Questions Clients Have Asked
This page answers real due diligence questions clients and prospects have asked about Sales Triage, Revenue Engine, AI, security and data protection.
If one client has asked a useful question, future clients should not have to ask it again.
Where is Revenue Engine hosted?
Revenue Engine is currently hosted on a UK virtual server with Fasthosts.
During beta, the web application and database are hosted on the same virtual server.
Where is client data stored?
Data stored directly in the Revenue Engine platform is currently stored in the UK.
Some third-party services, such as AI providers, may process data outside the UK depending on the feature being used.
Are you a data processor, and do you have an Article 28 agreement?
For client platform data, yes.
Where your organisation stores contacts, prospects, notes, activities, opportunities or emails in the platform, your organisation is the data controller and Sales Triage is the data processor acting on your instructions. Our Data Processing Terms, set out in our Terms and Conditions, are intended to operate as the UK GDPR Article 28 data processing agreement and cover our obligations as processor (security measures, approved subprocessors, assistance with data subject requests, breach notification, and return or deletion of data).
The account-level and usage data we generate to run the service (account administration, billing, security and operational logs) is processed by Sales Triage as a controller. The Privacy Policy explains this split in full.
Is data encrypted in transit?
Yes.
Traffic to the platform is protected using HTTPS/TLS.
Is data encrypted at rest?
Partly, and we are precise about which parts.
Stored API credentials and integration secrets (such as third-party API keys and webhook secrets) are encrypted at rest using AES-256-GCM.
The application database is not yet protected by full-database encryption at rest, and stored OAuth tokens for connected mailboxes and calendars are not yet encrypted at the field level. Both are planned improvements before wider production use.
If file or document storage becomes a broader part of the service, encryption at rest will be included in the production security plan.
Do you have multi-factor authentication?
Yes. Multi-factor authentication is enabled for every platform user and is required at sign-in, including for administrators.
After their password, each user completes a second step with an authenticator app (for example Authy, Google Authenticator or Microsoft Authenticator) or a one-time code sent to their registered email address. Users cannot disable it on their own account.
Who has access to production systems?
During beta, production access is limited to the founder.
Do you have separate development, staging and production environments?
Not yet.
During beta, Revenue Engine operates a production environment only.
A separate staging environment is planned before wider production use.
How are backups handled?
During beta, Revenue Engine uses weekly full backups and daily incremental backups.
Backups are held on the server and also copied offsite to UK-hosted Microsoft OneDrive.
Backup retention and restore testing are being formalised as part of the improvement plan.
Have you tested restoring from backup?
A formal restore test has not yet been completed and documented.
This is a priority improvement.
How quickly could you recover the service if the server failed?
During beta, the realistic recovery target is within 24 hours.
This is a practical recovery target, not a formal uptime SLA.
Are you ISO 27001 certified?
No.
Sales Triage is not currently ISO 27001 certified.
We are familiar with ISO 27001 and have experience operating businesses with security certifications, but the current Sales Triage entity does not hold ISO 27001 certification.
Are you SOC 2 certified?
No.
Sales Triage is not currently SOC 2 certified.
Do you have Cyber Essentials?
No.
Cyber Essentials is under review as a proportionate next step.
Have you completed penetration testing?
No independent penetration test has been completed yet.
Independent testing is planned before accepting larger enterprise clients or before wider production use.
Is client data used to train AI models?
No.
Under the commercial API services used by Sales Triage, client content submitted through Revenue Engine AI features is not used to train AI models.
Which AI providers do you use?
The AI providers currently in use are Anthropic and OpenAI.
The provider used may vary by feature and may change as the service evolves. If we engage a new AI provider, it is added to the supplier and subprocessor list, and we route personal data to it only once it is engaged under an appropriate data processing agreement.
Can AI providers process data outside the UK?
Yes.
AI providers may process data outside the UK, including in the United States.
Where international transfers occur, Sales Triage relies on appropriate contractual safeguards where required.
Where are video messages stored?
Video messages recorded in the platform are hosted and streamed by a specialist video provider rather than on the application server.
The video and audio you record, along with the video title and thumbnail, are processed by that provider to host and play back the message. The provider is listed on the Suppliers and Subprocessors page.
Does Revenue Engine read my whole mailbox?
No.
Where email functionality is enabled, Revenue Engine connects to the user's chosen mailbox for the functionality authorised by the user.
The platform does not operate as a separate bulk sending service and does not monitor general mailbox content outside authorised functionality.
What happens if you discover a data breach?
Sales Triage will investigate, contain and assess the incident.
Where client data is affected, Sales Triage will notify affected clients where required by law or contract and support clients with any related regulatory obligations.
Sales Triage will follow UK GDPR breach notification requirements.
Can clients export their data?
Yes, with our help today.
Our terms provide for client platform data to be exportable around termination (the Privacy Policy describes a 30-day window) and then deleted. Today this is handled manually on request: we will produce and return a copy of the client's platform data. A self-serve export is a priority improvement and is on the Continuous Improvement plan; we would rather say that plainly than imply a one-click export that is not built yet.
What happens if a client leaves Sales Triage?
Client platform data is handled in line with the applicable terms and data processing terms.
In practice today, on termination we will return a copy of the client's platform data on request and then delete it. We are formalising this into a documented, time-bound process - a self-serve export followed by an automated deletion step - as a priority improvement (see Continuous Improvement).
How is my data deleted if we decide not to proceed?
If you decide not to continue, we will delete your platform data and confirm once it is done.
Today that deletion is carried out manually by the founder on request rather than by an automated, time-bound process. A documented, automated deletion process (with a self-serve export available beforehand) is a priority improvement. Copies held in backups age out on the normal backup rotation rather than being individually removed.
What happens to my data if Sales Triage winds down?
You would be able to obtain a copy of your platform data so you can move it to another system.
This is a fair question for any small supplier, and we would rather answer it directly. The platform data you store is yours; if we wound the service down, we would make your data available for export and then delete it. As above, export is founder-assisted today, with a self-serve export on the improvement plan.
Do you sell personal data?
No.
Sales Triage does not sell personal data.
Do you process special category data?
Revenue Engine is not intended to process special category data.
Users should not submit special category data unless this has been expressly agreed in writing.
What should happen when a new question is asked?
If a client asks a new security, privacy or AI question:
- answer the client directly
- add the question here if it is useful to future clients
- update the relevant page if the answer changes public documentation
- add an improvement item if the question exposes a gap
- add a changelog entry if public documentation changes