Trust & security
How we protect your data.
Plain English, no hype. Last updated .
Security at a glance
The one-pager for a security review — every claim below is expanded in this page and true today, not aspirational.
Server-side, opaque random id in an HttpOnly, SameSite=Lax, Secure cookie. Revoke = one row deleted; no token in the browser.
HTTPS everywhere. OAuth tokens encrypted at rest with AES-256-GCM. Database encrypted at rest by the provider.
Every row is keyed to your account or team and every query is scoped to the authenticated session — one tenant can't read another's runs, keys, or brain.
Metadata-only by default — run counts, outcomes, and brain state, not your raw lead lists or message bodies.
Stored only as a SHA-256 hash, scoped, rate-limited per key; every control-plane call is logged.
SOC 2 is on the roadmap, not yet certified. We'll tell you honestly what we can provide today.
The short version
Sales as Code is two planes: the work runs in Claude Cowork, and salesascode.com is a thin control plane that licenses your plugins and shows a rollup of what they did. The control plane is metadata-first by design — it stores run counts, outcomes, and brain state, not your raw lead lists or email bodies. Below is exactly how we secure it, who we share data with, and the controls you have.
Metadata only — no raw PII by default
This is the core of how the two-plane design protects you. Your leads, message bodies, and contact records live where the work happens — in Claude Cowork, on your own connected tools. The control plane at salesascode.com is deliberately built to see as little as possible.
- What the control plane stores: run counts, skill names, outcomes and outcome keys, timing, error categories, and brain state (key sets and value hashes used to summarize what changed).
- What it does not store by default: your raw lead lists, prospect names, email or message bodies, or third-party contact data. The rollup on /rollup shows metadata and outcomes — never the underlying PII.
- Opt-in only: we don't pull raw third-party contact data into the control plane unless you explicitly turn that on for a specific flow.
The practical upshot: a compromise of the control plane exposes metadata about what ran, not the contents of your pipeline.
Security practices
- Encryption in transit and at rest. All traffic is HTTPS. OAuth tokens are encrypted at rest with AES-256-GCM. The database is encrypted at rest by our provider.
- Sessions. Server-side sessions with an opaque, random id in an HttpOnly, SameSite=Lax, Secure cookie. Revoking a session deletes one row — no token lives in the browser.
- API keys. The Sales as Code keys your plugins authenticate with are stored only as a SHA-256 hash, are scoped, and are rate-limited per key. Every control-plane call is logged.
- Tenant isolation. Every record — runs, entitlements, keys, brain state — is keyed to your account or team, and every control-plane query is scoped to the authenticated session before it reads. One tenant cannot see another tenant's data; team-scoped views are additionally limited to the members of that team.
- Single sign-on (SAML). Teams can route sign-in through their own identity provider with just-in-time provisioning and group-to-role mapping. See /login/sso.
- Audit log. Every admin-relevant action is written to an immutable audit log that admins can review and export to CSV.
- You control publishing. Plugins are tool-agnostic and draft-first: by default they draft and stage for your review. They publish automatically only on channels you connect and explicitly enable for automation, and only after a brand-safety check; anything that reaches a person, or any channel where automation is disallowed, is always held for your approval. You set the mode per channel and can revert to draft-only at any time.
- Least data. Plugins default to sending metadata only. We don't pull raw third-party contact data into the control plane unless you explicitly opt in.
Compliance posture & SOC 2 roadmap
We want to be straight with you about where we are. Sales as Code is an actively developed product. We follow the security practices above as a matter of course, but we do not yet hold a SOC 2 or ISO 27001 certification — treat SOC 2 as on the roadmap, not as something we've achieved. We won't imply a certification we don't have. If your procurement process requires a specific certification, a data processing agreement (DPA), a security questionnaire, or a penetration-test summary, contact us and we'll tell you honestly what we can provide today and what's planned.
Subprocessors
We use a small set of vendors to run the service. We don't sell your data or share it with advertisers.
| Subprocessor | What they process | Region |
|---|---|---|
| Anthropic | AI inference (Claude). Plugins run in Claude Cowork; the control plane calls the Claude API for any server-side AI. | United States |
| Neon | Primary Postgres database — accounts, entitlements, telemetry, brain sync. | United States |
| Vercel | Application hosting and edge delivery. | Global edge, U.S. compute |
| Stripe | Payments, subscriptions, invoices. We never see full card numbers. | United States |
| Resend | Transactional and digest email delivery. | United States |
| Google sign-in (OpenID) when you choose it. | United States |
Where your data lives
Primary database: Neon (Postgres), U.S. region. Application servers: Vercel, distributed globally with U.S. compute. AI inference: Anthropic, U.S. region. If you're outside the U.S., your data is processed in the U.S.
Your data and retention
- Access. Everything the control plane holds about you is visible in the product.
- Export. Download all of your data as JSON at any time from Settings → Data, or export your synced brain from /brain/export.
- Delete. Request account deletion from Settings → Data. We hard-delete within 7 days. Stripe retains billing records per its own policy for tax and accounting.
- Disconnect. Revoke any Sales as Code API key from Settings → API keys; the plugins lose control-plane access immediately.
Reporting a vulnerability
If you find a security issue, email admin@salesascode.com with the details and steps to reproduce. We'll acknowledge and work the fix. Please don't publicly disclose until we've had a chance to remediate. (Our contact page also lists security@salesascode.com for responsible-disclosure reports — both addresses route to the same inbox, so use whichever you find first.)
Questions
For DPAs, security questionnaires, or anything not covered here, reach us at our contact page or admin@salesascode.com. See also our Privacy Policy and Terms.