This is Redcliffe’s current operating posture: where customer data lives, when providers process it, how accounts are separated, and who retains the approval decision. We publish the controls we can substantiate and leave unsupported badges off the page.
Submitted customer work is stored server-side and is not sent indiscriminately from provider to provider. Each service has a defined role.
Stored customer data
United States — AWS us-west-2 (Oregon)
The primary Supabase project stores account, authentication, workspace, project, session, review-record, private creative, and selected website-capture data in this region.
Application processing
Vercel-hosted application with global delivery
Requests can be routed through global infrastructure. Submitted content is sent to an AI provider only when needed to perform the customer’s requested Review, Create, Update, search, vision, or retrieval task.
Payment processing
Paddle acts as merchant of record
Checkout, card processing, invoices, applicable taxes, cancellations, and refunds are handled by Paddle. Redcliffe does not store full payment-card details.
Access and records
Controls around the work, not just the login.
The useful security boundary is the whole path: identity, account, project, model, content access, machine scope, reviewer action, and export.
Account and project isolation
Database Row-Level Security, private storage, and server-side account, project, model, and role checks keep customer work inside its authorised boundary.
Authenticated cross-account route attempts are covered by an automated two-account access suite.
Encryption
Hosted application traffic uses HTTPS/TLS. Primary database, authentication, storage, and hosting providers encrypt customer data at rest and in transit.
Secrets and service credentials stay on trusted server paths and are not exposed to browser clients.
Metadata-first support
Routine Redcliffe administration uses account, usage, status, and audit metadata rather than submitted or generated customer content.
A content-access exception requires a reason, defined scope, actor, expiry, and audit record.
Role and access separation
Customer roles and Redcliffe platform-admin capabilities are separate. Internal security review can inspect access logs without broad customer-workspace powers.
Customer sign-off identities and publication decisions remain inside the customer’s approval workflow.
Scoped machine access
Agent Gateway credentials are account-scoped, shown once, stored as hashes, and checked against project, model, mode, scope, entitlement, and rollout controls.
External machine access is default-off until Redcliffe enables the agreed account or user scope.
Preserved review evidence
Submitted content, findings, cited basis, reviewer actions, and supported exports stay connected in the review record.
Redcliffe describes records as preserved and auditable; it does not rely on an unsupported immutability claim.
AI and learning boundary
Your work is not provider training material.
Redcliffe can get better without turning customer content into a communal dataset. The boundary distinguishes account-local preference learning from content-free platform reliability signals.
No public-foundation-model training
Redcliffe does not opt customer inputs or outputs into provider training or submit customer content as model-improvement feedback.
No cross-account content learning
Submitted or generated copy, reviewer comments, source spans, brand context, and sign-off identities are not moved into another customer’s workspace or a shared content corpus.
Bounded Redcliffe improvement
Account-specific feedback can improve that customer’s experience. Content-free operational signals and aggregated patterns can improve reliability without carrying customer copy with them.
Agent Gateway
Machine access inherits the same boundary.
REST and MCP do not create a privileged route around the customer workspace. They use scoped credentials and return work to the same review record and customer-owned approval path.
Submit Review, Create, and Update jobs; read status and structured results; request human review; and receive signed status callbacks where configured.
Every job is checked
The client, account, project, model, mode, key scope, entitlement, rollout gate, rate limit, and idempotency boundary are evaluated before work proceeds.
Agents may not
Approve, sign off, suppress findings, publish, grant their own access, or cross into another customer’s account or project.
Core providers
Named, bounded, and reviewable.
The core service providers below have distinct jobs. The complete public list explains the data class and processing location for each.
We can work through a security questionnaire, processing scope, international transfers, retention and deletion, support access, and appropriate data-processing terms before a qualifying Enterprise workflow is activated.
Redcliffe does not currently claim its own SOC 2 or ISO certification, UK-only hosting, regulator approval, 24/7 support, or contractual service credits unless expressly agreed in writing.