Security at a glance

The one-pager for a security review — every claim below is expanded in this page and true today, not aspirational.

Sessions

Server-side, opaque random id in an HttpOnly, SameSite=Lax, Secure cookie. Revoke = one row deleted; no token in the browser.

Encryption

HTTPS everywhere. OAuth tokens encrypted at rest with AES-256-GCM. Database encrypted at rest by the provider.

Tenant isolation

Every row is keyed to your account or team and every query is scoped to the authenticated session — one tenant can't read another's runs, keys, or brain.

Least data

Metadata-only by default — run counts, outcomes, and brain state, not your raw lead lists or message bodies.

API keys

Stored only as a SHA-256 hash, scoped, rate-limited per key; every control-plane call is logged.

Compliance

SOC 2 is on the roadmap, not yet certified. We'll tell you honestly what we can provide today.

The short version

Sales as Code is two planes: the work runs in Claude Cowork, and salesascode.com is a thin control plane that licenses your plugins and shows a rollup of what they did. The control plane is metadata-first by design — it stores run counts, outcomes, and brain state, not your raw lead lists or email bodies. Below is exactly how we secure it, who we share data with, and the controls you have.

Metadata only — no raw PII by default

This is the core of how the two-plane design protects you. Your leads, message bodies, and contact records live where the work happens — in Claude Cowork, on your own connected tools. The control plane at salesascode.com is deliberately built to see as little as possible.

The practical upshot: a compromise of the control plane exposes metadata about what ran, not the contents of your pipeline.

Security practices

Compliance posture & SOC 2 roadmap

We want to be straight with you about where we are. Sales as Code is an actively developed product. We follow the security practices above as a matter of course, but we do not yet hold a SOC 2 or ISO 27001 certification — treat SOC 2 as on the roadmap, not as something we've achieved. We won't imply a certification we don't have. If your procurement process requires a specific certification, a data processing agreement (DPA), a security questionnaire, or a penetration-test summary, contact us and we'll tell you honestly what we can provide today and what's planned.

Subprocessors

We use a small set of vendors to run the service. We don't sell your data or share it with advertisers.

SubprocessorWhat they processRegion
AnthropicAI inference (Claude). Plugins run in Claude Cowork; the control plane calls the Claude API for any server-side AI.United States
NeonPrimary Postgres database — accounts, entitlements, telemetry, brain sync.United States
VercelApplication hosting and edge delivery.Global edge, U.S. compute
StripePayments, subscriptions, invoices. We never see full card numbers.United States
ResendTransactional and digest email delivery.United States
GoogleGoogle sign-in (OpenID) when you choose it.United States

Where your data lives

Primary database: Neon (Postgres), U.S. region. Application servers: Vercel, distributed globally with U.S. compute. AI inference: Anthropic, U.S. region. If you're outside the U.S., your data is processed in the U.S.

Your data and retention

Reporting a vulnerability

If you find a security issue, email admin@salesascode.com with the details and steps to reproduce. We'll acknowledge and work the fix. Please don't publicly disclose until we've had a chance to remediate. (Our contact page also lists security@salesascode.com for responsible-disclosure reports — both addresses route to the same inbox, so use whichever you find first.)

Questions

For DPAs, security questionnaires, or anything not covered here, reach us at our contact page or admin@salesascode.com. See also our Privacy Policy and Terms.