When you hire a vendor to handle your outreach, manage your customer data, or run automations on your behalf, you're giving them access to something that matters: your business relationships. A breach, a misconfiguration, or a dependency vulnerability in their stack doesn't just expose data — it can expose your customers' information and, depending on your industry, create real liability.
The LiteLLM vulnerability that surfaced in 2024 is a good example of how this works in practice. LiteLLM is a widely used open-source proxy layer that routes requests between applications and AI models. A flaw in how it handled dependencies allowed attackers to access sensitive data passing through it, including API keys and customer information. Many of the businesses affected had no idea the tool was even part of their stack: it was a dependency of a dependency.
What this means if you use AI vendors
You don't need to understand the technical details of dependency management to ask the right questions. If you're evaluating any AI vendor — for outreach, customer service, scheduling, or anything else that touches customer data — here's what to ask:
- Where does my data go? Which third-party services does the vendor's system talk to? OpenAI, Google, AWS — these are common and generally fine. But if they can't tell you, that's a problem.
- Is data stored, and for how long? Some tools log every API call including message content. Others process and discard. Know which you're dealing with.
- What happens if there's a breach? Do they have a disclosure policy? Have they had incidents before? How did they handle it?
- Do they update their stack regularly? Unpatched dependencies are the most common attack surface. A vendor running on outdated libraries is a liability.
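The "dependency of a dependency" problem and the last question above (does the vendor keep its stack patched) come down to one check a vendor can run on its own software: walk the full dependency tree, not just the packages it installed directly, and compare every pinned version against known advisories. The script below is an added illustration of that check, not code from this page or from Powell Up; the package names, versions and advisory list are constructed placeholders, not real release data or real advisories.

```python
"""Walk a dependency graph and report every transitive dependency that is
pinned below the fix version in an advisory list, with the path that pulls it in.

Added example: the graph and advisory list are constructed placeholders, not
real package metadata or real advisories.
"""
from collections import deque

# Constructed dependency graph: package -> (pinned version, direct dependencies).
DEPENDENCY_GRAPH = {
    "outreach-app": ("1.0.0", ["mailer-sdk", "crm-connector"]),
    "mailer-sdk": ("2.3.1", ["ai-proxy"]),
    "crm-connector": ("0.9.0", ["http-client"]),
    "ai-proxy": ("1.4.0", ["http-client", "yaml-lib"]),
    "http-client": ("3.2.0", []),
    "yaml-lib": ("5.1.0", []),
}

# Constructed advisory list: package -> first version that contains the fix.
ADVISORIES = {
    "ai-proxy": "1.5.0",
    "yaml-lib": "5.4.0",
}


def parse_version(version):
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def transitive_dependencies(root, graph):
    """Return {package: path_from_root} for every package reachable from root.

    Breadth-first, so the recorded path is a shortest chain from the root to
    the package; that chain is what tells you which direct dependency is
    pulling in a deep, otherwise invisible one."""
    paths = {}
    queue = deque([(root, [root])])
    while queue:
        pkg, path = queue.popleft()
        for dep in graph.get(pkg, ("", []))[1]:
            if dep not in paths:
                paths[dep] = path + [dep]
                queue.append((dep, path + [dep]))
    return paths


def find_vulnerable(root, graph, advisories):
    """Return findings for every reachable package pinned below its fix version.

    Each finding records the package, pinned and fixed versions, how deep in the
    tree it sits (1 = direct dependency) and the chain that pulls it in.
    Packages missing from the graph are skipped rather than guessed at."""
    findings = []
    for pkg, path in transitive_dependencies(root, graph).items():
        if pkg not in graph:
            continue
        pinned = graph[pkg][0]
        fixed = advisories.get(pkg)
        if fixed and parse_version(pinned) < parse_version(fixed):
            findings.append({
                "package": pkg,
                "pinned": pinned,
                "fixed": fixed,
                "depth": len(path) - 1,
                "path": " -> ".join(path),
            })
    # Shallow findings first: those are the ones a direct upgrade resolves.
    return sorted(findings, key=lambda f: f["depth"])


if __name__ == "__main__":
    for f in find_vulnerable("outreach-app", DEPENDENCY_GRAPH, ADVISORIES):
        print(f"{f['package']} {f['pinned']} (fixed in {f['fixed']}), "
              f"depth {f['depth']}: {f['path']}")
```

In the constructed graph neither flagged package is something the application installed directly: one sits two levels down, the other three. That is the situation the LiteLLM paragraph describes, and it is why "which libraries did you install?" is the wrong question to a vendor; the useful one is whether they inventory and patch the whole tree.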
What responsible vendors do differently
Vendors who take this seriously will be able to answer those questions without hesitation. They'll have an answer for what data they store and where. They'll run on updated infrastructure. They'll use encrypted connections for everything. They won't log customer email content or PII beyond what's operationally necessary.
This isn't about being paranoid — most small business outreach isn't high-stakes from a data sensitivity standpoint. But it is about not handing your customer relationships to a vendor who hasn't thought about this at all.
The minimum bar for any outreach tool
At minimum, any tool that sends email on your behalf should: use HTTPS for all connections, not store email body content beyond what's needed for tracking, honor opt-outs immediately, and be able to export your data on request. These aren't advanced requirements — they're table stakes.
If you want to know exactly how Powell Up handles this — what's stored, what's not, and how customer data is treated — that's a normal question to ask before you sign up. Book a call and we'll walk through it.