Back to home

Security

An honest overview of how we protect your data. No overclaiming — just what we actually do.

Infrastructure

Pitch|Parse runs on Supabase-hosted PostgreSQL. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database backups are automated and encrypted. Our application server runs in a containerized environment with no direct database access from the public internet.

Authentication

User authentication is handled by Supabase Auth. Passwords are hashed using bcrypt before storage — we never store plaintext passwords. Sessions use short-lived JWT tokens with automatic refresh. Rate limiting is enforced on login and signup endpoints to prevent brute-force attacks.

Data Isolation

Every database query is scoped to your organization using PostgreSQL Row Level Security (RLS) policies. This means your data is isolated at the database level — not just the application level. One organization cannot access another's transcripts, analyses, or reports, even if a bug exists in the application code.

Payment Security

All payment processing is handled by Stripe, which is PCI DSS Level 1 compliant. We never see, store, or process your credit card numbers. Payment information goes directly from your browser to Stripe's servers.

API Security

  • Rate limiting: Authentication endpoints are rate-limited (5 signups/min, 10 logins/min) to prevent abuse.
  • CORS: Cross-origin requests are restricted to allowed origins only.
  • Security headers: HSTS, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers are set on all responses.
  • Input validation: All API inputs are validated using Pydantic models before processing.

Data Processing

When you submit a call for analysis, transcript content is sent to Anthropic's Claude API for scoring and coaching generation. If you upload audio, it is sent to Deepgram for transcription. Both processors handle data under strict data processing agreements and do not use your data for model training.

Transcripts are treated as data, not instructions — we maintain separation between user content and system prompts to mitigate prompt injection risks.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly. Contact us at security@pitchparse.com. We will acknowledge your report within 48 hours and work with you to understand and address the issue.

Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them.

Questions?

For security-related inquiries, reach out to security@pitchparse.com. For general data privacy questions, see our Privacy Policy.