01 Entity & Jurisdiction
| Legal Entity | Routbox Inc. |
|---|---|
| Entity Type | C Corporation |
| State of Incorporation | Delaware, United States |
| Operating Jurisdiction | United States |
| Installation Partner | Wiztec LLC (California) · CA Lic. 1149874 |
| Tax Residency | United States |
| Foreign Ownership | None |
Routbox Inc. is a US-domiciled, US-operated company. There is no foreign ownership and no offshore parent or holding structure. All commercial contracting is performed by the Delaware entity.
02 Data Residency
Customer data is processed and stored in the United States. All infrastructure providers we use are US-domiciled with US-region storage selected by default:
| Component | Provider | Region |
|---|---|---|
| Application database | Supabase (Postgres) | US (AWS us-east) |
| Web hosting / edge | Vercel · Cloudflare | Global edge, US origin |
| Payment processing | Stripe | US |
| Transactional email | Resend | US |
| Error monitoring | Sentry | US |
| AI inference (where used) | Anthropic (Claude API) | US |
Cynact deployments: Building automation telemetry is processed on-premises at the customer site via the local edge node. Only aggregated state and configuration data is transmitted to our US cloud. We do not store continuous raw video.
03 Hardware Supply Chain
For Cynact deployments, we standardize on US-manufactured industrial hardware to support customers with NDAA Section 889, TAA, and Buy American requirements:
- Edge compute: Protectli, OnLogic — US-manufactured fanless industrial systems
- Sensor / automation nodes: Apollo Automation — US-assembled, open-firmware presence and environmental sensors
- Networking: US-sourced switches and firewalls with NDAA-compliant supply chain
We avoid components from entities listed under NDAA Section 889 (Huawei, ZTE, Hytera, Hikvision, Dahua) across cameras, networking, and AV equipment used in deployments.
04 Regulatory Posture
| Regulation | Status | Notes |
|---|---|---|
| NDAA Section 889 (covered telecom) | Compliant by design | No prohibited vendors in supply chain |
| TAA (Trade Agreements Act) | Compliant for hardware stack | US-manufactured components only |
| CCPA / CPRA (California) | Compliant | See Privacy Policy |
| GDPR (EU/UK) | Compliant — SCCs in place | Standard Contractual Clauses with sub-processors |
| EU AI Act (transparency) | Aligned | Effective Aug 2026 requirements addressed |
| Section 508 / WCAG 2.1 AA | In progress | Accessibility audit Q3 2026 |
05 Certifications & Frameworks
| SOC 2 Type II | Program in progress · Target: Q4 2026 |
|---|---|
| NIST Cybersecurity Framework (CSF) | Aligned · Internal controls mapped |
| ISO 27001 | Roadmap · 2027 |
| HIPAA | Not required today · Available on request for healthcare deployments |
| PCI DSS | Out of scope · Payments handled by Stripe (Level 1 PCI DSS certified) |
06 Security Practices
- Encryption in transit: TLS 1.3 enforced on all customer-facing endpoints
- Encryption at rest: AES-256 for database and backup storage
- Row-Level Security (RLS) for strict tenant isolation
- Multi-factor authentication (MFA) required for all administrative access
- Cloudflare Zero Trust network access for internal services
- Automated monitoring, alerting, and incident response runbooks
- Annual penetration testing (commencing Q3 2026 alongside SOC 2 program)
- Local-first architecture: building automation data is processed on the customer's premises by default — minimizing data exposure
07 Procurement Documents
For evaluation by procurement, security, and legal teams:
- Privacy Policy — routbox.com/privacy
- Master Service Agreement (MSA) template — available on request
- Data Processing Agreement (DPA) — available on request
- Sub-processor list — see Section 02 above; full list maintained on request
- SOC 2 readiness letter — available on request
- Insurance certificates — Cyber, E&O, General Liability available on request
Procurement contact: compliance@routbox.com · Response within 5 business days for standard RFPs and security questionnaires (SIG, CAIQ, custom).