How we handle your data, who touches it, and how to reach us.
We are early-stage and we will not pretend to a SOC 2 certificate we do not yet hold. This page lays out the controls we run today, the sub-processors we depend on, and the security commitments we are comfortable making in writing.
Authentication & access
- Users authenticate with Clerk (email magic link, OAuth, or password). Clerk is SOC 2 Type II certified.
- API keys are issued from /settings/api-keys, shown once at creation, and stored at rest as a SHA-256 hash. We cannot recover a lost key.
- Every privileged action passes through a Bearer-token check in web/src/lib/api-auth.ts with rate limiting on the same path (see ADR-006).
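The hash-at-rest and Bearer-check bullets above, sketched as an added TypeScript example; it is not the contents of web/src/lib/api-auth.ts. The `key_` prefix, the limit of 3 requests per 60 seconds, the per-client fixed window, and the in-memory maps standing in for the database and rate-limit store are all assumptions.

```typescript
// Added illustration, not project code. All names and limits are hypothetical.
import { createHash, randomBytes } from "node:crypto";

// In-memory stand-ins for the database table and the rate-limit store.
const keyStore = new Map<string, string>(); // sha256(key) as hex -> userId
const windows = new Map<string, { start: number; count: number }>();
const LIMIT = 3;         // assumed: requests allowed per window, per client
const WINDOW_MS = 60000; // assumed: window length in milliseconds

function sha256Hex(value: string): string {
  return createHash("sha256").update(value, "utf8").digest("hex");
}

// 32 random bytes carry enough entropy that a fast unsalted hash is adequate
// here (a password would need a slow KDF). The plaintext is returned once and
// only the digest is kept, so a lost key can be replaced but never recovered.
function issueApiKey(userId: string): string {
  const plaintext = "key_" + randomBytes(32).toString("hex");
  keyStore.set(sha256Hex(plaintext), userId);
  return plaintext;
}

type AuthResult =
  | { ok: true; userId: string }
  | { ok: false; status: 401 | 429 };

function checkBearer(
  header: string | undefined,
  clientIp: string,
  now: number = Date.now()
): AuthResult {
  // Fixed-window counter per client, applied before the key lookup so that
  // requests carrying a wrong or missing key are throttled as well.
  const w = windows.get(clientIp);
  if (!w || now - w.start >= WINDOW_MS) {
    windows.set(clientIp, { start: now, count: 1 });
  } else if (++w.count > LIMIT) {
    return { ok: false, status: 429 };
  }
  if (!header || !header.startsWith("Bearer ")) {
    return { ok: false, status: 401 };
  }
  // Hash the presented key and look the digest up; no plaintext is compared.
  const userId = keyStore.get(sha256Hex(header.slice("Bearer ".length)));
  return userId ? { ok: true, userId } : { ok: false, status: 401 };
}
```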
Data we collect
- Account data. Email address, name, company profile, hashed API keys, billing identifiers from Stripe.
- Release data. Press release drafts, polished output, editorial scores and issues, distribution logs, webhook delivery logs.
- Operational telemetry. Sentry error and performance traces (no PII in tags by default), BetterStack uptime checks, structured logs (no API keys, no full request bodies for write paths).
Sub-processors
| Sub-processor | Purpose | Region / certification |
|---|---|---|
| Clerk | Authentication, session management | US (SOC 2 Type II) |
| Stripe | Payments, billing, checkout | US (PCI DSS Level 1) |
| Neon | Postgres database | US-East |
| Upstash | Rate-limit state (Redis REST) | US-East |
| Cloudflare R2 | Media file storage | Global, US-default |
| Google (Vertex / Gemini) | Editorial LLM provider | US (no training on customer data) |
| Sentry | Error and performance telemetry | US |
| BetterStack | Uptime monitoring + status page | EU |
| Railway | Application hosting | US-East |
| EIN Presswire | Wire syndication (downstream) | US |
We notify customers in writing before adding a new sub-processor that materially changes how customer data is handled.
Where data lives
- Primary application data: Neon Postgres, US-East region.
- Media uploads: Cloudflare R2, multi-region with US-default presentment.
- Backups: Neon point-in-time recovery (7-day window on the current plan).
Data retention & deletion
- Released press releases are intentionally permanent — they are archived publicly under /newsroom/{slug} and indexed by search engines and AI crawlers.
- Drafts, account data, and webhook logs are deleted within 30 days of an account-deletion request.
- Stripe transaction records are retained per Stripe's own policy and US tax-record requirements.
- To request export or deletion, email hello@pitchwire.ai with the subject line “DSAR”.
LLM provider data handling
Editorial polish and review call Google Gemini through the Google AI Studio API (LiteLLM-routed). We use the paid tier so that customer release content is not used for model training under Google's current terms; we recheck this commitment whenever Google updates its policy. We send only the release content needed for the requested operation; we do not pass API keys, billing identifiers, or end-user account metadata into LLM prompts.
Reporting a security issue
If you think you have found a vulnerability, email hello@pitchwire.ai with the subject line “Security report” and reproduction steps. We acknowledge within one business day and aim to ship a fix within 14 days for any issue we accept. We do not currently run a paid bug bounty. (Dedicated security@ and privacy@ aliases are on the roadmap.)