Trust

Your data.
Your domains. Your keys.

Paitho is built on a simple posture: we touch nothing you don't own. This page lists exactly what we store, where, and for how long.

BYOK by default Per-tenant isolation Data export anytime No third-party ad/analytics trackers

What we store

Every byte, accounted for.

No hand-waving. Six categories, four columns. If it isn't on this list, we don't store it.

Data type

Where

Encryption

Retention

Lead records

Postgres · your tenant schema

AES-256 at rest · TLS in transit

indefinite (you delete)

LLM provider keys (BYOK)

Encrypted keychain · per-tenant KMS-wrapped

AES-256

until you remove

SMTP/IMAP credentials

Encrypted keychain

AES-256

until you remove

Email message bodies (sent + received)

Postgres

AES-256

indefinite (you delete)

LLM prompt + response logs

Postgres · stage_runs

AES-256

90 days · then anonymized

Audit log (auth + admin actions)

Append-only table

AES-256

12 months

What we do NOT store

The list that matters most.

Most trust pages skip this section. We lead with it. Because what isn't in the database is the part we can't leak.

× Your provider's API responses, raw. We keep token counts only.
× Plaintext API keys. Only KMS-wrapped ciphertext, ever.
× Email content from non-tenant inboxes. We see only what your connected mailbox sends and receives.
× Cookies for cross-site tracking. Session cookie only. Same-site, secure.
× Browser fingerprints. No canvas, no font, no WebGL fingerprinting.
× Your prospects' personal data outside what your CSV provided. We don't enrich without explicit opt-in.

Tenant isolation

Schema-per-tenant. No shared tables.

Every Paitho workspace gets its own Postgres schema. Queries can only address objects inside the schema bound to the authenticated session. Cross-tenant access requires a separate role grant that no application code holds.

postgres · paitho_main

SCHEMA: tenant_acme role: tenant_acme_app

leads · campaigns · drafts · stage_runs · audit_log

SCHEMA: tenant_beta role: tenant_beta_app

leads · campaigns · drafts · stage_runs · audit_log

SCHEMA: tenant_gamma role: tenant_gamma_app

leads · campaigns · drafts · stage_runs · audit_log

SHARED: none · application boundary enforced at session role

Boundary

Each session sets SET ROLE to the tenant role on connect. RLS policies fall back as a second line of defense.

Backups

Logical dumps per schema. Restore restores one tenant without touching others.

Export

One CLI command emits a full .sql.gz + .csv bundle of your tenant. No support ticket required.

Sub-processors

Every vendor we touch your data with.

Short list, on purpose. We add a sub-processor only when there's no defensible alternative.

Service

Used for

Notes

Hosting

Compute, network, encrypted block storage (e.g. Hetzner, OVH, AWS — final selection TBD)

region: EU/US selectable

Email transactional

Account verification, password reset, system notifications (Postmark or Resend — TBD)

never used for outbound to your prospects

Error tracking

Stack traces, performance metrics — Sentry

self-hosted option for paid tiers

LLM providers

Drafting, qualification, audit — OpenAI · Anthropic · Google

BYOK · your accounts, not ours

Enrichment providers

Contact enrichment — Apollo · RocketReach · ZoomInfo · IndiaMART · local directories. Only if you enable one.

your provider key · off by default

Sub-processor changes posted to /changelog 30 days before they take effect.

Compliance posture

Where we are. Where we're going.

No badges we haven't earned. No "compliance theater" pages. Just the actual status.

SOC 2 Type 1

in progress

Audit underway with a Big-Four-adjacent firm. Target attestation: Q3 2026.

SOC 2 Type 2

planned

Begins immediately after Type 1 attestation. 6-month observation window.

DPA

available

Standard Data Processing Addendum, including SCCs, on request. Email security@paitho.ai.

GDPR

compliant

Data residency selectable EU or US at workspace creation. DSARs handled in 30 days.

HIPAA

not certified

We are not currently a HIPAA Business Associate. If your outbound touches PHI, talk to us at security@paitho.ai before signing.

Vulnerability disclosure

Found something? Tell us.

CONTACT security@paitho.ai

WINDOW 90-day responsible disclosure. We acknowledge in 48 hours and patch in 90.

CREDIT Researchers credited in the changelog and on a public hall-of-fame page (opt-in).

BOUNTY No formal bug bounty yet. Planned for post-SOC2 Type 2.

Read the Manifesto.
Verify the posture.

Same posture, two documents. The Manifesto explains why. This page proves how.

Read the Manifesto Talk to Security

Your data. Your domains. Your keys.

Every byte, accounted for.

The list that matters most.

Schema-per-tenant. No shared tables.

Every vendor we touch your data with.

Where we are. Where we're going.

Found something? Tell us.

Read the Manifesto. Verify the posture.

Your data.
Your domains. Your keys.

Read the Manifesto.
Verify the posture.