— Surface 05 · Privacy & data residency · CISO-ready

What stays. What crosses.

The slide every grocer's CISO asks for. Real-time inventory, loyalty IDs, store pricing, vector embeddings — all in the grocer's tenant. Only product-level intelligence queries cross to Delectable SaaS, with an opaque shopper handle plus consent scopes. Walk this with the CISO in the discovery workshop — most legal teams sign off in 30 minutes.

What stays in the grocer's tenantCustomer GCP project

  • Real-time inventory · BigQuery, per-store partitions
  • Loyalty IDs + transaction history · Cloud SQL · never leaves
  • Store-level pricing + promo rules · BigQuery + pricing rule engine
  • Vector embeddings of catalog · pgvector + Vertex Vector Search
  • PII (names, addresses, payment methods) · Cloud SQL · encrypted at rest with CMEK
  • Shopper session state · Memorystore Redis · cleared per session
  • Logs, traces, audit trail · Cloud Logging · retention per grocer policy
  • Catalog enrichment outputs · BigQuery + GCS · grocer's data, grocer's bucket
A2A boundary

What crosses to Delectable SaaSMulti-tenant SaaS via A2A callback

  • Product intelligence queries — "vegan substitute for SKU X?"
  • Mission classification — "treat this as a weekly stock-up"
  • Recipe / meal-plan generation — ingredient-list to plan
  • Opaque shopper handlesha256(loyalty_id + tenant_salt)
  • Consent scopes — declared by grocer, signed JWT
  • Dietary preferences — only if explicitly scoped in consent
✕ Never crosses: raw PII, payment data, transaction history, store-level analytics, anything not strictly required for the query.
— Why this design

Hybrid-tenant is the architecture grocers approve in 30 days.

01

Data residency

Every byte of grocer + shopper data sits in the grocer's chosen GCP region. Multi-region or in-region — their call. CMEK-encryptable.

02

SOC 2 Type II

Delectable's controls are audited annually. Letter available under NDA. Grocer's CISO gets the executive summary in the workshop.

03

Zero-trust by design

The gateway never opens an outbound connection to Delectable that isn't authenticated, scoped, and audited. A2A protocol enforces it.

Walk this with the grocer's CISO. Deal moves.

Most grocers' security review process expects 6-9 months on an AI vendor. Walking this diagram in the discovery workshop has historically compressed it to under 30 days. Bring the SOC 2 Type II report; offer the customer's CISO a direct line to the Delectable security lead.

↪ Need the wire-level integration topology? The Delectable integration flows interactive shows every connector — PIM, loyalty, OMS, payments, plus Azure / AWS / Databricks bridges — and exactly which payloads cross the tenant boundary.

→ Co-sell playbook