When a business pays for an AI agent, they are trusting a company with their customer conversations, their lead data, and their brand reputation. This paper examines the infrastructure standards that small AI service companies can adopt to build that trust, using tools that are affordable, well-documented, and transparent enough for clients to verify. The entire enterprise-grade stack costs under $50/month.
A fitness studio owner is evaluating two AI chatbot providers. One sends a polished sales deck. The other sends a link to their public changelog, their database provider's security page, and their deployment pipeline documentation. The studio owner does not understand half of it. But she can see that the second company operates in the open. She signs with them. Trust is not a feeling. It is evidence.
The Trust Problem
When a business pays for an AI agent on their website, they are not just buying software. They are trusting a company with their customer conversations, their lead data, and their brand reputation. The agent speaks on their behalf. If it goes down, their website looks broken. If it gives wrong information, their customers lose confidence.
For small AI service companies, the challenge is not building the technology. The technology works. The challenge is proving to clients that their data is safe, their agent will stay online, and the company behind it operates with the same discipline as the enterprise tools they are replacing.
The Stack That Clients Can Verify
The most effective trust signal for a small AI company is not a sales pitch. It is a stack that clients can independently verify. When a client can look up your database provider, your hosting platform, and your deployment pipeline and confirm that each one is a recognized, audited service, trust is earned without a conversation.
Database: Supabase (PostgreSQL)
Supabase is an open-source database platform built on PostgreSQL, a widely deployed relational database in production systems worldwide. PostgreSQL has been in active development since 1986 as part of the POSTGRES project at UC Berkeley and powers companies including Apple, Instagram, and Spotify [1].
Row-Level Security (RLS). Every query is filtered by policy before execution. A client's data is invisible to other clients at the database level, not just the application level [2]. This is the same isolation model used by enterprise SaaS platforms.
Point-in-Time Recovery. Supabase provides continuous backups with the ability to restore to any point in time [3]. If a bad deployment corrupts data, the database can be rolled back without losing other clients' information.
SOC 2 Type II Compliance. Supabase has completed SOC 2 Type II certification, meaning an independent auditor has verified their security controls over an extended period. Supabase undergoes SOC 2 audits yearly to verify that its data management practices comply with the Trust Services Criteria [2].
Open Source. The entire Supabase platform is open source [2]. Clients or their technical advisors can inspect the code that manages their data. There is no black box.
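The row-level security isolation described above, as an added PostgreSQL example (not Polylogic AI's or Supabase's own code). The `conversations` table, the `app.client_id` setting and the policy name are hypothetical, and the API is assumed to set `app.client_id` per request after authenticating the caller.

```sql
-- Hypothetical table: one row per chat message, tagged with the owning client.
create table conversations (
  id         bigint generated always as identity primary key,
  client_id  uuid        not null,
  message    text        not null,
  created_at timestamptz not null default now()
);

-- RLS is off by default; no policy is enforced until it is enabled.
alter table conversations enable row level security;
-- Table owners skip RLS unless it is forced.
alter table conversations force row level security;

-- Assumption: after authenticating the caller, the API runs
--   select set_config('app.client_id', '<client uuid>', true);
-- inside the request's transaction. A missing or empty setting yields NULL,
-- so the comparison is never true and no rows are visible (fails closed).
create policy client_isolation on conversations
  for all
  using      (client_id = nullif(current_setting('app.client_id', true), '')::uuid)
  with check (client_id = nullif(current_setting('app.client_id', true), '')::uuid);

-- Check 1: tables in the public schema that are NOT protected by RLS.
select c.relname
  from pg_class c
  join pg_namespace n on n.oid = c.relnamespace
 where n.nspname = 'public'
   and c.relkind in ('r', 'p')
   and not c.relrowsecurity;

-- Check 2: roles that bypass every policy (superusers and BYPASSRLS roles).
select rolname from pg_roles where rolsuper or rolbypassrls;
```

On Supabase the `service_role` key runs as a role that bypasses RLS, so isolation holds only for requests made under a role that is subject to the policies, and that key has to stay server-side.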
Hosting: Vercel
Vercel is the deployment platform built by the creators of Next.js, a React framework used by companies including Walmart, Nike, and TikTok [4].
Automatic deployments. Every push to the main branch triggers a build, runs checks, and deploys to production. There is no manual step where a developer drags files to a server. The deployment is auditable through git history.
Preview deployments. Every pull request generates a unique URL where changes can be reviewed before they reach production. Clients can be invited to preview changes to their agent before they go live.
Edge network. Vercel serves from multiple edge locations globally [5]. Response times for the chat widget are consistently under 100ms regardless of the visitor's location.
Uptime. Vercel reports a high uptime SLA on their Pro tier [12]. For a client whose chatbot handles after-hours inquiries, uptime is directly tied to revenue.
DNS and Security: Cloudflare
Cloudflare provides DNS, DDoS protection, and email routing. Over 20% of all websites use Cloudflare for DNS [6].
SSL/TLS encryption. All traffic between visitors and the chatbot is encrypted. Cloudflare manages certificate provisioning and renewal automatically.
Email routing. Professional email addresses route to a central inbox without requiring a paid email provider.
DDoS protection. If a competitor or bad actor attempts to take down a client's chatbot, Cloudflare absorbs the traffic before it reaches the application. Cloudflare provides unmetered DDoS protection across layers 3, 4, and 7 on all plans [10].
Version Control: GitHub
GitHub is the industry standard for source code management, used by over 100 million developers [7].
Complete audit trail. Every change to every file is recorded with a timestamp, author, and description. If a client asks “what changed on my agent last week,” the answer is in the git log.
Branch protection. The main branch can be protected so that changes require review before merging. This prevents accidental deployments of untested code.
Automated testing. GitHub Actions can run tests on every push, ensuring that changes to one client's agent do not break another client's service.
Version Management for AI Agents
AI agents present a unique versioning challenge. Traditional software has one codebase. An AI agent has three layers that change independently: the platform (frontend, API routes, dashboard, widget), the model (which AI provider, which model version, what parameters), and the knowledge base (scraped content, business-specific data). Each layer needs its own versioning strategy.
Platform Versioning
The platform follows semantic versioning (SemVer) [8]: MAJOR.MINOR.PATCH. Major changes break backward compatibility, minor changes add functionality, patch changes fix bugs or polish. Every change is recorded in a changelog table in the database with a category, description, and timestamp. This changelog is publicly visible on the website. Clients can see exactly what is improving and when.
Agent Versioning
Each agent prompt version is stored as a separate record in the database. When a prompt is updated, a new version is created. The old version is never deleted or overwritten. Any client can be rolled back to a previous agent version instantly, A/B testing between prompt versions is possible, and the exact prompt that generated any historical conversation can be retrieved.
Knowledge Base Versioning
Every time a client's website is re-scraped, the new content is stored alongside a hash of the previous version. If the new scrape produces worse agent responses, the previous knowledge base can be restored.
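The append-only storage described under Agent Versioning and Knowledge Base Versioning, as an added PostgreSQL example (not Polylogic AI's schema). All table, column and trigger names are hypothetical, and the scraper is assumed to compute the SHA-256 hashes before inserting.

```sql
-- Hypothetical schema: every prompt and every scrape is a new row.
create table agent_prompt_versions (
  agent_id   uuid        not null,
  version    int         not null,
  prompt     text        not null,
  created_at timestamptz not null default now(),
  primary key (agent_id, version)
);

create table kb_snapshots (
  agent_id     uuid        not null,
  version      int         not null,
  content      text        not null,
  -- SHA-256 of content, computed by the scraper (assumption).
  content_hash bytea       not null check (octet_length(content_hash) = 32),
  -- content_hash of the snapshot this one replaced; null for the first scrape.
  prev_hash    bytea,
  created_at   timestamptz not null default now(),
  primary key (agent_id, version)
);

-- Old versions are never overwritten or deleted: reject UPDATE and DELETE.
-- Row triggers do not fire on TRUNCATE, so that privilege must be revoked too.
create function reject_mutation() returns trigger language plpgsql as $$
begin
  raise exception '% is append-only', tg_table_name;
end $$;

create trigger prompt_versions_append_only
  before update or delete on agent_prompt_versions
  for each row execute function reject_mutation();
create trigger kb_snapshots_append_only
  before update or delete on kb_snapshots
  for each row execute function reject_mutation();

-- The live agent only points at versions, so rollback is a pointer change.
create table agents (
  id             uuid primary key,
  prompt_version int  not null,
  kb_version     int  not null,
  foreign key (id, prompt_version) references agent_prompt_versions (agent_id, version),
  foreign key (id, kb_version)     references kb_snapshots (agent_id, version)
);

-- Roll one agent back to prompt version 3 (constructed id).
update agents set prompt_version = 3
 where id = '00000000-0000-0000-0000-000000000001';
```

Retrieving the exact prompt behind a historical conversation additionally requires each conversation row to record the `prompt_version` that was active when it was generated.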
The Cost of Transparency
One objection to this level of infrastructure discipline is cost. But enterprise-grade tools have become remarkably accessible. The entire stack described in this paper is available at a fraction of what equivalent infrastructure cost five years ago.
| Service | What It Provides | Monthly Cost | Compliance |
|---|---|---|---|
| Supabase | Database, auth, backups, row-level security | Free tier / $25 Pro | SOC 2 Type II |
| Vercel | Hosting, preview deployments, edge network | Free tier / $20 Pro | SOC 2 Type II, ISO 27001 |
| Cloudflare | DNS, SSL, email routing, DDoS protection | Free | SOC 2 Type II, ISO 27001 |
| GitHub | Version control, CI/CD, audit trail | Free tier / $4 Pro | SOC 2 Type II |
| OpenAI API | AI model responses | ~$1 (usage-based) | SOC 2 Type II |
| Total | | < $50/mo | |
Pricing based on vendor public pricing pages as of March 2026. Costs vary by usage. Free tiers are subject to vendor-defined limits [3].
Every service in this stack is independently auditable. Clients can verify each provider's security certifications, uptime records, and compliance standards without relying on our word alone.
Potential Risks and Limitations
While the proposed infrastructure standards can help build client trust, there are potential risks and limitations to consider.
Scalability challenges. As the number of clients grows, the infrastructure may need to be scaled up to handle increased traffic and data storage.
Alternative tools. Other tools and services may be available that can provide similar functionality at a lower cost or with greater flexibility.
Security threats. Despite the use of secure protocols and encryption, there is always a risk of security breaches or data leaks.
To mitigate these risks, it is essential to regularly review and update the infrastructure, monitor performance and security, and consider alternative tools and services as they become available.
What Clients Should Ask Their AI Provider
Any business evaluating an AI chatbot service should ask these five questions.
Where is my data stored?
The answer should name a specific provider with a security page you can visit.
What happens if the service goes down?
The answer should reference an uptime SLA and a status page.
Can I see what changed on my agent?
The answer should point to a changelog or version history.
How do you prevent one client's data from leaking to another?
The answer should reference row-level security [2] or equivalent database isolation.
What happens to my data if I cancel?
The answer should specify a retention period and deletion process.
If the provider cannot answer these questions with specifics, the client's data is not being handled with the care it deserves.
Conclusion
Small AI service companies do not need to build their own infrastructure to earn client trust. They need to choose infrastructure that is transparent, auditable, and well-documented. Supabase, Vercel, Cloudflare, and GitHub provide enterprise-grade capabilities at startup-friendly prices. The discipline is not in the tools. It is in using them correctly: versioning every change, backing up every database, protecting every branch, and making the changelog public.
If you are evaluating AI service providers, ask for specifics. If the answers are vague, the infrastructure probably is too. The companies that will win in AI services are not the ones with the most advanced models. They are the ones whose clients sleep well knowing their data is handled properly.
Methodology
This paper documents the infrastructure stack used by Polylogic AI as of March 2026, with cost and security claims verified against vendor documentation and public pricing pages. All compliance certifications referenced (SOC 2 Type II, ISO 27001) were confirmed through official vendor security pages. Pricing data reflects published free and Pro tier rates at the time of writing.
Vendor Disclosure
Polylogic AI is a paying customer of Supabase, Vercel, Cloudflare, GitHub, and OpenAI. This paper describes our production infrastructure and is based on publicly available vendor documentation and pricing. We have no affiliate, sponsorship, or referral relationship with any vendor mentioned. All claims about security certifications, pricing tiers, and platform capabilities are sourced from each vendor's official documentation as cited below.
Sources
1. PostgreSQL Global Development Group. “About.” postgresql.org/about
2. Supabase. “Security.” supabase.com/security
3. Supabase. “Pricing.” supabase.com/pricing
4. Vercel. “Customers.” vercel.com/customers
5. Vercel. “Infrastructure.” vercel.com/docs/infrastructure
6. W3Techs. “Usage Statistics of Cloudflare.” w3techs.com/technologies/details/cn-cloudflare
7. GitHub. “About.” github.com/about
8. Preston-Werner, T. “Semantic Versioning 2.0.0.” semver.org
9. AICPA. “SOC 2 - SOC for Service Organizations: Trust Services Criteria.” aicpa-cima.com/topic/audit-assurance
10. Cloudflare. “DDoS Protection and Mitigation.” cloudflare.com/ddos
11. Supabase. “SOC 2 Compliance.” supabase.com/docs/guides/security/soc-2-compliance
12. Vercel. “Security and Compliance.” vercel.com/docs/security