Encryption
- In transit: All connections use TLS 1.3. HTTP redirects to HTTPS. HSTS preload enabled.
- At rest: Firestore data is encrypted with AES-256 by Google Cloud. Storage objects (logos, attachments) are encrypted with the same standard.
- Secrets: API keys for AI providers, Razorpay, and Resend are stored as encrypted environment variables in Vercel. Firebase Admin SDK private keys never touch the client bundle.
Authentication
- Email/password authentication uses Firebase Auth, which hashes passwords with scrypt (Firebase's modified scrypt); we never see or store plaintext passwords.
- Google Sign-In via OAuth 2.0.
- Server sessions are JWT-based, signed by the Firebase Admin SDK, stored in HTTP-only secure cookies with 14-day expiry and sliding renewal.
- Two-factor authentication is on the roadmap (priority for Pro tier).
Data isolation
- Every Firestore read/write goes through security rules that enforce per-agency access. An agency can never read another agency’s proposals, even if they guess the document ID.
- Public proposal pages (/p/[publicId]) use 12-character nanoid IDs (cryptographically random, ~71 bits of entropy), which makes enumerating valid links infeasible. Anyone holding a link can open that proposal, so treat the link itself as the access credential.
- Server-side API routes verify the session cookie before any data access. Unauthenticated requests get 401.
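One shape of per-agency Firestore security rules that produces the behaviour described above, written here as an added illustration rather than AgencyPitch's actual ruleset. The collection layout (agencies/{agencyId}/proposals/{proposalId}) and a users/{uid} document carrying the caller's agencyId are assumptions:

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed layout: users/{uid} holds the agencyId the caller belongs to.
    function callerAgency() {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.agencyId;
    }
    // && short-circuits in rules, so callerAgency() is never evaluated for
    // anonymous requests.
    function isMember(agencyId) {
      return request.auth != null && callerAgency() == agencyId;
    }

    // Weak version (commented out): any signed-in user can read any proposal
    // whose path they know or guess.
    // match /agencies/{agencyId}/proposals/{proposalId} {
    //   allow read, write: if request.auth != null;
    // }

    // Per-agency isolation: the agencyId in the path must equal the caller's
    // agency, so a guessed document ID under another agency is denied.
    match /agencies/{agencyId}/proposals/{proposalId} {
      allow read, write: if isMember(agencyId);
    }

    // Anything not matched above is denied, which is Firestore's default.
  }
}
```

Two practitioner notes on this pattern: the get() call costs one document read per rule evaluation, and putting agencyId in a custom claim (set with the Admin SDK, read as request.auth.token.agencyId) avoids it; and security rules only govern traffic from the client SDKs, because the Firebase Admin SDK bypasses them, so server-side API routes that read Firestore must scope their own queries by the caller's agency.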
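To make the "~71 bits of entropy" claim concrete, here is an added example (not AgencyPitch's code) that generates a 12-character public ID the way nanoid-style generators do, computes the entropy for the 62- and 64-symbol alphabets, and estimates how long enumeration would take. It assumes Node.js 14.10 or later for crypto.randomInt; the live-proposal count and attacker request rate in report() are made-up inputs for the estimate:

```javascript
// Added example, not AgencyPitch's code: how a 12-character public proposal
// ID is generated and why its entropy makes enumeration infeasible.
// Assumes Node.js >= 14.10 (crypto.randomInt); run with `node publicId.js`.
const { randomInt } = require('crypto');

// nanoid's default alphabet is the 64-symbol URL-safe set below; dropping
// '_' and '-' leaves 62 symbols, which is what gives ~71 bits at 12 chars.
const ALPHABET_64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-';
const ALPHABET_62 = ALPHABET_64.slice(0, 62);

// randomInt(n) is uniform on [0, n) (Node rejection-samples internally), so
// there is no modulo bias and each position contributes log2(k) bits.
function generatePublicId(length = 12, alphabet = ALPHABET_62) {
  let id = '';
  for (let i = 0; i < length; i++) {
    id += alphabet[randomInt(alphabet.length)];
  }
  return id;
}

// Bits of entropy in a length-n ID over a k-symbol alphabet: n * log2(k).
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

// Expected random guesses before the first hit when `validIds` IDs are live
// in a space of 2^bits: (space + 1) / (validIds + 1) when guessing without
// replacement, which is ~space / validIds for any realistic count.
function expectedGuessesToFirstHit(bits, validIds) {
  return (Math.pow(2, bits) + 1) / (validIds + 1);
}

// Years of guessing at `guessesPerSecond` to reach the expected first hit.
function yearsAtRate(guesses, guessesPerSecond) {
  return guesses / guessesPerSecond / (365.25 * 24 * 3600);
}

// Cheap syntactic check for a route handler to run before touching the
// database: wrong length or a character outside the alphabet can be
// rejected with a 404 without spending a Firestore read.
function isWellFormedPublicId(id, length = 12, alphabet = ALPHABET_62) {
  if (typeof id !== 'string' || id.length !== length) return false;
  for (const ch of id) {
    if (!alphabet.includes(ch)) return false;
  }
  return true;
}

// Compare ID lengths against an assumed 1 million live proposals and an
// assumed attacker rate of 10,000 unauthenticated page requests per second.
function report(validIds = 1e6, guessesPerSecond = 1e4) {
  const rows = [];
  for (const length of [6, 8, 12]) {
    const bits = entropyBits(length, ALPHABET_62);
    const guesses = expectedGuessesToFirstHit(bits, validIds);
    rows.push({ length, bits: +bits.toFixed(1), years: yearsAtRate(guesses, guessesPerSecond) });
  }
  return rows;
}

if (require.main === module) {
  console.log('sample id:', generatePublicId());
  console.table(report());
}
```

With the assumed inputs, 6-character IDs fall in seconds and 8-character IDs in hours, while 12 characters over a 62-symbol alphabet take on the order of ten thousand years even with a million live proposals. The number of live IDs divides the attacker's work, which is why entropy should be sized against the expected population of links, not just against a single target.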
Infrastructure
- Hosting: Vercel (web app) + Railway (PDF microservice). Both are SOC 2 Type II compliant.
- Database: Google Firestore (us-central1). SOC 2 Type II + ISO 27001 + GDPR compliant.
- Storage: Firebase Storage with signed-URL access for non-public files.
- CDN: Vercel Edge Network with automatic DDoS protection.
AI provider security
Proposal content is processed by Anthropic Claude and Google Gemini for generation. Both providers contractually agree:
- Inputs are not used to train models.
- Inputs are not stored beyond what abuse monitoring requires (typically under 30 days) and are never retained for other purposes.
- SOC 2 compliance and equivalent enterprise security controls.
If you have stricter requirements, contact us about Enterprise plans, where we can route AI calls through your own provider account or private cloud deployment (bring your own key, BYOK).
Payments
We use Razorpay (PCI DSS Level 1) to process payments. Card numbers, CVVs, and full payment data are never stored on AgencyPitch servers — Razorpay handles the entire payment flow via their PCI-scoped environment.
Backups + disaster recovery
- Firestore: automated daily backups retained 30 days.
- Recovery point objective (RPO): 24 hours.
- Recovery time objective (RTO): 4 hours.
- Tested quarterly via partial restore drills.
Access controls
- Production database access is limited to a small set of named engineers.
- All access is logged and reviewed monthly.
- No production access on personal devices.
- Customer support staff don’t have direct database access — they request data via tooling that audits every read.
Incident response
If we detect or suspect a security incident:
- We isolate the affected systems immediately.
- We investigate root cause and impact.
- We notify affected customers within 72 hours of confirming personal-data exposure, in line with the GDPR and DPDP breach-notification windows.
- We publish a post-mortem on this page within 14 days.
Responsible disclosure
If you find a security vulnerability, email security@agencypitch.io. We respond within 24 hours, fix critical issues within 7 days, and publicly credit reporters who follow responsible disclosure (no public announcement until the fix is live).
We don't currently run a paid bug bounty, but we send swag and give public credit for valid reports.
Compliance roadmap
- SOC 2 Type I — targeting Q3 2026.
- ISO 27001 — under evaluation for late 2026.
- HIPAA / FedRAMP — not on roadmap; AgencyPitch is for marketing agencies, not health/government.
Need our security questionnaire (CAIQ, SIG, custom)? Email security@agencypitch.io. We have answers ready.