Data & Security

Your data never leaves your control.

RAINCLOUD analyzes your competitive deals on our own AWS infrastructure, with read-only access to systems you already trust, and zero training of any model on your data. We act as a data processor on your behalf — your organization remains the data controller. Below: exactly what we touch, where it runs, and how to keep us honest.

Three Principles

How we approach your data.

Every architectural decision flows from three commitments. Everything else on this page is the supporting detail.

01 · ACCESS

Read-only, by default.

We never write to your CRM, your call platform, or any production system. Connections are scoped to read-only API tokens or OAuth grants you can revoke at any time. You are always in control of what we can see.

02 · INFRASTRUCTURE

Private models on AWS we control.

Our language models run on AWS infrastructure dedicated to RAINCLOUD — our own AWS account, isolated VPC, no shared SaaS in the path. Your call data is never sent to OpenAI, Anthropic, Google, or any third-party AI API. End-to-end architectural control.

03 · TRAINING

Your data is not model fuel.

We do not train, fine-tune, or improve any model on your call recordings, CRM data, or competitive intelligence outputs. Your data analyzes your business. It does not become a feature in someone else's product.

What We Touch & What We Don't

Specifically, in plain language.

The honest version of "what data does RAINCLOUD see?" — written so a security team can read it once and check the boxes.

RAINCLOUD does

Read scoped sales call recordings & transcripts

Via your call platform's read-only API: Gong, Chorus, Fireflies, CallRail, and similar. We only access calls flagged or filtered for the engagement scope.

Read scoped CRM deal records

Stages, amounts, close dates, competitor mentions, win/loss outcomes — via read-only Salesforce, HubSpot, or similar API tokens.

Read win-loss interview transcripts you provide

Only what your team explicitly shares with us as part of the engagement.

Generate aggregated intelligence artifacts

Battlecards, win/loss reports, competitive radar, board narratives — synthesized from the data above and delivered to your inbox.

RAINCLOUD does not

Send your data to third-party AI APIs

No OpenAI. No Anthropic. No Gemini. No public LLM endpoints. Our analysis runs on private models on infrastructure we control.

Train, fine-tune, or improve models on your data

Your call recordings and deal data are inputs to your analysis only. They are never used to improve a model that touches another customer.

Export raw call recordings or transcripts

Our deliverables are aggregated artifacts — not raw conversations. Raw audio and transcripts stay in your call platform.

Touch customer PII outside the engagement scope

If a system contains data we don't need (HR records, financials, support tickets), we don't connect to it. Scope is documented and signed off before kickoff.

Architecture & Compliance

The technical & legal details.

For your security team's review. We're happy to discuss any of these in a vendor-review call and adjust where it makes sense.

Encryption

In transit and at rest.

All data flowing into RAINCLOUD systems is encrypted in transit with TLS 1.2 or later. Data at rest is encrypted with AES-256 using the native server-side encryption of S3 (the S3 default for every new object), EBS, and RDS; EBS volume and RDS storage encryption are settings we enable, since AWS does not turn them on for you. Encryption keys are managed in AWS Key Management Service (KMS) with automatic key rotation enabled.
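The at-rest settings above are per-account and per-resource configuration rather than fixed AWS defaults: S3 applies SSE-S3 to new objects by default, EBS "encryption by default" is a per-region opt-in, RDS storage encryption is chosen when an instance is created, and automatic rotation of customer managed KMS keys is off until someone enables it. The script below, an added example that is not RAINCLOUD's own code, reads each setting through the boto3 calls that expose it, which is what a vendor review should ask for instead of the word "default". The clients are injected, so here it runs offline against constructed fake responses with hypothetical resource names; pass real boto3.client(...) objects to run it against an account.

```python
"""Audit the at-rest encryption settings a vendor claims for an AWS account.

Every check takes a boto3-style client so the same code runs against a real
account or, as below, against constructed fakes that return the response
shapes boto3 returns. Resource names and key IDs here are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    ok: bool
    detail: str


def check_ebs_default(ec2, region: str) -> Finding:
    """EBS 'encryption by default' is an opt-in, per-region account setting.
    Unless it is on, new volumes are created unencrypted unless each request asks."""
    enabled = ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]
    return Finding(f"ebs:{region}:encryption-by-default", enabled,
                   "enabled" if enabled else "disabled; new volumes are unencrypted unless requested per volume")


def check_s3_bucket(s3, bucket: str) -> Finding:
    """S3 applies SSE-S3 (AES-256) to new objects by default since January 2023,
    but a bucket may instead use SSE-KMS; record which, so the key can be audited."""
    try:
        rules = s3.get_bucket_encryption(Bucket=bucket)["ServerSideEncryptionConfiguration"]["Rules"]
    except Exception as exc:  # boto3 raises ClientError (ServerSideEncryptionConfigurationNotFoundError) on legacy buckets
        return Finding(f"s3:{bucket}", False, f"no default encryption configuration ({exc})")
    algos = {r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] for r in rules}
    return Finding(f"s3:{bucket}", bool(algos & {"AES256", "aws:kms"}),
                   "default SSE: " + ", ".join(sorted(algos)))


def check_rds(rds) -> list[Finding]:
    """RDS storage encryption is chosen at instance creation and cannot be switched
    on later, so every instance is checked individually."""
    findings = []
    # Accounts with many instances should use rds.get_paginator("describe_db_instances").
    for db in rds.describe_db_instances()["DBInstances"]:
        enc = bool(db.get("StorageEncrypted", False))
        findings.append(Finding(f"rds:{db['DBInstanceIdentifier']}", enc,
                                f"StorageEncrypted={enc}, KmsKeyId={db.get('KmsKeyId', '-')}"))
    return findings


def check_kms_rotation(kms, key_id: str) -> Finding:
    """Automatic rotation is off by default for customer managed KMS keys and must
    be enabled per key (AWS managed keys rotate yearly without a choice)."""
    enabled = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
    return Finding(f"kms:{key_id}", enabled,
                   "automatic rotation enabled" if enabled else "automatic rotation disabled")


def audit(ec2, s3, rds, kms, region: str, buckets: list[str], key_ids: list[str]) -> list[Finding]:
    findings = [check_ebs_default(ec2, region)]
    findings += [check_s3_bucket(s3, b) for b in buckets]
    findings += check_rds(rds)
    findings += [check_kms_rotation(kms, k) for k in key_ids]
    return findings


# --- Constructed fake clients standing in for boto3 (hypothetical account) ---
ROTATED_KEY = "11111111-1111-1111-1111-111111111111"    # hypothetical key ID
UNROTATED_KEY = "22222222-2222-2222-2222-222222222222"  # hypothetical key ID


class FakeEC2:
    def get_ebs_encryption_by_default(self):
        return {"EbsEncryptionByDefault": False}


class FakeS3:
    def get_bucket_encryption(self, Bucket):
        return {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                   "KMSMasterKeyID": ROTATED_KEY}}]}}


class FakeRDS:
    def describe_db_instances(self):
        return {"DBInstances": [
            {"DBInstanceIdentifier": "example-analysis", "StorageEncrypted": True, "KmsKeyId": ROTATED_KEY},
            {"DBInstanceIdentifier": "example-legacy", "StorageEncrypted": False},
        ]}


class FakeKMS:
    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": KeyId == ROTATED_KEY}


def run_fake_audit() -> list[Finding]:
    """Run the audit against the constructed fakes; returns the findings in check order."""
    return audit(FakeEC2(), FakeS3(), FakeRDS(), FakeKMS(), "us-east-1",
                 buckets=["example-call-data"], key_ids=[ROTATED_KEY, UNROTATED_KEY])


if __name__ == "__main__":
    for f in run_fake_audit():
        print("PASS" if f.ok else "FAIL", f.resource, "-", f.detail)
```

Against the constructed account the script reports the bucket, one RDS instance and one key as encrypted or rotating, and flags the disabled EBS default, the unencrypted legacy instance and the unrotated key, which is the kind of line-by-line evidence to request in a vendor-review call.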

Hosting & Sub-processors

A short, named list.

RAINCLOUD runs entirely on Amazon Web Services (AWS) — primarily in the us-east-1 region. AWS is our single infrastructure-of-record for compute, storage, model serving, and key management. We keep additional sub-processors to a minimum and disclose the current list in the engagement agreement. We notify customers in writing before adding any new sub-processor that touches customer data.

Data Residency

Where it lives.

By default, customer data is stored in AWS us-east-1 (Northern Virginia, USA). Data does not cross AWS regions without explicit customer consent. Customers with EU residency requirements can request EU-only processing in AWS eu-west-1 (Ireland) or eu-central-1 (Frankfurt) — discussed during engagement scoping.

Data Retention

Kept only as long as needed.

Working analysis files are retained for the duration of the engagement plus 90 days, then deleted. Final deliverables (battlecards, reports, narratives) are retained at your option for ongoing reference, or deleted on request. You can request deletion of all RAINCLOUD-held data at any time and we will confirm completion in writing within 5 business days.

Our Role & Compliance Posture

Data processor by design.

RAINCLOUD operates as a data processor on your behalf; your organization remains the data controller for the customer data we analyze. We comply with applicable data-protection regulations (GDPR, CCPA) in that role. Our security posture covers the controls security teams typically ask about: encryption in transit and at rest, scoped read-only access, access logging, change management, and a documented incident response process. We do not yet hold a third-party security certification or attestation; we are happy to walk your security team through our specific controls in a vendor-review call. We do not handle PHI and are not subject to HIPAA.

Contracts & Reviews

NDAs, DPAs, vendor reviews.

We sign mutual NDAs as a default. We sign Data Processing Addenda (DPAs): we can provide our standard DPA or review yours. We complete vendor security questionnaires (SIG, CAIQ, custom) and join vendor-review calls with your security team before contract signature.

Access Controls

Who at RAINCLOUD sees what.

Access to customer data is restricted to the senior practitioners assigned to your engagement — typically 1 to 3 named individuals identified at kickoff. All access is logged and auditable. Customers can request an access log at any time. Access is revoked when an engagement ends or a team member departs.

Incident Response

If something goes wrong.

In the unlikely event of a security incident affecting customer data, we will notify affected customers in writing without undue delay and no later than 72 hours after we confirm it, with a description of what happened, what data was affected, and the remediation plan. GDPR Article 33(2) requires a processor to notify the controller without undue delay; the 72-hour clock in Article 33(1) is the controller's own deadline to its supervisory authority, so our notice is timed to leave room for yours. We support customers' regulatory notification obligations (GDPR Article 33, state breach-notification laws, etc.) as their data processor.

Customer Controls

You can pull the plug at any time.

Read-only API tokens you grant us can be revoked instantly from your side. Once revoked, our access stops. We will confirm receipt and proceed with deletion per your engagement's offboarding terms.

Frequently Asked

Common security questions.

Most of what we get from security teams during vendor review. If yours isn't here, ask us directly — we'll add it.

Are our call recordings shared with OpenAI or any public AI service?

No. Our language models run on private infrastructure. Your data does not transit OpenAI, Anthropic, Google, or any third-party AI API. This is an architectural commitment, not a configuration setting.

Will you sign our DPA?

Yes. We can review your standard DPA or provide ours for your review. Either path takes a few business days. No surprises in the standard terms — read-only access, encryption, deletion on request, breach notification.

How long do you keep our data?

Working analysis files for the duration of the engagement plus 90 days, then deleted. Final deliverables stay accessible to you for as long as you want them. You can request deletion of all RAINCLOUD-held data at any time, with confirmation in writing within 5 business days.

Can we audit your access?

Yes. Read-only API tokens we use are visible in your platform's admin logs. We can also provide our internal access logs on request. Frequency: ad-hoc on customer request, or quarterly if you prefer a standing cadence.

What happens to our data when we end the engagement?

Working data is deleted within 90 days of engagement end. Final deliverables (battlecards, reports, etc.) are retained at your option for future reference, or deleted on your request. We confirm completion in writing within 5 business days of the deletion request.

Do you have any third-party security certifications or attestations?

Not at this stage of the company. We operate to industry-standard security controls — encryption in transit and at rest, scoped read-only access to your systems, access logging, change management, and a documented incident response process — and can walk your security team through our specific controls in a vendor-review call. As we grow, we'll pursue formal attestations appropriate to our customer base; if your vendor onboarding requires a specific certification, tell us and we'll discuss what's reasonable to commit to.

Where is our data physically stored?

By default, all customer data is stored in AWS us-east-1 (Northern Virginia, USA). Customers with EU residency requirements can request EU-only processing in AWS eu-west-1 (Ireland) or eu-central-1 (Frankfurt) — discussed during engagement scoping.

What if our internal policy bans cloud processing of customer voice data?

Talk to us. Our model is read-only access via your platform's API, which means voice data already lives in a service you've vetted (Gong, Chorus, etc.). What flows to RAINCLOUD is transcripts and metadata — not raw audio. If you have additional constraints, we'll work them out before contract.

Got a security review process?
We're ready for it.

We've worked with security teams at organizations from Series A startups to public-company-owned subsidiaries. Send us your questionnaire, schedule a call, or both. We'd rather sort this out before contract than answer it during.

Talk to RAINCLOUD →