Security posture
GTMHack sits in the middle of your outbound revenue motion. Your prospect data, your deals, and your sender reputation flow through us. We take that seriously. This page explains how.
Foundations
Encryption
- In transit: TLS 1.3 across all endpoints, HSTS enforced, modern cipher suites only.
- At rest: AES-256-GCM on all databases, object storage, and backups.
- Secrets: managed via cloud KMS with envelope encryption; never checked into source or logged.
Tenant isolation
Every customer’s data lives behind row-level security in the primary database. Every query, whether from the app or the API, is scoped to the current workspace at the database layer — not just the application layer. That means a bug in application code cannot expose one customer’s data to another.
Human-in-the-loop by default
No outbound action — email, LinkedIn, dialer campaign, CRM write — leaves the Service without a human approving it. We ship this as a hard product constraint, not a settings toggle. Approval events are immutably logged.
Operational security
Access control
Least-privilege on everything. Production access is restricted to a small named group, requires MFA, uses ephemeral credentials, and is logged. No shared passwords, ever.
Monitoring & audit
Structured logs on every action across the platform, retained on immutable storage. Anomaly monitoring on authentication, exfiltration patterns, and unusual API usage. Alerts route to a 24/7 on-call rotation.
Vulnerability management
Automated dependency scanning on every commit. Container images rebuilt regularly against fresh base images. External security reports welcomed at security@gtmhack.ai.
Backups & recovery
Point-in-time recovery on primary databases. Cross-region backups. Restore procedures tested regularly. RPO and RTO targets defined per system.
Compliance posture
GTMHack is built in alignment with the main international standards (ISO 27001, SOC 2, UK Cyber Essentials). We do not currently hold those certifications, and we don’t claim to. Certification is on our roadmap.
- UK GDPR / EU GDPR: we operate as a compliant processor. See our DPA.
- UK data residency: primary data stored in UK/EU regions.
- Sub-processors: disclosed and updated on the DPA page.
Product-level safety
Sender health guardrails
The Deliverability engine enforces SPF, DKIM, DMARC verification before a single send. Per-domain daily caps, warmup schedules, and automatic throttling protect your reputation.
Suppression & compliance
Global suppression lists, unsubscribe handling, opt-out honouring across workspaces, and rate limits are enforced at the platform layer — not at the sequence.
Content safety
Every AI-generated draft passes a five-check validator (personalisation depth, claim safety, spam-trigger scan, link and domain hygiene, tone match) before reaching a human reviewer.
Incident response
Written IR plan, named responder rotations, and a customer notification standard: any confirmed Personal Data breach is notified to affected controllers within 72 hours where feasible, with the information reasonably available at that time.
Reporting a vulnerability
Please email security@gtmhack.ai. We commit to acknowledging every report within one working day and to a good-faith response timeline. We do not currently run a public bug bounty; we do reward material findings with credit and a small honorarium.
Talk to a human
Enterprise customers can request a security review with our team — email security@gtmhack.ai.