Trust & Security Center

Security your team can verify, not just trust

Revenue Growth Agent processes your sales data, your sales-call transcripts, the content your team uploads, and (for customers who connect one) your CRM. Here are answers to the questions your security, IT, and compliance teams ask during a review: how we authenticate, isolate, encrypt, and handle that data.

At a glance

Authenticated end-to-end. Every API route requires a valid token; there are no unauthenticated data endpoints.
Multi-tenant isolation on every data endpoint, gated by a verified organization identifier.
AES-256-GCM at rest for stored CRM credentials, with the master key separated from the ciphertext across two systems.
Your data never trains AI models. Providers used via API under no-training terms.
OWASP ZAP scanned with zero high- or medium-severity findings.
90-day retention, US-based processing (with SCCs for non-US users), GDPR processor with a DPA available on request.

1. The web app: how RGA secures your users and data

RGA is primarily a web application. Your team logs in, prepares for meetings, runs discovery sessions, and generates proposals there. Here's how that surface is secured.

User authentication

Web app login is handled by Clerk, which issues a short-lived JWT. The browser sends that token on every API request via an Authorization: Bearer header, and an authentication middleware verifies it on the server before any handler runs. There is no session-replay path that bypasses the token check.

Multi-tenant isolation

RGA serves many organizations from one platform, and isolation is enforced at the data-endpoint level — not at the application boundary alone.

  • Every authenticated request carries a verified organization identifier from Clerk.
  • Every data endpoint resolves that identifier to the caller's client record, then re-checks that any resource being accessed belongs to that organization before returning or modifying it. We call this pattern resource access verification, and it is wrapped around every read and write.
  • Cached data (CRM access tokens, prospect enrichment) is keyed per organization with a short expiry, so a cache hit can never serve another tenant's data by accident.
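
A minimal sketch of the resource access verification pattern and the per-organization cache described above. It is an added illustration, not RGA's code: the function names, record shapes, the 403/404 choices, and the in-memory stores are assumptions, and the sample records are constructed.

```javascript
// Added illustration, not RGA code. All names and records are hypothetical/constructed.
// Assumption: auth.orgId was taken from the verified token, never from the request body.
const clientsByOrg = new Map([['org_A', { clientId: 'c1' }], ['org_B', { clientId: 'c2' }]]);
const prepRecords = new Map([
  ['rec1', { clientId: 'c1', title: 'Prep: constructed prospect 1' }],
  ['rec2', { clientId: 'c2', title: 'Prep: constructed prospect 2' }],
]);

class AccessError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Wrap a handler so ownership is re-checked on every read and write.
function withResourceAccess(handler) {
  return (auth, resourceId, ...args) => {
    const client = clientsByOrg.get(auth && auth.orgId);
    if (!client) throw new AccessError(403, 'organization not recognized');
    const resource = prepRecords.get(resourceId);
    // Design choice in this example: a foreign record looks the same as a missing one,
    // so a caller cannot probe which IDs exist in other tenants.
    if (!resource || resource.clientId !== client.clientId) {
      throw new AccessError(404, 'not found');
    }
    return handler(client, resource, ...args);
  };
}

// Cache keyed by (orgId, name) with a short expiry; the org is part of every key.
class TenantCache {
  constructor(ttlMs, now = Date.now) { this.ttlMs = ttlMs; this.now = now; this.map = new Map(); }
  key(orgId, name) { return JSON.stringify([orgId, name]); }
  set(orgId, name, value) {
    this.map.set(this.key(orgId, name), { value, expires: this.now() + this.ttlMs });
  }
  get(orgId, name) {
    const k = this.key(orgId, name);
    const hit = this.map.get(k);
    if (!hit || hit.expires <= this.now()) { this.map.delete(k); return undefined; }
    return hit.value;
  }
}

const readPrep = withResourceAccess((client, record) => record.title);
const renamePrep = withResourceAccess((client, record, title) => {
  record.title = title;
  return record;
});
```

Because the check lives in the wrapper rather than in each handler, a new endpoint cannot skip it without visibly bypassing `withResourceAccess`.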

What data the web app processes, by feature

| Feature | What it processes | Where it's stored |
|---|---|---|
| Meeting Prepper | Prospect business-contact fields (name, email, phone, company, title, website, industry, company size, optional LinkedIn) plus publicly sourced research | Structured prep record in Airtable; generated .docx and .html briefing artifacts in Vercel Blob; auto-expiring enrichment cache in Vercel KV |
| Discovery (transcripts) | Sales-call transcript files customers upload, plus the MEDDIC scoring and theme analysis derived from them | Transcript files in Vercel Blob; structured analysis in Airtable |
| Proposals — knowledge base | Customer-uploaded content (collateral, case studies, methodology docs) used as retrieval context | Source files in Vercel Blob; vector embeddings in Pinecone |
| Proposals — generated output | The proposal generated for the customer to send | Returned to the user as a downloadable document; the structured proposal record is stored in Airtable |
| Account & users | Login identity, organization, role, billing contact | Clerk (identity); Airtable (organization + user records); Stripe (billing) |

How transcripts and uploaded content are handled

  • File type and size validated server-side, with limits sized to each upload surface:

    | Upload surface | Accepted types | Max size |
    |---|---|---|
    | Knowledge-base content (Proposals) | PDF, DOCX, PPTX | 50 MB |
    | Discovery transcripts | PDF / DOCX / plain text | Up to 25 MB (PDF); 15 MB (DOCX); 10 MB (text) |
    | Organization logos | PNG / JPG / SVG | 2 MB |

  • Stored in Vercel Blob under per-tenant paths, with each file's URL bound to the owning organization. Cross-tenant URL guessing fails the access check.
  • Analyzed by Anthropic Claude via a Railway-hosted analysis service. Transcripts are sent in prompts; structured results (MEDDIC scores, themes) are written back to Airtable. Submitted content is not used to train AI models.
  • 90-day retention. Transcripts and uploaded knowledge-base content follow the same uniform retention as everything else: 90 days after subscription cancellation, then permanently deleted. Earlier deletion on request.

Standing platform controls

Independent security testing. Automated OWASP ZAP scanning with zero high- or medium-severity findings.
Injection prevention. All database query inputs are sanitized.
Rate limiting on authentication, API, and upload paths.
Security headers: Content-Security-Policy, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
Error sanitization. Client-facing errors carry no stack traces, file paths, or personal data.
Webhook security. All third-party webhooks are proxied through authenticated backend routes.

2. Encryption: how sensitive data stays protected

In transit and at rest, with the most important control — key separation — called out explicitly.

In transit

HTTPS/TLS everywhere. Credential submissions (CRM private keys, third-party API tokens) use TLS 1.3.

At rest: AES-256-GCM with key separation, for stored CRM credentials

RGA holds two categories of long-lived credentials on a customer's behalf: the Salesforce integration private key (when a customer connects Salesforce) and the HubSpot OAuth access and refresh tokens (when a customer connects HubSpot). Both are encrypted with application-layer AES-256-GCM on top of the platform providers' own at-rest encryption. Other customer data — CRM records, transcripts, uploaded content, account information — is protected by the managed platforms' standard at-rest encryption (Airtable, Vercel Blob, Upstash) plus the authentication and multi-tenant isolation described in section 1.

The application-layer encryption matters because the control underneath it — key separation — is what protects you in a worst-case partial breach: the ciphertext and the master key live in different systems, on purpose.

| Property | Value | Why it matters |
|---|---|---|
| Algorithm | AES-256-GCM (NIST SP 800-38D) | Confidentiality and integrity |
| Key length | 256 bits | Brute force is infeasible |
| Initialization vector | 96 bits, random per encryption | Same plaintext never yields the same ciphertext |
| Authentication tag | 128 bits, verified on decrypt | Any tampering fails decryption |
| Format | Versioned (v1:<iv>:<ct>:<tag>) | Future algorithm migration without breakage |

| Component | Where it lives | What you'd get by compromising it alone |
|---|---|---|
| Encrypted CRM credentials (ciphertext) | RGA's database (Airtable) | Opaque ciphertext. Useless. |
| Master encryption key | RGA's serverless platform environment (separate system) | A key with no data to decrypt |

An attacker would have to compromise both systems to recover a single plaintext CRM credential.

Key management and rotation

  • Secrets are stored in the platform environment, never in source code, scoped to least privilege.
  • Rotated promptly in response to any suspected exposure.
  • The master encryption key can be rotated without service disruption — the versioned ciphertext format supports rotation.
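
The versioned AES-256-GCM format and the rotation property described above, as an added Node.js example that is not RGA's code. Assumptions not stated on the page: the fields are base64-encoded, the version label selects a key from a keyring, and all function names are hypothetical.

```javascript
// Added example of a v1:<iv>:<ct>:<tag> envelope; not RGA's implementation.
// Assumptions: base64 field encoding, and a keyring (Map) from version label to 32-byte key.
const crypto = require('node:crypto');

const IV_BYTES = 12;  // 96-bit IV, fresh random value for every encryption
const TAG_BYTES = 16; // 128-bit authentication tag

function encryptCredential(plaintext, version, keyring) {
  const key = keyring.get(version);
  if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error(`no 256-bit key for ${version}`);
  const iv = crypto.randomBytes(IV_BYTES);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const fields = [iv, ct, cipher.getAuthTag()].map((b) => b.toString('base64'));
  return [version, ...fields].join(':'); // base64 never contains ':'
}

function decryptCredential(envelope, keyring) {
  const parts = envelope.split(':');
  if (parts.length !== 4) throw new Error('malformed envelope');
  const [version, ivB64, ctB64, tagB64] = parts;
  const key = keyring.get(version);
  if (!Buffer.isBuffer(key)) throw new Error(`unknown key version ${version}`);
  const iv = Buffer.from(ivB64, 'base64');
  const tag = Buffer.from(tagB64, 'base64');
  if (iv.length !== IV_BYTES || tag.length !== TAG_BYTES) throw new Error('bad iv or tag length');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES });
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify, so tampered data never yields plaintext.
  const pt = Buffer.concat([decipher.update(Buffer.from(ctB64, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Rotation: decrypt under the version the record carries, re-encrypt under the new one.
// Old and new keys coexist in the keyring, so records can be migrated one at a time.
function rotateCredential(envelope, newVersion, keyring) {
  if (envelope.startsWith(`${newVersion}:`)) return envelope;
  return encryptCredential(decryptCredential(envelope, keyring), newVersion, keyring);
}
```

In a deployment following the key-separation model, the keyring would be built from platform environment secrets while the envelope string is the only value written to the database.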

3. AI providers: what they see, and what they don't

RGA uses third-party AI providers via API to do the work the product promises. The full sub-processor list is published at /sub-processors; here are the points that matter for a security review.

Anthropic (Claude)

Generates meeting prep, discovery analysis, and proposals. Used via API under terms that prohibit training on submitted data.

OpenAI

Generates vector embeddings of uploaded knowledge-base content. Used via API under terms that prohibit training on submitted data.

Pinecone

Stores the embeddings (not the source text) used for retrieval in the Proposals knowledge base.

Configuration evidence for the no-training terms is available on request. Embeddings are derived numerical representations, not the original content; the source files remain in Vercel Blob under RGA's encryption boundary.

4. CRM integrations: optional, customer-owned, revocable

Customers can connect RGA to their CRM — Salesforce or HubSpot — to read records and write back prep, discovery, and proposal results. The connection is always customer-created, customer-owned, and revocable in one click from the customer's side. RGA never stores a credential that the customer can't kill.

For Salesforce

  • OAuth 2.0 JWT-Bearer against an External Client App you create in your own org. Certificate-signed, no shared client secret and no long-lived refresh token.
  • The private key is encrypted with AES-256-GCM under the same key-separation model described above; no API path returns it in plaintext to anyone, including the admin who entered it.
  • Org-ownership is proven before credentials are stored: RGA exchanges the submitted key for an access token against Salesforce and verifies the returned org ID matches the connecting admin's claim. Mismatched or invalid keys are rejected on the spot.
  • The Lightning Web Component is an iframe served from RGA's domain, isolated from the Salesforce page by the browser's Same-Origin Policy. XSS on the Lightning page cannot reach the credential form, and vice versa.
  • Only a Salesforce administrator can connect or change the connection; admin status is computed inside your org and re-enforced server-side by RGA.

Read the full Salesforce security architecture →   Or see the long-form CISO's technical guide.

For HubSpot

  • Standard HubSpot OAuth. The customer authorizes RGA against the HubSpot account, and HubSpot manages token issuance and revocation.
  • No private key to encrypt — HubSpot OAuth doesn't use one. Access tokens are scoped to the connection the customer authorized and can be revoked from HubSpot's Connected Apps screen at any time. Tokens at rest are protected by the same standing platform controls (authenticated APIs, multi-tenant isolation, per-org caching with short expiry).
  • RGA writes back to the HubSpot record for prep and proposal results; reads are scoped to the standard business-contact fields needed for the feature.

5. Data handling, retention, and privacy

Data retention
All customer data — account information, CRM data, transcripts, and uploaded content — is retained for 90 days after cancellation, then permanently deleted from production systems. Earlier deletion is available on written request.
Data residency
Customer data is stored and processed primarily in the United States, on infrastructure operated by US-based providers. If you are located outside the United States, your data is transferred to and processed in the United States under appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission.
Controller / processor model
Under GDPR, the customer is the Data Controller; Revenue Growth Agent is the Data Processor. A Data Processing Agreement (DPA) is available on request.
Data subject requests
Access, export, correction, deletion, and the right to be forgotten are honored within 30 days.
Sub-processors
The current list is published at /sub-processors. Continued use of the platform after an update constitutes acceptance of the revised list.
AI training opt-out
Customer data processed by RGA is not used to train AI models. Configuration evidence is available on request.

6. Operational & organizational

MFA on internal access
Yes, on every system holding customer data or tokens — Vercel, Airtable, Pinecone, Railway, and Upstash — via an authenticator app or single sign-on through Google or GitHub with 2FA enforced.
SOC 2 status
The controls and processes a SOC 2 audit examines are implemented and operated today; formal attestation is on the near-term roadmap. Rather than wave a badge, this page describes precisely what runs today so your team can evaluate the engineering directly.
Incident response plan
A documented plan exists: detect, contain, assess, notify affected customers, remediate, and conduct a post-incident review. The incident owner is the RGA founder/CEO; the intake channel is support@revenuegrowthagent.com. The full plan is available on request.
Breach notification
Affected customers are notified without undue delay and within 72 hours of confirming a breach.
Access reviews and off-boarding
Access to systems holding customer data is reviewed periodically and revoked on off-boarding. The number of personnel with production data access is intentionally small.
Backups
Customer data resides in managed platforms (Airtable, Vercel Blob, Upstash) that provide their own redundancy and backups; Airtable backups inherit RGA's application-layer encryption, so backed-up credentials remain encrypted. Restore-from-backup is verified annually.
Recovery (RTO / RPO)
Uptime and recovery currently inherit from the underlying platform providers' redundancy and service levels. Formal recovery-time and recovery-point targets are in development.

7. Compliance frameworks

| Framework | Status |
|---|---|
| GDPR | Controller/processor model, data-subject-request handling, and a DPA available on request. |
| SOC 2 | In progress. Controls operated today; formal attestation on the near-term roadmap. |
| PCI DSS | Payment card handling is fully delegated to Stripe; RGA stores no card data. |
| HIPAA | Not applicable. RGA processes sales and CRM business-contact data, not protected health information. |
| FedRAMP | Not applicable. RGA does not sell to US federal government agencies. |
| ISO 27001 | Not currently pursued. |

Request the full security package

Serious evaluators can request the detailed documents we share during diligence rather than publish for casual browsing:

  • Data flow diagram — the full path of data through the platform and CRM integrations.
  • Incident Response Plan — detection, containment, notification, and post-incident review.
  • Data Processing Agreement (DPA) — for contractual data-protection commitments.
  • Completed security questionnaire — we'll fill out yours, or share ours.

Or email support@revenuegrowthagent.com directly. We respond to security and compliance requests promptly.