Trust

Your data, in clear terms.
No weasel words.

Otto runs on your members' Mindbody data. That comes with obligations. This page spells them out.

01 · Mindbody access

Read-only. Revocable.

We connect via Mindbody's official Public API using read-only credentials. We pull attendance, memberships, bookings, sales, and member profiles on a nightly schedule. We never write to Mindbody. We cannot change a booking, a membership, a charge, or a profile — by design.

You can revoke access in one click inside Mindbody. Otto goes dark immediately. We delete ingested data within 30 days (sooner on request).

Scope: Read-only
Revocation: 1-click · immediate
Sync cadence: Nightly, 11 PM–5 AM local
API: Mindbody Public API v6

02 · Security posture

Defense in depth, stated plainly.

  • Encryption in transit. TLS 1.3 everywhere.
  • Encryption at rest. AES-256 across database, backups, long-term storage.
  • Secrets isolation. Mindbody credentials in a dedicated vault; no plaintext access.
  • Least-privilege access. Two engineers can access prod. Both carry hardware keys.
  • SOC 2 Type I achieved 2025. Type II audit in progress.
  • Annual third-party pen test. Report available under NDA.

03 · Privacy & your members

Your members are your members.

Member data belongs to your studio. We are a processor under your direction — we don't sell, don't share, don't train general-purpose models on it.

Anonymized, aggregated patterns may improve the scoring model. No individual member is identifiable in that data, ever.

04 · Subprocessors

Who touches your data.

  • Supabase — database, auth, encrypted credential vault.
  • Vercel — application hosting.
  • Anthropic — LLM API for message drafting; zero-retention, zero-training agreement.
  • Stripe — billing and payments.
  • HighLevel (GHL) — booking, conversation hub, SMS/email outreach.
  • Zoho — transactional email (briefs, reports, alerts).

Mindbody is your source system, not our subprocessor — read-only access, never written to.

05 · Incident response

What happens if something breaks.

24-hour notification commitment for any confirmed incident affecting your studio. Email from a human — what we know, what we don't, what we're doing about it.

Responsible disclosure: security@octoemployee.com. Response within one business day.