Security

Last updated: 27/10/2025

At Pitch Time, we protect data with layered controls focused on confidentiality, integrity, and availability.

Organisational practices

Access control

Least-privilege access; MFA/SSO for staff; role-based permissions.

Vendor management

DPAs and transfer safeguards (see /subprocessors).

Training

Security & privacy training for staff with data access.

Change management

Code review and tracked releases.

Data protection

Encryption in transit

TLS 1.2+ for all public endpoints.

Encryption at rest

Provider-managed encryption for databases/storage/backups.

Segregation

Logical tenant separation.

Application security

Secure development

Dependency scanning, code review, secret management.

Vulnerability management

Regular patching; prioritised remediation.

Rate-limiting & monitoring

Abuse protection; logging/alerting.

Infrastructure & reliability

Backups & DR

Regular backups; tested restoration; DR runbooks.

Availability

Cloud-hosted infra designed for high availability.

Incident response

On-call rotation; documented IR process; post-incident reviews.

Data retention & deletion

We retain customer data for the subscription term and as required by law. On request or contract end, we delete or return data per the DPA.

Responsible disclosure

Report suspected security issues via our contact page (include steps to reproduce and potential impact). We will acknowledge, investigate, and provide updates.

Questions about our security practices? Contact us.