Customer Data Security at Turbo:
Mitigation Architecture for Chief
Prepared for Shannon Beckham · CEO, Chief AI
From Jeremy Topp, CEO @ Turbo · 2026-04-25
Your concern, stated plainly
Chief's customer data — mayors, sitting CEOs, congressional pilots —
is insider-trading-sensitive. Your bar from our Apr 21 conversation: scoped
engineer access, at least one named US citizen accountable for any production
data work, and a story you can defensibly tell your customers. Reasonable, and
exactly the posture we already run for several clients with regulated or
market-sensitive data. We don't gate this on hiring a US engineer for your
squad — the architecture below removes the need.
Three layers, used as a stack
1. Architectural separation — the actual solve (Foundational)
Production data never leaves the environment you control. The engineering squad
works in an isolated dev environment against synthetic / scrubbed datasets
generated from your schema.
- Read-only repo access by default; no database query rights.
- No exfiltration paths — no downloads, VPN-gated, fully audit-logged.
- Every commit PR-reviewed by a US-citizen Turbo principal before it touches anything prod-adjacent.
- Deployment gated through you. We do not deploy to your production ourselves.
- Same architecture we run for fintech, healthtech, insurance, and edtech clients with sensitive data — institutional pattern, not bespoke.
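The synthetic / scrubbed dataset pattern in layer 1, shown as an added worked example in Python (the stack named later in this memo). This is illustrative code written for this page, not Turbo's or Chief's tooling. The schema, the sample "real" rows and the field names are constructed; the HMAC key stands in for a secret that would stay inside the production environment and never reach the dev environment. The example covers both paths the layer describes: generating data from the schema alone, and scrubbing real-shaped rows so that every PII field is replaced by a keyed pseudonym, plus the check a reviewer would run before any dataset is allowed into the dev environment.

```python
import hashlib
import hmac
import random
import string

# Constructed schema description (hypothetical). Each field carries a sensitivity
# class: "key" and "public" values may be reproduced, "pii" values may not.
SCHEMA = {
    "customer": [
        ("id", "int", "key"),
        ("full_name", "str", "pii"),
        ("email", "str", "pii"),
        ("organization", "str", "pii"),
        ("plan", "enum:basic,premium,enterprise", "public"),
        ("signup_year", "int", "public"),
    ]
}

# Constructed sample of what real rows would look like. Obviously fake values;
# they exist only so the leak check below has something to catch.
REAL_SAMPLE = [
    {"id": 1, "full_name": "Example Person", "email": "person@example.com",
     "organization": "Example Org", "plan": "premium", "signup_year": 2024},
]


def generate_synthetic(schema, table, n, seed=0):
    """Build n rows from the schema alone. No real record is ever read, so the
    output cannot contain a customer value. Seeded for reproducible fixtures."""
    rng = random.Random(seed)
    rows = []
    for i in range(1, n + 1):
        row = {}
        for name, ftype, _sens in schema[table]:
            if ftype == "int":
                row[name] = i if name == "id" else rng.randint(2015, 2026)
            elif ftype.startswith("enum:"):
                row[name] = rng.choice(ftype[len("enum:"):].split(","))
            else:
                token = "".join(rng.choices(string.ascii_lowercase, k=10))
                row[name] = f"{name}-{token}"
        rows.append(row)
    return rows


def scrub(rows, schema, table, key):
    """Replace every pii-tagged value with a keyed pseudonym. The same input maps
    to the same pseudonym, so joins and duplicate detection still behave in the
    dev environment, but reversing the mapping requires `key`, which stays on
    the production side."""
    out = []
    for row in rows:
        clean = {}
        for name, _ftype, sens in schema[table]:
            value = row[name]
            if sens == "pii":
                digest = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
                clean[name] = f"{name}_{digest[:12]}"
            else:
                clean[name] = value
        out.append(clean)
    return out


def leaked_values(dataset, real_rows, schema, table):
    """Release gate: return every pii value from real_rows that still appears
    anywhere in dataset. An empty set means the dataset is clear to move."""
    sensitive = {str(r[name]) for r in real_rows
                 for name, _ftype, sens in schema[table] if sens == "pii"}
    return {str(v) for row in dataset for v in row.values() if str(v) in sensitive}


if __name__ == "__main__":
    synthetic = generate_synthetic(SCHEMA, "customer", 3, seed=42)
    scrubbed = scrub(REAL_SAMPLE, SCHEMA, "customer", key=b"prod-side-secret")
    print("synthetic:", synthetic[0])
    print("scrubbed: ", scrubbed[0])
    print("leaks in synthetic:", leaked_values(synthetic, REAL_SAMPLE, SCHEMA, "customer"))
    print("leaks in scrubbed: ", leaked_values(scrubbed, REAL_SAMPLE, SCHEMA, "customer"))
```

Two design points matter for the posture in the memo. The synthetic path needs only the schema as input, so it can be run by the squad without any production credential. The scrub path does touch real rows and therefore belongs on the production side, run by the named accountable party; the keyed pseudonym keeps referential structure for debugging while the HMAC key never leaves that environment, and `leaked_values` is the check that should pass before a scrubbed export is copied anywhere the squad can read it.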
2. US-citizen accountability tier (Named on contract)
The named US-citizen accountable party for any production data work is on the
contract, on paper, with logged accountability.
- Jeremy Topp (US citizen, US Naval Officer, founder) named on the MSA as the US-citizen accountable party for any production data access.
- Cami Vargas (lawful permanent resident / green card) — covered under US insider-trading and export-control regimes.
- Turbo, Inc. is a Delaware C-corp. US legal accountability for any breach.
- If real-data debugging is ever required, Jeremy is the only one with prod access — logged, time-bounded, and only with your explicit go-ahead per incident.
3. Personnel + legal armor (Per-individual)
Every PM and engineer on a Turbo squad is screened, vetted, and individually
contracted with personal access requirements baked in.
- Five-layer screening on every hire: CV agent, behavioral screen (Ethan), technical homework, skills assessment with our CTO (Adolfo), soft-skills + culture call (Cami) — followed by references and background checks.
- Vanta cybersecurity screening being added as an additional layer (in process).
- Every PM and engineer signs a per-individual NDA with personal access requirements institutionalized in their employment contract — not just an entity-level NDA.
- Active commercial general liability + cyber-relevant coverage in force (Hartford-backed BOP via NEXT, $1M / $2M aggregate). COI available on request.
- Indemnification language specific to data misuse can be added to the MSA.
What this means for Chief, specifically
The two tier-1 customers you flagged — the Mayor of Denver and the CEO of
Dow Jones — are protected by design: none of their customer-record data
ever reaches a non-US engineer. Your Congressional pilots clearing security
review get the same posture, with Jeremy as the named US-citizen point of
contact for any auditor on your side.
- Bug fixes and feature work happen against scrubbed data we generate from your schema. We never query your prod DB.
- Production deployment stays with you. We hand you tested, reviewed code; you ship it.
- One contractually named US-citizen owner for any real-data exception path. Logged, time-bounded, your call.
- Defensible story to your customers: "No foreign national has accessed your data. Our US-citizen point of contact is on the contract and is the only person with production access."
How we get started
Engagement · First two weeks
Standard Turbo squad — security architecture wired in from day one
- Day 1: 30-min walkthrough with Adolfo (CTO) on the environment design specific to your stack (Django/Python/React).
- Day 2–3: MSA + per-engineer NDAs signed, including insider-trading clause and US-citizen accountability provision. Jeremy named on contract.
- Day 4–5: Read-only repo access provisioned. Synthetic dataset generation from your schema. Audit logging in place.
- Thursday before launch: Sit-down with you and the squad — goals, priorities, code review, bug triage.
- Monday standing: Priorities + thought-partner session. Slack access throughout. Weekly ship cadence.