Trust & security
Bruce-built.
Bruce-accountable.
One human runs Iris Bites. Every install, every support reply, every incident response. Here is exactly where your data lives, who can see it, and what you can expect when something breaks.
Who's behind Iris Bites
One founder. No outsourced Tier-1.
Iris Bites is founded and run by Bruce. Bruce wrote the system prompt that powers every receptionist install. Bruce wrote the testing methodology we use to rank competitors. Bruce answers every support ticket. Iris is the AI assistant who helps Bruce run the company — she handles the phone and the inbound messages — but the company itself is one human.
This matters because when something goes wrong at 11pm, the person who ships the fix is the same person who wrote the system in the first place. There is no outsourced support team learning your account from scratch.
Data residency
Where your data actually lives.
We don't run servers. Your data lives where the underlying tools store it — and every one of those tools is in YOUR account, not ours.
Data type: Customer call recordings
Where it lives: Synthflow or Bland (your account) + Twilio call logs (your account)
Retention: Default 90 days; configurable per regulation
Data type: Inbound text + form messages
Where it lives: Your CRM, Airtable, or Google Sheets — wherever you already work
Retention: Permanent unless you delete
Data type: Knowledge base (hours, prices, FAQs)
Where it lives: Google Doc in your Workspace + cached in Synthflow's system prompt
Retention: Permanent, version-tracked in Google Drive
Data type: Payment info (Iris Bites fees)
Where it lives: Stripe — they hold the card, we never see it
Retention: Per Stripe's policy
Data type: Voice synthesis (ElevenLabs)
Where it lives: ElevenLabs servers, your account; voice clones (if used) stay private
Retention: Per your ElevenLabs settings
Access control
Who can see your customer call recordings.
You — by default, exclusively. The recordings live in your Synthflow / Bland account, accessible to whoever has your login.
Bruce — only when you open a support ticket about a specific call. The ticket grants read-access to that recording; Bruce reviews; the ticket closes; access ends. There is no standing access.
The underlying vendors — Synthflow, Bland, Twilio, etc. — have their own access policies, listed in their privacy pages. They access your data only for the operational reasons you'd expect: storing it, serving it back to you, debugging vendor-side issues.
Nobody else. No subcontractors, no offshore Tier-1, no investor dashboards.
Regulatory posture
HIPAA, GDPR, CCPA — the specific answers.
HIPAA
Iris Bites itself is not a Covered Entity and we don't store PHI on our infrastructure. For dental and medical installs, we configure your stack on HIPAA-compliant tiers of Twilio, Google Workspace, and Synthflow — and route call recordings to a HIPAA-compliant storage account in YOUR name. A Business Associate Agreement (BAA) signed by Iris Bites is available on the Enterprise tier; for Pilot and Solo customers in healthcare we refer you to the underlying vendors' BAAs (which are the ones that actually matter for PHI).
GDPR
For data Iris Bites itself processes (your account, billing, support tickets), we're the controller — see our privacy policy for lawful-basis grounding, rights of access / erasure / portability, and how to exercise them. For the data Iris handles on your behalf inside YOUR install (your customers' call recordings, lead messages), you are the controller and we are the processor. A Data Processing Agreement (DPA) is available on request for any EU-resident customer.
CCPA
We don't sell personal information. We don't share it with advertisers. The only third parties who see Iris-Bites-collected data are our own infrastructure providers (Stripe for payments, Resend for email), and they process it on our behalf under processor terms. California residents can request deletion via privacy@irisbites.com — we delete within 7 days.
The hard promises
You keep your credentials. Always.
These are the structural guarantees baked into every Iris Bites install. They're not policies that could change — they're the way we build, by design.
Every credential in your name.
When we install on Twilio, Synthflow, ElevenLabs, Google Workspace, or any other vendor, the account is created under your email, your billing, your phone-number-of-record. We never hold the master credential.
Fire us tomorrow, the install keeps running.
Because the credentials are yours, cancelling the Iris Bites retainer doesn't turn anything off. The AI keeps answering your phone. The lead responder keeps replying. We lose access to our support inbox for your account — that's it.
We don't shadow-copy your data.
Customer call recordings, lead messages, KB documents — all live in YOUR accounts. We don't pipe a copy to an Iris Bites database. The closest thing we keep is a project tracker noting which tools we configured on which date; no PII inside it.
Bruce sees only what you let him see.
When you open a support ticket, Bruce gets read-access to the specific call recording or message thread you're asking about — and only for the duration of the ticket. There is no 'Iris Bites admin dashboard' silently mirroring your account.
Service-level commitments
SLA, per tier.
These are commitments, not aspirations. If we miss them, you can cancel the retainer and we'll prorate-refund the unused portion of the current month.
Setup Hour
- Response: 24h (business days)
- Install commitment: Session within 5 business days
- Uptime: N/A — single session
Pilot / Industry Pilot
- Response: Same business day
- Install commitment: 7 days from kickoff
- Uptime: 99.5% on Iris-managed config (vendor-side outages excluded)
Solo
- Response: 8 hours (business days)
- Install commitment: 14 days from kickoff
- Uptime: 99.7% on Iris-managed config
Operator
- Response: 4 hours (business hours)
- Install commitment: 30 days from kickoff
- Uptime: 99.9% on Iris-managed config + after-hours pager for outage events
Enterprise
- Response: Contractual — typically 2h in stated coverage windows
- Install commitment: Scoped per build
- Uptime: 99.9%+ contractual, BAA / DPA on request
These are our service targets. We publish independently measured uptime after each full quarter of production.
When something breaks
Incident response policy.
0–15 min: detection
Bruce monitors error rates from the underlying tools (Synthflow, Twilio, Anthropic API). Vendor-side outages get flagged automatically; Iris-side configuration errors get caught by health checks running every 5 minutes.
15 min–2 hours: triage + customer notification
For Operator and Enterprise outages: direct email + SMS to your account contact within 30 minutes of detection, describing what's broken and the working theory. For Pilot and Solo: email notification within 2 hours, plus a status update on the support page.
2–24 hours: fix + root-cause
Vendor-side incidents: we relay vendor status and apply workarounds where possible. Iris-side incidents: Bruce ships a fix in writing within 24 hours, plus a short root-cause email so you know what happened and how it's prevented from recurring.
48–72 hours: public disclosure for security incidents
Any incident that exposes customer data — yours or anyone else's — gets disclosed publicly on this page within 72 hours. Affected customers get a direct email within 24 hours. This is the policy whether the breach is our fault or a vendor we relied on.
More questions on trust?
Email privacy@irisbites.com or read the FAQ — the security and data section answers the most common ones.
Trust page version 1 · Last reviewed 2026-05-23