Trust & Security
Built for high-stakes documents
PitchStation handles investor decks, board materials, and filing-derived content. Here's exactly how access, identity, data, and AI processing work — including what we don't do yet.
✓ available today · ◷ on the roadmap
🔑Access control
- Three access modes — public link, signed-in accounts only, or named recipients with individual magic links.
- Per-document allowlists — restrict an account-mode share to specific usernames.
- Passwords — optional per share, hashed with bcrypt; never stored in plaintext.
- Expiry & view caps — links can auto-expire by date or after N opens.
- Instant revocation — kill any link immediately; forwarded copies die with it.
🪪Viewer identity & provenance
- Optional or required identity gate — ask viewers who they are before they read.
- Verified vs. unverified — signed-in viewers are captured as verified identity; self-reported names are clearly marked unverified everywhere they appear.
- Watermarking — stamp the viewer's identity and a timestamp across the document.
- Controlled forwarding — when you allow it, viewers forward with their own tracked link that inherits your password/expiry and rolls up to your analytics; revoking yours revokes the whole chain. Provenance ("shared by you · forwarded by X") travels with the document.
📝Version control
- Three deliberate update actions — replace silently (typo fixes), replace & announce (returning viewers get an "updated since you read it" banner), or revoke & reissue (the old version goes dead, with an optional withdrawn notice).
- Version-aware analytics — see who has and hasn't seen the latest revision.
- Superseded versions are archived for owner reference.
🔐Account security
- Two-factor authentication — TOTP with QR enrolment and one-time recovery codes.
- Session revocation — changing a password or disabling an account invalidates all existing sessions immediately.
- Brute-force protection — per-user lockout on repeated failures; rate limiting on auth and unlock endpoints.
- Social sign-in — Google/GitHub/Apple via Firebase, with an optional email-domain allowlist.
- Personal access tokens for API/automation, hashed (SHA-256) at rest and individually revocable.
🧾Auditing
- Per-open log — time, viewer, language, and device for every document open.
- Auth event log — logins, failures, lockouts, password changes, 2FA resets, and admin actions on users.
- Access log — authenticated API activity across the instance.
- Admin console — user management with self-protection, 2FA reset for locked-out users, and cleanup (tokens + links revoked) on account deletion.
🗄️Data & AI processing
- Self-hostable — run the entire platform on your own infrastructure (Docker); your documents and database stay on your disk.
- Source material — when you generate from a repo or path, files are read to produce the document; generated output is stored under your control, not the source tree.
- AI providers — generation and on-demand translation send content to the configured AI provider (OpenAI, Anthropic, or Google) to produce the result. Choose your provider; translations are cached so a document is processed once per language.
- Public-company materials — filing-derived drafts are AI-generated and intended for human review before distribution; they are not a substitute for counsel or official filings.
🛡️Transport & hardening
- TLS in production via a reverse proxy; HSTS enabled.
- Content Security Policy, CORS allowlist, input validation, and path-traversal protection.
- Shared documents are served with a tightened CSP and a no-store cache policy.
◷On the roadmap
- SOC 2 — not yet certified; controls are being aligned toward it.
- Enterprise SSO (SAML/SCIM) beyond the current Firebase social sign-in.
- Published data-retention & subprocessor policy with formal DPA.
- Viewer-facing tracking disclosure for GDPR/CCPA contexts.
Honest status. PitchStation is an early-stage platform. The controls above are live today; the roadmap items are not. If you have a specific security or compliance requirement, ask us directly rather than assuming — we'd rather tell you "not yet" than imply otherwise.
Platform administrators cannot open your documents by role alone. Content access requires a grant that you approve: an operator files a request with a written reason, you approve (24-hour expiry) or decline on your profile page, and every open under a grant is logged and emailed to you in real time. You can revoke an active grant at any moment, and your profile shows the complete access log — if it's empty, no operator has ever looked. Deploy credentials (your VPS keys) have no operator path at all. For your most sensitive documents, sealed shares encrypt in your browser before upload — the decryption key travels only in the link fragment, which never reaches our servers: we store ciphertext we mathematically cannot read.