Site Rep Trust Status
Last updated: 2026-05-31.
This page is a truth ledger, not a compliance certification. It separates confirmed product controls from claims that still need legal, provider, or production evidence.
Confirmed product controls
- Source-backed answer behavior: the public bot answers from approved sources or refuses when proof is missing.
- Owner visibility: leads, conversations, unknown questions, source gaps, install health, exports, notifications, and deletion-review requests are visible in the owner workspace.
- Access control: admin routes require server-side admin access, customer routes use scoped owner/session access, and public widget routes do not return owner access material.
- Paid unlock: Dodo and Razorpay paths activate workspaces only after server-side payment verification.
- Data exports: private bot backup, leads, conversations, owner queue, action queue, and proof report exports exist.
- Abuse and browser safety: public signup/chat/lead/install/feedback routes are rate-limited, and Worker responses include security headers.
- Storage separation: Durable Objects coordinate writes, D1 stores high-volume ledgers, and private R2 stores large source content server-side.
Not claimed
- Site Rep does not claim SOC 2 Type II, GDPR certification, HIPAA compliance, BAA coverage, DPA availability, zero retention, or no-training-on-data status.
- Site Rep does not claim native OAuth marketplace integrations, full helpdesk replacement, two-way CRM sync, or automated workflow execution.
- Site Rep does not claim guaranteed conversion lift, guaranteed setup time, or enterprise omnichannel coverage.
Needs deeper review before public claims
- Legal review for privacy policy, DPA, BAA, subprocessors, retention windows, deletion fulfillment, and regional data rights.
- Provider review for model retention/training settings, payment processor terms, email processor terms, D1/R2/KV retention, and backup retention.
- Production review for live deploy freshness, Cloudflare dry run, real customer install proof, real-card paid unlock, monitoring, rollback, and incident response.
- Integration review for OAuth scopes, consent screens, provider marketplace approval, audit logs, and rollback-safe ticket or CRM writes.
Release freshness
The machine-readable release marker at /api/public/release-status shows whether the live Worker is the current candidate. It is not a launch-readiness badge; dry run, deploy, live monitor, payment, and customer install proof are still required.
Data map
- Approved website sources: used to answer visitors with proof; owner can edit, replace, audit, export, and roll back supported snapshots.
- Visitor conversations and feedback: used for owner inbox, proof-gap repair, lead follow-up, and quality checks.
- Lead details: submitted by visitors for human follow-up; exported privately for the owner.
- Payment records: used only to verify checkout, activation, billing portal access, renewals, and plan status.
- Operational events: install checks, source health, quota warnings, notification receipts, and error visibility for reliability work.
Machine-readable status
The structured version of this truth ledger is available at /api/public/trust-status.
Contact
Questions: hello@siterep.net