European hosting, end-to-end encryption, GDPR compliance, listed subprocessors. Everything you need to know before trusting Pitchbase with your sales data.
Pitchbase is designed to keep user data inside the European Union. Here is the precise mapping.
Database + Auth
Supabase (PostgreSQL)
Europe region (eu-central-1). Automatic replication, daily 7-day backups, point-in-time recovery.
Application hosting
Render
Node.js Express + WebSocket service, automatic deployment from Git, integrated monitoring.
Audio files
Supabase Storage
Simulation recordings encrypted at rest. Per-user access enforcement (Row Level Security).
Transactional email
IONOS SMTP (Germany)
Servers based in Germany, native GDPR compliance. HMAC-signed unsubscribe links.
In transit
TLS 1.3 on every connection
Strict HTTPS (HSTS), WebSockets in wss://, automatically renewed certificates. No plaintext communication accepted.
At rest
AES-256 on database and files
Encryption managed by Supabase (disks + backups). Passwords: bcrypt with per-user salt (Supabase Auth).
Secrets and API keys
Render environment variables
No API key in source code. Production secrets are mandatory in NODE_ENV=production (server crash if missing).
Signed webhooks
Cryptographic verification
Stripe webhooks verified via mandatory HMAC signature. Unsubscribe tokens signed HMAC SHA-256.
Passwordless sign-in by default
Email magic link or Google OAuth via Supabase Auth. Pitchbase never stores passwords.
Server-side JWT sessions
All protected API routes verify the Supabase JWT. Voice WebSockets are authenticated via query token before HTTP upgrade.
Per-user isolation (anti-IDOR)
All resources (personas, deals, sessions, transcripts) filtered by user_id server-side. No cross-account leak possible.
Field whitelisting (anti-Mass Assignment)
Update routes use an explicit allowlist of writable fields. No arbitrary database writes via request body.
Multi-account and teams
For teams (retail segment, manager + reps), invitation by single-use code. Managers see team aggregates, never full transcripts without consent.
Pitchbase complies with the EU General Data Protection Regulation 2016/679. Here is how.
Roles: Pitchbase acts as data controller for individual accounts (you manage your own data) and as data processor for team subscriptions (your company stays the controller). A Data Processing Agreement (DPA) is available on request for teams.
Legal bases: contract performance (account creation, simulations), legitimate interest (anonymized analytics), explicit consent (marketing emails).
Your rights: access, rectification, deletion, portability, objection, restriction. Exercise them by emailing hello@pitchbase.app. Reply within 30 days, in practice within 7 business days.
Account deletion: from your Account page, or by email. Effective deletion within 7 days (database + backups purge), unless legal retention applies (billing: 10 years).
Breach notification: in the event of a data breach affecting your personal information, you will be notified by email within 72 hours, in line with GDPR Article 34.
Pitchbase relies on technical subprocessors for generative AI and voice processing. None of them uses your data to train their models.
| Subprocessor | Role | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, auth, storage | EU (Frankfurt) | Signed DPA, ISO 27001, SOC 2 |
| Render | Application hosting | EU / US | DPA, SOC 2 Type II |
| OpenAI | LLM (AI reasoning) | US | Zero-retention API, no training |
| Deepgram | Speech recognition (STT) | US | Ephemeral processing, no audio storage |
| Cartesia | Voice synthesis (TTS) | US | No training on generated outputs |
| Stripe | Payment | EU (Ireland) / US | PCI DSS Level 1, BCR validated by CNIL |
| IONOS | Transactional email | EU (Germany) | BSI C5-certified hoster |
| Google (Analytics, Ads) | Audience measurement | US | IP anonymized, Consent Mode v2 compliant |
Transfers to US-based subprocessors rely on the European Commission's Standard Contractual Clauses (SCC 2021), supplemented by the EU-US Data Privacy Framework when certification is in place.
Personas, deals, transcripts: kept while your account is active. You can delete each resource individually at any time from the interface.
Audio recordings: optional (Pro and Elite plans only). Individual deletion supported. Automatic deletion 90 days after subscription ends.
Technical logs: kept 30 days for debugging and security, then anonymized.
Billing data: kept 10 years (French legal requirement).
Account deletion: full purge of personal and production data within 7 days, backups within 30 days. Email confirmation sent.
HTTP headers
Helmet (CSP, HSTS, X-Frame)
Strict Content Security Policy (explicit CDN allowlist). Forced HSTS. X-Frame-Options DENY (clickjacking protection).
Rate limiting
3 levels by sensitivity
Global 100 req/15min, sensitive (payment, email, contact) 20 req/15min, expensive (AI) 10 req/15min.
Anti-XSS
Systematic HTML escaping
All dynamic content runs through a client-side escaper before DOM insertion. No uncontrolled HTML injection.
Upload validation
MIME type + ownership check
Audio uploads only (MIME audio/*), session UUID validation, user_id check, path traversal protection.
Strict CORS
Production: pitchbase.app only
In NODE_ENV=production, only pitchbase.app and www.pitchbase.app are allowed to call the API.
Updates
Weekly npm audit
CVE monitoring (npm audit + GitHub Dependabot), security patches applied within 72 hours for CVSS above 7.
If you discover a security flaw in Pitchbase, please report it privately before any public disclosure. We commit to:
Contact: hello@pitchbase.app (subject "Security vulnerability").
Page last updated: April 2026.
Data hosted in Europe, GDPR-native, end-to-end encryption. Free plan, 3 simulations per month, no credit card required.
Start freeOr book a demo for teams.