E2 Solutions · Command Center
Security & Trust
Last reviewed May 23, 2026
Command Center holds your customers, your conversations, your jobsite photos, and your business reputation. We take that seriously. This page is the plain-English summary of how we protect that data and how you stay in control of it.
Our five promises
The non-negotiables. Written into our Terms of Service.
Promise 01
We will never ask for your passwords
Every connection (Facebook, Google, etc.) uses OAuth — the same standard banks use. If anyone claiming to be from Command Center asks for an account password, it's not us.
Promise 02
We will never sell your data
Not your customers, not your leads, not your messages, not your jobsite photos. No marketing partners, no data brokers, no “anonymized analytics” loophole.
Promise 03
We will never train AI on your data
Calls to Anthropic's Claude API are stateless — data goes in for the specific generation, results come back, nothing is retained for training. Your voice samples shape YOUR posts only.
Promise 04
You can revoke us in 30 seconds
Every connection is revocable at the source — Facebook, Google, etc. We never depend on you using OUR dashboard to pull access. Canonical control is always at the service.
Promise 05
When you need us, you get a real human
Command Center uses AI to do the boring work — drafting posts, writing nurture sequences, summarizing calls. But when YOU need to reach US, you get Carson or Alaina on the phone. No chatbot. No tier-1 support queue. No “submit a ticket” button. You call, we pick up. That's the whole reason we cap at 100 clients.
Promise 06
We only record calls from your customers
Call Recording (the $50/mo add-on) records inbound calls ONLY when the caller's number matches a contact you have on file. If your dad, a wrong number, or anyone else unknown calls your business line, the platform recognizes them as unknown and records nothing — not on our servers, not on Twilio's servers. We delete the recording at the source. Outbound calls (when YOU dial out from inside Command Center) are always recorded because you chose to make them. This is hard-coded policy, not a setting you have to remember to flip.
Security at a glance
The technical layers protecting your account.
| Transport | HTTPS (TLS 1.2+) on every connection. Auto-renewed SSL certificates via our hosting provider. |
| Authentication | Magic-link login via email. No passwords for us to leak. Two-factor authentication (TOTP) available in account settings. |
| Data isolation | Multi-tenant Postgres with Row-Level Security. One client cannot read another client's data, even if a query bug occurred. Defense-in-depth verified on every server action. |
| Secret storage | Integration tokens (Meta page tokens, Google OAuth tokens, Twilio credentials) encrypted at rest. |
| Backups | Daily encrypted backups + point-in-time recovery (Supabase Pro). Disaster-recovery snapshots persist up to 90 days, then overwritten. |
| Payments | Processed entirely by Stripe (PCI-DSS Level 1 certified). Command Center never sees or stores card numbers. |
| Access logs | Every login + connected-account action is logged. Your audit trail is visible at Settings → Activity inside Command Center. |
| Email deliverability | DKIM, SPF, and Return-Path verified. Custom sender domain so messages are signed as you, not as a generic mass-mailer. |
Where your data lives
Command Center is built on a small number of trusted providers. Each only sees the data needed for its specific job. We name every sub-processor publicly because you deserve to know.
Supabase
AWS Canada (Central)
Primary database, authentication, file storage.
Vercel
Global edge, primary processing in North America
Application hosting + edge network.
Cloudflare
Global
DNS, domain registration, content delivery.
Twilio
North America
SMS and voice routing.
Postmark
United States
Transactional and marketing email delivery.
Anthropic
United States
Claude API for AI content generation. Anthropic does not retain or train on data sent through their API.
Meta (Facebook / Instagram)
Per Meta's policies
Only when you approve a post for publication. We use your authorized Page Access Token.
Per Google's policies
Calendar, Business Profile publishing, OAuth identity. Only when you authorize and approve.
Stripe
United States / Canada
Subscription billing + payment processing.
Daily.co
United States
In-app video calls (when enabled by your team).
Replicate
United States
AI image and video generation (Studio features). Stateless API; no data retained.
Each provider has their own security practices and certifications. We choose providers with strong track records (Stripe is PCI-DSS Level 1; Supabase, Vercel, Twilio, Postmark are SOC 2 attested). They are independent parties — their controls are theirs to maintain.
Revoke our access — quick links
You can revoke Command Center's access to any connected service directly at the source. We never depend on you using OUR dashboard to do it. Canonical control is always at the service.
Facebook / Instagram
facebook.com/settings?tab=business_tools
Find “Command Center” in the list, click Remove.
Stripe payment connection
dashboard.stripe.com/settings/applications
Find Command Center, click Revoke access.
Twilio (SMS routing)
Twilio doesn't use OAuth. SMS routes through numbers ported to Twilio under your account or our shared infrastructure. To stop SMS routing or transfer the number, email support@runcommandcenter.ca — we'll wind down or transfer within 5 business days.
Compliance
PIPEDA
Personal Information Protection and Electronic Documents Act (Canada). Covers how we collect, use, and disclose personal information.
BC PIPA
Personal Information Protection Act (British Columbia). Provincial coverage for our primary jurisdiction.
CASL
Canada's Anti-Spam Legislation. Every commercial message includes sender identity + unsubscribe; automation rules enforce consent at the platform level.
PCI-DSS
Payment Card Industry Data Security Standard. Handled fully by Stripe (Level 1). We never touch card data.
We are a small Canadian company. We are not SOC 2 or ISO 27001 certified — those frameworks are appropriate for enterprise vendors, not for the SMB market we serve. Our technical controls (RLS isolation, encryption at rest, OAuth-only integrations, sub-processor transparency) are the substance those frameworks audit; we deliver them without the audit overhead so we can keep prices fair.
Breach notification policy
No system is unbreakable. If we discover a breach that affects your data:
- We will notify affected clients within 72 hours of discovery.
- Notification will include: what happened, what data was affected, what we're doing, what you should do.
- We will cooperate fully with the Office of the Privacy Commissioner of Canada and the BC Information & Privacy Commissioner as required.
- Post-incident, we publish a public post-mortem with the root cause and the changes we've made. (Within 30 days, with affected-client details redacted.)
Data ownership and portability
Your data is yours. Always.
- One-click export— CSV + JSON of everything, from your dashboard, any time, no questions asked.
- 30-day off-boarding— if you cancel, your full export remains accessible for 30 days. After that, all your data is permanently deleted from active systems.
- Real database portability— we run on standard Postgres. Not a proprietary format. You can take a full dump and migrate anywhere.
- API access to your own data— documented endpoints; you don't need our permission to query.
Reporting a security issue
If you find a vulnerability in Command Center or believe your account has been compromised, reach out immediately. We respond within 24 hours.
Security contact
We commit to working with you on responsible disclosure. We will not pursue legal action against good-faith security researchers who follow these guidelines: don't access more data than necessary to demonstrate the issue, don't degrade service for other clients, and give us reasonable time to fix before public disclosure.
About us
Command Center is operated by E2 Solutions, a BC-registered sole proprietorship (FM1106808). We're based in Langley, British Columbia, Canada. We answer the phone ourselves.
Mailing address: 7179 201 St #58, Langley BC V2Y 2Y9, Canada