Security Practices
Last updated: April 9, 2026
Sales Blitz is built for enterprise sales teams who work with sensitive deal data every day. We treat your research, prospect intelligence, and meeting recordings with the same care you would.
Compliance Status
| Standard | Status |
|---|---|
| SOC 2 Type II | In Progress |
| GDPR | Compliant |
| CCPA / CPRA | Compliant |
| Penetration Testing | Scheduled |
For security questionnaires, DPA requests, or our SOC 2 readiness letter, contact security@salesblitz.ai.
1. Data Encryption
In Transit
All data transmitted between your browser and Sales Blitz is encrypted using TLS 1.2 or higher. This includes API calls, file uploads, WebSocket connections for Practice Blitz, and webhook payloads. We enforce HTTPS across all endpoints with HSTS headers.
At Rest
All data stored in our database (Supabase, powered by AWS) is encrypted at rest using AES-256. This covers user profiles, research data, generated assets, meeting transcripts, and vector embeddings. Backup volumes are encrypted with the same standard.
2. Authentication & Access Control
User authentication is handled by Clerk, an enterprise identity provider. Clerk supports multi-factor authentication (MFA), which we encourage all users to enable. Session tokens are short-lived and rotated automatically.
On the infrastructure side, access to production systems is restricted to the founding team. All API endpoints require authentication. Internal service-to-service communication uses signed API keys with rate limiting and spend controls.
3. Infrastructure
| Component | Provider | Region |
|---|---|---|
| Web Application | Vercel | US (Edge, multi-region) |
| Worker Service | Railway | US-West |
| Database & Storage | Supabase (AWS) | US-East-1 |
| Authentication | Clerk | US |
| Payments | Stripe | US (PCI DSS Level 1) |
All infrastructure providers maintain their own SOC 2 Type II certifications. Supabase is SOC 2 Type II and HIPAA compliant. Vercel is SOC 2 Type II certified. Clerk is SOC 2 Type II certified. Stripe is PCI DSS Level 1 certified.
4. Application Security
- Content Security Policy (CSP): Enforced across all pages with strict source allowlists. Prevents XSS and code injection.
- Security Headers: HSTS, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin).
- Rate Limiting: All API endpoints are rate-limited. Webhook endpoints have additional per-key rate limits and spend controls.
- Input Validation: All user inputs are validated and sanitized server-side before processing.
- Dependency Management: Dependencies are monitored for known vulnerabilities. Security patches are applied promptly.
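The header set listed above, as an added example in Node.js that is not Sales Blitz code: one function emits the stated policy (CSP with a strict source allowlist, HSTS, X-Frame-Options DENY, nosniff, strict-origin-when-cross-origin) and a second audits any response's headers against it, which is the check a reviewer runs against a live endpoint. The CSP allowlist origins, the one-year HSTS minimum and the sample headers are assumptions, not values from the page.

```javascript
// Added example (not Sales Blitz code). Emits the header policy described in
// section 4 and audits a set of response headers against it.
const ONE_YEAR_SECONDS = 31536000; // minimum HSTS max-age used by the audit (assumption)

// Build the header set. `scriptOrigins` are the allowlisted script hosts (placeholders).
function securityHeaders({ scriptOrigins = [] } = {}) {
  const scriptSrc = ["'self'", ...scriptOrigins].join(' ');
  return {
    'content-security-policy':
      `default-src 'self'; script-src ${scriptSrc}; object-src 'none'; frame-ancestors 'none'`,
    'strict-transport-security': `max-age=${ONE_YEAR_SECONDS}; includeSubDomains`,
    'x-frame-options': 'DENY',
    'x-content-type-options': 'nosniff',
    'referrer-policy': 'strict-origin-when-cross-origin',
  };
}

// Parse a CSP string into { directive: [sources...] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Return a list of findings; an empty list means the headers match the stated policy.
// Header names are matched case-insensitively, as HTTP requires.
function auditHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const findings = [];

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const d = parseCsp(csp);
    // script-src falls back to default-src when absent, so audit the effective list.
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    if (scriptSrc.includes('*')) findings.push("CSP script-src allows '*'");
    for (const weak of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (scriptSrc.includes(weak)) findings.push(`CSP script-src allows ${weak}`);
    }
  }

  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!maxAge) findings.push('missing or malformed Strict-Transport-Security');
  else if (Number(maxAge[1]) < ONE_YEAR_SECONDS) findings.push('HSTS max-age below one year');

  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') {
    findings.push('X-Frame-Options is not DENY');
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }
  if (h['referrer-policy'] !== 'strict-origin-when-cross-origin') {
    findings.push('Referrer-Policy is not strict-origin-when-cross-origin');
  }
  return findings;
}
```

Running `auditHeaders` over the headers returned by a real response (for example from `fetch(url).then(r => Object.fromEntries(r.headers))`) gives a concrete list of gaps rather than a yes/no, which is what a security questionnaire reviewer usually asks for.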
5. AI Data Handling
Sales Blitz uses AI models from Anthropic (Claude), OpenAI (Whisper, TTS), Google (Gemini embeddings & Flash Live), and HeyGen (LiveAvatar) to power research, transcription, asset generation, practice simulations, discovery calls, and post-call intelligence. All AI API calls are made server-side, never from the client browser.
None of your data is used to train AI models. All AI providers are accessed via their commercial APIs, which contractually prohibit using customer data for model training.
- Anthropic (Claude): Generates research, playbooks, coaching analysis, and meeting intelligence. Zero-retention API; inputs are not logged or stored by Anthropic.
- OpenAI (Whisper & TTS): Transcribes meeting audio & synthesizes voice for Sage. Zero-retention API; audio data is not stored after processing.
- Google (Gemini): Generates text embeddings for semantic search & live voice processing for Practice Blitz. Data processed per Google Cloud's enterprise terms.
- HeyGen (LiveAvatar): Renders AI avatar video for Practice Blitz, Sage Discovery, & AI assist mode voice responses. All API calls route through our server-side proxy to protect credentials.
Meeting Bot Security
Sales Blitz offers an AI meeting bot (powered by Recall.ai) that joins Zoom, Google Meet, and Microsoft Teams meetings as a visible participant to record and transcribe. Key security properties:
- No raw audio storage: Recall.ai processes meeting audio server-side. Sales Blitz receives only the structured transcript, never raw audio files.
- Server-side API calls: All Recall.ai API communication uses token-based authentication from server-side routes. The API key is never exposed to the client browser.
- Webhook validation: Recall.ai lifecycle events are validated against existing meeting records in our database. Unknown bot IDs are rejected.
- Visible participant: The bot name varies by mode: "Sales Blitz Notetaker" for record-only, "Sage — Sales Blitz" for AI assist and Sage-led modes. In all modes, the bot is a visible participant. Sales Blitz does not support undisclosed AI participation in meetings.
- Post-call intelligence: After transcription, a second AI analysis pass generates follow-up email drafts, deal qualification insights, and conversation pattern analysis. All processing is server-side via Anthropic Claude.
- Audio intelligence: After post-call analysis, meeting audio is processed by AssemblyAI for speaker identification, entity detection, and text-based sentiment analysis. Audio is processed server-side by AssemblyAI per their data retention policies. Results are stored as structured data (not raw audio) in your account.
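The webhook check described in the "Webhook validation" bullet, as an added example in Node.js that is not Sales Blitz or Recall.ai code: a lifecycle event is accepted only when its bot ID matches a meeting record that this system created, and unknown bot IDs, malformed payloads and unexpected event types are all rejected without touching state. The event type names, payload shape, bot IDs and the in-memory meeting store are constructed placeholders, not Recall.ai's actual schema.

```javascript
// Added example (not Sales Blitz or Recall.ai code). Validates a meeting-bot
// lifecycle webhook against the meeting records we created when dispatching bots.

// Stand-in for the meetings table: bot_id -> record (constructed sample data).
const knownMeetings = new Map([
  ['bot_7f3a', { meetingId: 'mtg_001', accountId: 'acct_42', status: 'joining' }],
  ['bot_91c0', { meetingId: 'mtg_002', accountId: 'acct_42', status: 'recording' }],
]);

// Event types we expect and the meeting status each one maps to (placeholder names).
const EVENT_TO_STATUS = {
  'bot.joining': 'joining',
  'bot.in_call_recording': 'recording',
  'bot.done': 'done',
  'bot.fatal': 'failed',
};

// Validate without throwing so the route can answer 4xx and log the reason.
function validateLifecycleEvent(event) {
  if (!event || typeof event !== 'object') return { ok: false, reason: 'malformed payload' };
  const botId = event.data && event.data.bot_id;
  if (typeof botId !== 'string' || botId.length === 0) return { ok: false, reason: 'missing bot_id' };
  if (!Object.prototype.hasOwnProperty.call(EVENT_TO_STATUS, event.event)) {
    return { ok: false, reason: `unexpected event type ${event.event}` };
  }
  // The core check from the page: only bots we dispatched may drive meeting state.
  const record = knownMeetings.get(botId);
  if (!record) return { ok: false, reason: 'unknown bot_id' };
  return { ok: true, record };
}

// Route handler: apply the event to the meeting record, or reject it unchanged.
function handleLifecycleEvent(event) {
  const result = validateLifecycleEvent(event);
  if (!result.ok) return { status: 400, body: { error: result.reason } };
  const nextStatus = EVENT_TO_STATUS[event.event];
  result.record.status = nextStatus;
  return { status: 200, body: { meetingId: result.record.meetingId, status: nextStatus } };
}
```

Rejections are logged with the reason but not acted on; a burst of `unknown bot_id` rejections is worth alerting on, since a legitimate integration should never produce them.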
Sage Discovery Calls
Sage can join meetings as an AI participant that conducts discovery, follow-up, demo, or closing conversations. Security properties specific to Sage Discovery:
- Per-meeting mode selection: Each Sage call supports three modes: sage_led (Sage runs the entire call), assisted (human rep leads, Sage provides real-time coaching & optional voice responses), and record_only (recording & transcription without live AI participation). Users select the mode before each call.
- Voice trigger capability: In assisted mode, Sage responds to real-time voice triggers from the rep without interrupting the conversation flow. Voice synthesis uses OpenAI TTS & HeyGen LiveAvatar for avatar lip-sync.
- Real-time processing: Conversation audio is streamed via Recall.ai to our servers for speech-to-text (via Gemini Flash Live or OpenAI Whisper), then processed by Anthropic Claude for response generation. No raw audio is stored on Sales Blitz servers.
- Session-based auth: The Sage render page (which runs in Recall.ai's headless browser) authenticates via session ID, not user credentials. Session IDs are single-use and expire after the call ends.
- Server-side proxy: All LiveAvatar API calls route through our server-side proxy to prevent API key exposure. The LiveAvatar API key is never sent to the client.
- Post-call intelligence: After each call, Sage generates scores, follow-up drafts, and deal intelligence via LangGraph state graphs. All processing is server-side. Results are stored in your account and accumulated into prospect intelligence for future calls.
Proposal & IO Pipeline
Sales Blitz generates proposals and insertion orders after qualifying Sage calls. Security measures for this pipeline:
- Consent-gated: Proposals are never generated without explicit consent via a three-checkbox gate in Company Settings. Consent is timestamped and auditable.
- Approval-before-send: All generated documents require explicit user approval before delivery. Users can review, edit, and reject any generated document.
- OAuth token isolation: DocuSign and PandaDoc OAuth tokens are encrypted at rest (AES-256), stored per-user in isolated database rows with row-level security, and refreshed automatically. Revoked tokens are deleted immediately.
- Built-in signing pages: When using the built-in delivery path, signing pages are accessed via single-use, cryptographically random tokens. Signing captures IP address, timestamp, and user agent for audit purposes.
- Cover email security: Proposal cover emails are sent via the user's own Gmail OAuth connection, not from Sales Blitz infrastructure. Email content is stored in the user's account for audit.
6. Data Retention & Deletion
| Data Type | Retention | Deletion |
|---|---|---|
| Account & profile data | While account is active | 30 days after account deletion |
| Research & generated assets | Until user deletes | On-demand via app |
| Raw meeting audio (meeting bot) | Never stored on our servers | Processed by Recall.ai & AssemblyAI; transcript returned |
| Meeting transcripts | Configurable (default 90 days) | Automatic via scheduled job (daily at 3am UTC) |
| Post-call intelligence | Until user deletes recording | On-demand via app |
| Coaching scores & analysis | Until user deletes | On-demand via app |
| Usage & application logs | 90 days | Automatic rotation |
| Proposals & insertion orders | Until user deletes | On-demand via app |
| Signing page records | Until associated IO is deleted | Deleted with parent IO |
| DocuSign/PandaDoc OAuth tokens | While integration is connected | Deleted on disconnect or account deletion |
| Sage discovery transcripts | Until user deletes session | On-demand via app |
Users can request a full data export or account deletion at any time by contacting security@salesblitz.ai. Deletion requests are processed within 30 days.
7. Incident Response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting customer data, we will notify affected users within 72 hours per GDPR requirements and applicable state breach notification laws.
To report a security vulnerability, contact security@salesblitz.ai. We take all reports seriously and will acknowledge receipt within 24 hours.
8. Sub-Processors
The following third-party services process data on behalf of Sales Blitz. Each maintains security certifications appropriate to their role. A complete sub-processor list with data categories and geographic locations is available in our Data Processing Agreement.
| Sub-Processor | Purpose | Data Processed |
|---|---|---|
| Supabase (AWS) | Database & storage | All application data |
| Anthropic | AI research & generation | Company/contact info, user prompts |
| OpenAI | Audio transcription, TTS | Meeting audio, text for speech |
| Google (Gemini) | Text embeddings | Research text for vector search |
| Clerk | Authentication | Email, name, auth credentials |
| Stripe | Payment processing | Payment method, billing info |
| Vercel | Application hosting | HTTP requests, session data |
| Railway | Worker service hosting | Processing queues, API calls |
| Resend | Transactional email | Email addresses, notification content |
| HeyGen (LiveAvatar) | Practice Blitz & Sage video avatar, voice responses | Text for lip-sync (no PII), voice synthesis input |
| Apollo.io | Contact data enrichment | Company/contact lookup queries |
| Brave Search | Web research | Search queries (company/industry terms) |
| Cloudflare | DNS & DDoS protection | Domain routing, traffic analytics |
| Langfuse | AI observability & tracing | LLM call metadata (tokens, latency, cost) |
| Recall.ai | Meeting bot infrastructure | Meeting URL, meeting audio (processed, not retained), transcript |
| AssemblyAI | Audio transcription & intelligence | Meeting audio (processed server-side), transcript, speaker labels, entities |
| DocuSign | E-signature | Document content, signer names and emails |
| PandaDoc | Document creation & e-signature | Document content, signer details, company info |
| Instantly.ai | Email sending and warm-up (Sage campaigns) | Prospect emails, campaign metadata |
| Cal.com | Meeting booking (Sage campaigns) | Prospect email, booking confirmation |
9. Business Continuity
Database backups run automatically via Supabase's managed backup infrastructure (daily point-in-time recovery, 7-day retention). Application code is version-controlled in GitHub with branch protection. Deployments are automated via CI/CD with rollback capability.
10. Employee Security
Sales Blitz is currently a founder-led company. Access to production systems, databases, and third-party service consoles is limited to the founder. As the team grows, we will implement role-based access controls, background checks for all employees with production access, and mandatory security awareness training.
Questions?
For security inquiries, DPA requests, or to submit a completed security questionnaire, contact security@salesblitz.ai.