E2 Solutions · Command Center

Security & Trust

Last reviewed May 23, 2026

Command Center holds your customers, your conversations, your jobsite photos, and your business reputation. We take that seriously. This page is the plain-English summary of how we protect that data and how you stay in control of it.

Our five promises

The non-negotiables. Written into our Terms of Service.

Promise 01

We will never ask for your passwords

Every connection (Facebook, Google, etc.) uses OAuth — the same standard banks use. If anyone claiming to be from Command Center asks for an account password, it's not us.

Promise 02

We will never sell your data

Not your customers, not your leads, not your messages, not your jobsite photos. No marketing partners, no data brokers, no “anonymized analytics” loophole.

Promise 03

We will never train AI on your data

Calls to Anthropic's Claude API are stateless — data goes in for the specific generation, results come back, nothing is retained for training. Your voice samples shape YOUR posts only.

Promise 04

You can revoke us in 30 seconds

Every connection is revocable at the source — Facebook, Google, etc. We never depend on you using OUR dashboard to pull access. Canonical control is always at the service.

Promise 05

When you need us, you get a real human

Command Center uses AI to do the boring work — drafting posts, writing nurture sequences, summarizing calls. But when YOU need to reach US, you get Carson or Alaina on the phone. No chatbot. No tier-1 support queue. No “submit a ticket” button. You call, we pick up. That's the whole reason we cap at 100 clients.

Promise 06

We only record calls from your customers

Call Recording (the $50/mo add-on) records inbound calls ONLY when the caller's number matches a contact you have on file. If your dad, a wrong number, or anyone else unknown calls your business line, the platform recognizes them as unknown and records nothing — not on our servers, not on Twilio's servers. We delete the recording at the source. Outbound calls (when YOU dial out from inside Command Center) are always recorded because you chose to make them. This is hard-coded policy, not a setting you have to remember to flip.

Security at a glance

The technical layers protecting your account.

TransportHTTPS (TLS 1.2+) on every connection. Auto-renewed SSL certificates via our hosting provider.
AuthenticationMagic-link login via email. No passwords for us to leak. Two-factor authentication (TOTP) available in account settings.
Data isolationMulti-tenant Postgres with Row-Level Security. One client cannot read another client's data, even if a query bug occurred. Defense-in-depth verified on every server action.
Secret storageIntegration tokens (Meta page tokens, Google OAuth tokens, Twilio credentials) encrypted at rest.
BackupsDaily encrypted backups + point-in-time recovery (Supabase Pro). Disaster-recovery snapshots persist up to 90 days, then overwritten.
PaymentsProcessed entirely by Stripe (PCI-DSS Level 1 certified). Command Center never sees or stores card numbers.
Access logsEvery login + connected-account action is logged. Your audit trail is visible at Settings → Activity inside Command Center.
Email deliverabilityDKIM, SPF, and Return-Path verified. Custom sender domain so messages are signed as you, not as a generic mass-mailer.

Where your data lives

Command Center is built on a small number of trusted providers. Each only sees the data needed for its specific job. We name every sub-processor publicly because you deserve to know.

Supabase

AWS Canada (Central)

Primary database, authentication, file storage.

Vercel

Global edge, primary processing in North America

Application hosting + edge network.

Cloudflare

Global

DNS, domain registration, content delivery.

Twilio

North America

SMS and voice routing.

Postmark

United States

Transactional and marketing email delivery.

Anthropic

United States

Claude API for AI content generation. Anthropic does not retain or train on data sent through their API.

Meta (Facebook / Instagram)

Per Meta's policies

Only when you approve a post for publication. We use your authorized Page Access Token.

Google

Per Google's policies

Calendar, Business Profile publishing, OAuth identity. Only when you authorize and approve.

Stripe

United States / Canada

Subscription billing + payment processing.

Daily.co

United States

In-app video calls (when enabled by your team).

Replicate

United States

AI image and video generation (Studio features). Stateless API; no data retained.

Each provider has their own security practices and certifications. We choose providers with strong track records (Stripe is PCI-DSS Level 1; Supabase, Vercel, Twilio, Postmark are SOC 2 attested). They are independent parties — their controls are theirs to maintain.

Revoke our access — quick links

You can revoke Command Center's access to any connected service directly at the source. We never depend on you using OUR dashboard to do it. Canonical control is always at the service.

Facebook / Instagram

facebook.com/settings?tab=business_tools

Find “Command Center” in the list, click Remove.

Google account permissions

myaccount.google.com/permissions

Find Command Center, click Remove Access.

Google Business Profile managers

business.google.com

Settings → Managers → Remove.

Stripe payment connection

dashboard.stripe.com/settings/applications

Find Command Center, click Revoke access.

Twilio (SMS routing)

Twilio doesn't use OAuth. SMS routes through numbers ported to Twilio under your account or our shared infrastructure. To stop SMS routing or transfer the number, email support@runcommandcenter.ca — we'll wind down or transfer within 5 business days.

Compliance

PIPEDA

Personal Information Protection and Electronic Documents Act (Canada). Covers how we collect, use, and disclose personal information.

BC PIPA

Personal Information Protection Act (British Columbia). Provincial coverage for our primary jurisdiction.

CASL

Canada's Anti-Spam Legislation. Every commercial message includes sender identity + unsubscribe; automation rules enforce consent at the platform level.

PCI-DSS

Payment Card Industry Data Security Standard. Handled fully by Stripe (Level 1). We never touch card data.

We are a small Canadian company. We are not SOC 2 or ISO 27001 certified — those frameworks are appropriate for enterprise vendors, not for the SMB market we serve. Our technical controls (RLS isolation, encryption at rest, OAuth-only integrations, sub-processor transparency) are the substance those frameworks audit; we deliver them without the audit overhead so we can keep prices fair.

Breach notification policy

No system is unbreakable. If we discover a breach that affects your data:

  • We will notify affected clients within 72 hours of discovery.
  • Notification will include: what happened, what data was affected, what we're doing, what you should do.
  • We will cooperate fully with the Office of the Privacy Commissioner of Canada and the BC Information & Privacy Commissioner as required.
  • Post-incident, we publish a public post-mortem with the root cause and the changes we've made. (Within 30 days, with affected-client details redacted.)

Data ownership and portability

Your data is yours. Always.

  • One-click export— CSV + JSON of everything, from your dashboard, any time, no questions asked.
  • 30-day off-boarding— if you cancel, your full export remains accessible for 30 days. After that, all your data is permanently deleted from active systems.
  • Real database portability— we run on standard Postgres. Not a proprietary format. You can take a full dump and migrate anywhere.
  • API access to your own data— documented endpoints; you don't need our permission to query.

Reporting a security issue

If you find a vulnerability in Command Center or believe your account has been compromised, reach out immediately. We respond within 24 hours.

Security contact

security@runcommandcenter.ca

We commit to working with you on responsible disclosure. We will not pursue legal action against good-faith security researchers who follow these guidelines: don't access more data than necessary to demonstrate the issue, don't degrade service for other clients, and give us reasonable time to fix before public disclosure.

About us

Command Center is operated by E2 Solutions, a BC-registered sole proprietorship (FM1106808). We're based in Langley, British Columbia, Canada. We answer the phone ourselves.

Mailing address: 7179 201 St #58, Langley BC V2Y 2Y9, Canada