Security, Privacy and Control

Pitch Avatar includes security, privacy and control tools to keep your data safe

Your data privacy

Data you store in Pitch Avatar is yours. We put our security program in place to protect it, and use it only as permitted in our Terms of Use and Privacy Policy. We never share your data across customers and never sell it.

PitchAvatar RAG – Data Security and GDPR Compliance

PitchAvatar’s Retrieval-Augmented Generation (RAG) system is designed with enterprise-grade security and GDPR compliance in mind. It operates within a private AWS environment and applies modern standards for data protection, encryption, and access control.


Data Encryption

  • All data in transit is protected via TLS 1.2, ensuring secure communication between services and users.

  • Data at rest is encrypted using AES-256 (KMS).

  • All storage and processing take place within AWS data centers located in the EU region (eu-central-1, Germany) — supporting GDPR data residency requirements.


Access Control

  • Authentication is managed through secure OAuth2 / SSO mechanisms, depending on the client’s integration.

  • The system supports basic role-based permissions (reader / writer) to restrict user operations and data visibility.


Data Storage

  • Document indexes and vector embeddings are stored securely and remain within a private AWS infrastructure.

  • Cross-region replication is disabled to keep all data within the EU.

  • Data deletion (“right to erasure”) can be carried out upon client request, in accordance with the Data Processing Agreement (DPA) or Service Level Agreement (SLA).


Audit and Monitoring

  • The system maintains application- and infrastructure-level logs by default.

  • Additional detailed audit logging can be enabled in OpenSearch upon request, supporting compliance and internal monitoring.


Summary

PitchAvatar RAG runs in a private, EU-based cloud environment and implements:

  • Encrypted data transmission and storage,

  • Controlled user authentication and access,

  • Transparent audit capabilities, and

  • GDPR-aligned data handling practices.

Formal GDPR documentation (including DPA) and data deletion procedures are managed in coordination with our compliance and legal teams.

Frequently Asked Questions

PitchAvatar RAG operates in a private AWS environment with TLS 1.2 encryption for data in transit and AES-256 encryption for data at rest. All processing and storage occur within EU-based data centers (eu-central-1, Germany), ensuring full compliance with EU data protection standards.

No, PitchAvatar RAG processes data securely and stores only necessary indexes and vector embeddings to enable retrieval.
No raw documents or personal data are exposed or shared outside the client’s environment.
Clients can request full data removal at any time under the Right to Erasure provision. 

All data, including indexes and embeddings, is stored in AWS data centers in Germany (EU region).
Cross-region replication is disabled, which ensures data remains within EU boundaries.

Access is strictly limited to authorized users through OAuth2 / SSO authentication.

Yes. Clients can request full deletion of indexed or embedded data at any time.

Yes. PitchAvatar adheres to GDPR principles, including data minimization, encryption, access control, and transparency.
Formal GDPR documentation (including the DPA) is available through our compliance team.

No. Client data is never shared or used to train public models.
RAG only retrieves context within the client’s authorized knowledge base — responses are generated securely and on the fly.