Last updated: August 2025
This platform sends coaching emails to your engineers. No logins, dashboards, integrations, or SSO.
Every Monday, cron starts 1-on-1 email threads (about SEV-1 prevention) with your engineers. The Rails app receives a webhook when they reply, and sends back the results of a few GPT prompts. That's it.
No customer data is collected. If users type it into a reply anyway, the LLC carries $1M E&O + $1M Cyber coverage. No SOC 2 yet.
You will receive a pre-signed MSA during the trial period. It includes a required DPA as well.
Liability is capped at 5x the fees paid across your entire contract, even if multi-year. This excludes serious misconduct liability (e.g., IP infringement), which is uncapped as it should be.
Replicate does not support RFPs, redlines, or vendor portals. It's a simple product, sold as-is.
All infra is provisioned/managed by Heroku (in the us-east-1 AWS region, with Heroku's HA failover).
All data is encrypted at rest using AES-256, and in transit with TLS 1.2 or higher.
Visitor state is not stored. No logins, no Google Analytics, no cookies, and no policies for technology that isn't in use. When SCIM is released, admins who opt in will receive a single Ruby on Rails session ID cookie.
Heroku Postgres maintains rolling database backups, and prunes old snapshots automatically over time. Backups can be restored in minutes, and are captured at least once every 24 hours.
Administrative actions (e.g., organization deletions) are logged immutably and retained for 12 months in secure, append-only S3 buckets.
The codebase is continuously scanned using GitHub Dependabot to patch vulnerable libraries. Critical vulnerabilities are patched within 7 days of public disclosure.
PagerDuty maintains a 24/7 on-call schedule. In the event of a confirmed incident, impacted customers will receive a root cause analysis + remediation summary (from security@replicate.info) within 72 hours.
Coaching is delivered by email. No sessions, passwords, or user-managed devices.
SCIM is planned as an optional enhancement for 2026. Administrators currently manage access by emailing personnel changes to support@replicate.info. They will soon be able to log in to a secure admin portal (via Auth0 SSO) to manage team members and billing. No user tracking, just logistics.
If you sign up a few weeks before that launch, the change will be opt-in. GRC and security teams will have as much time as they need to validate and approve or deny the process change.
Engineers get automatically unsubscribed after 3 weeks without replies. The final email includes a link to resume coaching. If they're not into it, the product just fades away until they want it back.
Inactive conversations are automatically deleted after 3 months. Until then, that data is used to reconstruct the thread history when engineers reply a few weeks later. No AI training. Email support@replicate.info to request immediate deletion; it won't get stuck in a Postgres backup forever.
If the business is ever spun down, you will receive advance notice, full source code, your data, and next steps. Support will remain available during the shutdown window. Current contracts will be fulfilled.
All vendors are GDPR compliant, offer Standard Contractual Clauses (SCCs), and underwent security review prior to onboarding. This is the full list. No other products (e.g., Google Analytics) interact with your data.
Used for infrastructure and encrypted storage. All workloads run in isolated containers with HTTPS enforced and AES-256 encryption at rest.
OpenAI's API powers the real-time content generation for coaching emails. None of your data is persisted by OpenAI. None of it is used to train their models. The prompting is ephemeral.
Used for transactional email delivery. No open/click tracking. No marketing newsletters.
Used for delivering and processing invoices. No auto-renewal. You manually approve every payment.