Security
Infrastructure
The Pitch2Retail platform runs on DigitalOcean's Toronto region, the same data centre used by Canadian government agencies and fintech companies. All app traffic is HTTPS-only via Caddy with auto-renewing TLS certificates. The database is NocoDB on a private VPC behind a firewall; there is no public database access.
Encryption
- In transit: TLS 1.3 between you and our servers; TLS between our servers and every sub-processor
- At rest: Database volume is encrypted (AES-256) at the DigitalOcean infrastructure layer
- Sensitive fields encrypted in DB: all OAuth tokens, Resend API keys, Apollo API keys, Shopify webhook secrets — encrypted via AES-256-GCM with a per-field IV
- Passwords: bcrypt hash, cost factor 10. We literally cannot read your password.
- Cards: never touch our servers. Stripe Checkout handles card capture in their PCI-DSS-compliant flow.
Access controls
Tenant isolation
Every API endpoint is scoped to a client_id derived from the JWT. You cannot read or modify another tenant's data, period.
Email masking
Verified contact emails are hidden in the UI (j****@thekeg.com) until you actually send to them — protecting the contact pool from extraction.
JWT auth
Sessions use HS256-signed JWTs with 7-day expiry. Logout is handled client-side (the token is discarded); we keep no server-side sessions.
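The two mechanisms above, tenant scoping by client_id and HS256 session tokens, as an added illustration written for this page (not Pitch2Retail's own code). It assumes a server-side HS256 secret, a `client_id` claim in the token, and a constructed in-memory contact store; it checks the algorithm, the signature and the 7-day expiry before any tenant data is read.

```python
import base64, hmac, hashlib, json

# Assumption: the HS256 signing key lives only on the server (constructed demo value).
SECRET = b"constructed-demo-secret-not-for-production"
SEVEN_DAYS = 7 * 24 * 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(client_id: str, now: int, ttl: int = SEVEN_DAYS) -> str:
    """Mint an HS256 JWT carrying the tenant's client_id and a 7-day exp."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"client_id": client_id, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int) -> dict:
    """Return the claims only if alg is HS256, the signature matches and exp is in the future."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # refuse 'none' and any other alg
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time comparison
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


# Constructed sample data: contact records for two tenants, keyed by client_id.
CONTACTS = {
    "tenant-a": [{"id": 1, "email": "j****@example.com"}],
    "tenant-b": [{"id": 2, "email": "m****@example.org"}],
}


def list_contacts(token: str, now: int) -> list:
    """Tenant-scoped read: client_id comes from the verified JWT, never from the request body."""
    client_id = verify_token(token, now)["client_id"]
    return CONTACTS.get(client_id, [])
```

A token whose payload is edited to name another tenant fails the signature check, and a token older than seven days fails the expiry check, so neither reaches the data lookup.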
Internal access
Only the founding team can access infrastructure. Production access requires SSH key + 2FA.
Compliance
CASL (Canadian Anti-Spam Legislation)
Every email sent through Pitch2Retail:
- Identifies the sender (your brand, your real address) — required by s.6(2)
- Includes a one-click unsubscribe link — required by s.6(2)(c)
- Sends only under B2B implied consent (s.10(9)) — only to business email addresses, only relevant to the recipient's role
- Recipients who unsubscribe are added to a permanent platform-wide suppression list — no future client can contact them
CAN-SPAM (US)
- Truthful "From" / "Reply-To" / "Subject" — your brand, no misleading framing
- Physical postal address required in every email footer (you provide yours during onboarding)
- Unsubscribe processed within 10 business days (we do it instantly)
GDPR / UK GDPR
- Lawful basis: legitimate interest (B2B sales) under Art. 6(1)(f), with mandatory unsubscribe
- Data Processing Agreement (DPA) available on request — email hello@pitch2retail.com
- Data subject rights honoured within 30 days (export, correction, deletion)
FDA / NHPD (supplements + health products)
Every pitch is auto-scanned by our compliance lint for banned health-claim phrases ("cures", "FDA approved", "treats anxiety", etc.). High-severity warnings block the send automatically. You set your brand category in Settings to apply the right rule pack.
Email deliverability protections
- Default rate limit: 200 sends/day/account (can be raised on Growth+ plans)
- Auto-pause if bounce rate exceeds 5%
- Suppression list is checked on every send (no exceptions)
- DKIM/SPF/DMARC auto-provisioning when you connect your own domain
- Sends go through your own connected email provider (Gmail / Outlook / your domain via Resend) — your IP, your reputation
Sub-processors
See the privacy page for the full list. All major sub-processors (Stripe, Anthropic, Resend) are SOC 2 Type II certified.
Reporting a vulnerability
If you find a security issue, please email security@pitch2retail.com with details. We respond within 48 hours and offer a bounty up to $500 CAD for valid reports.
Need a SOC 2 report or DPA? Email hello@pitch2retail.com — we handle these within 5 business days for paid plans.