At SalesSheet.ai, security is foundational to everything we build. Your CRM contains your most valuable business relationships, deals, and communications. We treat the protection of that data as our highest priority. This page provides an overview of the security practices, infrastructure, and controls we have in place to safeguard your information.
Our Commitment to Security
Security is not an afterthought at SalesSheet -- it is embedded into our engineering culture, development processes, and operational practices. Our security program is designed around the following principles:
- Defense in Depth: Multiple layers of security controls protect your data at every level of our stack, from the network edge to the application layer to the database.
- Least Privilege: Access to systems and data is restricted to the minimum necessary for each role, and elevated permissions are time-limited and require explicit approval.
- Continuous Monitoring: We monitor our infrastructure and applications around the clock for threats, anomalies, and unauthorized access attempts.
- Transparency: We are open about our security practices and promptly communicate any incidents that may affect your data.
- Security by Design: Security considerations are integrated into every phase of our product development lifecycle, from design through deployment.
Infrastructure Security
Our platform is built on enterprise-grade cloud infrastructure designed for reliability, scalability, and security:
Cloud Hosting
- Hosted on industry-leading cloud providers with SOC 2 Type II, ISO 27001, and SOC 3 certifications
- Multi-region architecture with automatic failover for high availability
- Virtual private cloud (VPC) isolation with strict network segmentation between services
- DDoS protection and web application firewall (WAF) at the network edge
- Auto-scaling infrastructure to handle traffic spikes without service degradation
Network Security
- All external traffic is encrypted using TLS 1.2 or higher with strong cipher suites
- Internal service-to-service communication is encrypted and mutually authenticated
- Strict firewall rules limit network access to only necessary ports and services
- Network traffic is monitored and logged for anomaly detection
- Regular network penetration testing conducted by independent third-party security firms
Data Protection
Encryption at Rest
All customer data stored in our databases and file systems is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management service (KMS) with automatic rotation and strict access controls. Database backups are also encrypted using separate keys and stored in geographically separate locations. Encryption key access is logged and audited.
Encryption in Transit
All data transmitted between your browser or mobile device and our servers is protected by TLS 1.2 or higher. We enforce HSTS (HTTP Strict Transport Security) headers and support only strong cipher suites. API communications are similarly encrypted end-to-end. We regularly review and update our TLS configuration to deprecate weak protocols and ciphers.
Data Isolation
Each customer's data is logically isolated within our infrastructure. Strict access controls ensure that one customer's data is never accessible to another. Our application layer enforces tenant isolation at every query and operation, verified by automated testing. Database queries are parameterized to prevent SQL injection and cross-tenant data leakage.
Data Backup and Recovery
We maintain a comprehensive backup strategy to protect against data loss:
- Automated continuous backups with point-in-time recovery capability
- Daily full backups retained for 30 days
- Backups are encrypted and stored in geographically separate regions
- Recovery procedures are tested quarterly to validate integrity and completeness
Access Controls
We implement rigorous access controls at both the application and infrastructure levels:
Application-Level Controls
- Role-based access control (RBAC) allows administrators to define granular permissions for team members
- Permissions can be configured for contacts, deals, pipelines, reports, and administrative settings
- Session management with configurable timeout and re-authentication requirements
- Comprehensive audit logs track all user actions within the platform, including data access, modifications, and exports
- OAuth 2.0-based authentication for third-party integrations with scoped permissions
Internal Access Controls
- Employee access to production systems requires multi-factor authentication (MFA) and VPN
- Access is granted on a need-to-know basis and reviewed quarterly by management
- All production access is logged, monitored, and subject to automated alerting
- Privileged access requires additional approval from security leadership and is time-limited
- Background checks are conducted for all employees with access to customer data
- Access is revoked immediately upon employee departure through automated deprovisioning
AI Security
Our AI features are designed with security and privacy as core requirements, ensuring your data is protected throughout the AI processing pipeline:
Data Processing
- AI processing occurs in isolated, secure environments with no persistent data storage beyond what is needed to deliver results
- Your CRM data is never used to train general-purpose AI models or shared across customer accounts
- AI inputs and outputs are subject to the same encryption and access controls as all other customer data
- Processing is performed in-region where possible to minimize data transfer across borders
- AI model responses are not cached or stored beyond the immediate request-response cycle
Bring Your Own Key (BYOK)
- Enterprise customers can use their own API keys for AI model providers, maintaining full control over their AI data processing
- BYOK connections are established directly between your account and your chosen provider
- Your API keys are encrypted at rest using AES-256 and never logged, displayed, or exposed in plaintext after initial entry
- You maintain full control over your AI provider relationship and associated data processing terms
- BYOK configuration can be changed or revoked at any time through account settings
Application Security
Our development and deployment practices are designed to minimize vulnerabilities and maintain a strong security posture:
- Secure Development Lifecycle: Security reviews and threat modeling are integrated into our development process from design through deployment.
- Code Review: All code changes require peer review before deployment, with mandatory security-focused review for changes to authentication, authorization, data access, and API endpoints.
- Dependency Management: Automated scanning of all third-party dependencies for known vulnerabilities, with alerts and remediation tracking.
- Static Analysis: Automated static application security testing (SAST) tools run on every code commit to detect potential vulnerabilities.
- Dynamic Testing: Regular dynamic application security testing (DAST) against our staging and production environments.
- Penetration Testing: At least annual third-party penetration testing of our applications and infrastructure, with remediation of all identified findings.
- Responsible Disclosure Program: We maintain an active program to encourage security researchers to report vulnerabilities.
Compliance
We align our security program with recognized standards and regulatory requirements to provide assurance to our customers:
- SOC 2 Type II: Our controls are independently audited against the AICPA Trust Services Criteria for security, availability, and confidentiality. Reports are available to customers under NDA.
- GDPR: We comply with the General Data Protection Regulation for customers in the European Economic Area, including data processing agreements, data subject rights, lawful processing bases, and data protection impact assessments.
- CCPA: We comply with the California Consumer Privacy Act, including rights to know, delete, correct, and opt out.
- Data Processing Agreements: We offer a standard Data Processing Agreement for customers who require one for GDPR compliance or internal procurement processes.
Business Continuity and Disaster Recovery
We maintain comprehensive business continuity and disaster recovery plans to ensure service resilience:
- Automated continuous backups with point-in-time recovery capability
- Backups are encrypted and stored in geographically separate regions
- Recovery time objective (RTO) of 4 hours and recovery point objective (RPO) of 1 hour
- Disaster recovery plans are tested at least annually with documented results
- Real-time monitoring with automated alerting for infrastructure health and performance
- Redundant systems across multiple availability zones for high availability
- Documented runbooks for common failure scenarios with assigned response teams
Incident Response
We have a documented incident response plan that outlines procedures for detecting, containing, investigating, and remediating security incidents:
- Detection: Automated monitoring and alerting systems detect anomalies and potential security events in real time across all layers of our infrastructure.
- Triage: Incidents are classified by severity level, with defined escalation paths for each level.
- Response: Our on-call security team investigates and responds to alerts within defined SLAs based on severity.
- Containment: Immediate steps are taken to contain any confirmed incident and prevent further impact to customer data.
- Notification: Affected customers are notified within 72 hours of confirming a data breach, in accordance with GDPR and other applicable regulations.
- Remediation: Root cause analysis is performed and corrective measures are implemented to prevent recurrence.
- Post-Incident Review: Thorough reviews are conducted after every incident to improve our security posture, update runbooks, and share learnings across the team.
Responsible Disclosure
We value the work of security researchers and welcome reports of potential vulnerabilities. If you believe you have discovered a security issue in our platform, please report it responsibly:
- Email your findings to andres@salessheets.ai with the subject line "Security Vulnerability Report"
- Include a detailed description of the vulnerability, steps to reproduce, and any supporting evidence
- Allow us reasonable time (at least 90 days) to investigate and address the issue before disclosing it publicly
- Do not access, modify, or delete other users' data during your research
- Do not perform testing that could degrade or disrupt the Service for other users
We are committed to working with researchers in good faith and will not pursue legal action against individuals who report vulnerabilities responsibly and in accordance with these guidelines.
Employee Security
Our team members are trained and held to high security standards:
- All employees complete comprehensive security awareness training during onboarding and annually thereafter
- Employees with access to customer data undergo background checks before being granted access
- Endpoint security controls are enforced on all company devices, including full-disk encryption, endpoint detection and response (EDR), and remote wipe capability
- Strict policies govern the handling of customer data, with clear guidelines and consequences for violations
- Regular phishing simulations are conducted to test and reinforce security awareness
- All employees sign confidentiality and acceptable use agreements as part of their employment terms
Contact Us
If you have questions about our security practices or would like to request additional information for your security review, please contact us:
- Email: andres@salessheets.ai
- Company: SalesSheet Inc.
We are happy to provide additional documentation, share our SOC 2 Type II report under NDA, complete security questionnaires, or schedule a call to discuss your specific security requirements.