Security

How we protect training data.

Pitchmaster is built for teams that practise real conversations. That means we treat recordings, transcripts, scenarios and coaching feedback as sensitive customer data.

Last updated: 2026-06-24

Access control

Workspaces are protected by authenticated access. Teams can use email login and supported OAuth providers, with SSO available for enterprise customers.

Infrastructure

Core application infrastructure is hosted on controlled cloud infrastructure. Production access is limited to the people who need it to operate and support the service.

Data protection

Training conversations, transcripts, recordings and feedback are processed to deliver the product, stored privately and automatically deleted or scrubbed after 30 days.

Vendor review

Pitchmaster uses trusted infrastructure and AI providers. Sub-processors, transfer safeguards and processor documentation are documented for customers.

Data handling

Pitchmaster processes customer scenarios, roleplay recordings, transcripts, scores and coaching feedback so teams can practise and review spoken conversations.

Customer content remains customer content. We use it only to operate the service, generate training feedback, support the workspace, troubleshoot issues and maintain platform reliability.

Training conversations, transcripts, feedback and recordings are automatically deleted or scrubbed after 30 days. Uploads and recordings are stored privately and exposed only through authorised workflows or short-lived signed URLs where needed.

Where recordings or transcripts are processed by external AI services, this is described in the Privacy Policy and covered by the relevant processor documentation, DPAs/SCCs or equivalent contractual safeguards where required.

Authentication and permissions

Users access Pitchmaster through authenticated accounts. Organisations are responsible for inviting the right users and removing access when someone leaves the team.

Manager and admin functionality is separated from normal trainee workflows, so team-level visibility and configuration are limited to the appropriate roles.

Enterprise customers can request SSO and additional access requirements as part of their contract.

Application security

We keep the production environment separated from local development and limit access to production systems.

Security-sensitive changes are reviewed before release, and we use automated build checks before code is pushed to staging.

Error monitoring helps us identify and fix issues quickly. Sensitive user-entered text is masked or redacted from diagnostic tooling where possible.

AI and voice processing

Pitchmaster uses AI providers to run realistic voice conversations and generate coaching feedback. These providers only receive the information needed for that training workflow.

AI feedback is designed for coaching and practice. It may not be used as the sole basis for hiring, firing, promotion, salary, disciplinary, legal, financial or other high-impact decisions.

Pitchmaster is not designed for biometric identification, emotion recognition for employment decisions, social scoring or surveillance.

Privacy governance

Business customers can request a data processing agreement, the current sub-processor overview and international-transfer evidence where applicable.

For workspace training data, customers usually act as controller and Pitchmaster acts as processor unless a separate written agreement says otherwise.

Customers remain responsible for informing users, obtaining required consent and setting internal rules for how managers may use coaching feedback.

ISO 27001 readiness

Pitchmaster is not yet ISO/IEC 27001 certified. We started ISO/IEC 27001:2022 readiness on 23 June 2026 and have prepared an ISMS scope, risk register, policy set, supplier review, access review, backup/restore evidence and technical control evidence.

The paid external advisor/certification step is intentionally deferred until budget is available or an enterprise customer requires it. We do not claim ISO certification until an accredited certification body has issued a certificate.

Enterprise customers can request our current security pack, DPA, sub-processor overview and technical and organizational measures under NDA where appropriate.

Incident response

If we become aware of a security incident that affects customer data, we investigate, contain the issue and notify affected customers where required by law or contract.

Customers can report security concerns directly to our team. Please include enough detail to reproduce or understand the issue, but do not include unnecessary personal data.

Customer responsibilities

Customers should use strong passwords, manage team access carefully and make sure their users have a lawful basis for recording and processing voice training sessions.

Do not upload highly sensitive personal data unless it is necessary for the training use case and your organisation has approved that processing.

Enterprise FAQ

Answers for procurement and security reviews.

These answers summarize our current position. Detailed evidence, DPAs and provider documentation can be shared with business customers where appropriate.

Are you ISO/IEC 27001 certified?

Not yet. We have prepared ISO/IEC 27001:2022 readiness with an ISMS scope, risk register, policy set, supplier review, access review, backup/restore evidence and technical security evidence. The paid external advisor/certification step is deferred until budget is available or an enterprise customer requires it. We do not claim certification until an accredited certification body has issued a certificate.

Do you work in line with GDPR?

Pitchmaster is designed to support GDPR-aligned processing for business customers in the Netherlands and the EU. For workspace training data, the customer is usually the controller and Pitchmaster acts as processor. We maintain DPA, sub-processor, retention and technical-control evidence for customer security reviews.

Can you share a DPA?

Yes. Business customers can request a Data Processing Agreement. Our sub-processor and transfer-safeguard overview is maintained in the Privacy Policy and supporting compliance dossier.

Where is customer data hosted?

The core application, database, storage and backups run on self-hosted Supabase/Coolify on Hetzner in Germany. Some AI, speech, monitoring, scheduling, video and payment providers may process limited data outside the EU under contractual transfer safeguards.

Do you use customer recordings to train AI models?

No. Customer content, recordings, transcripts and feedback are not used to train general AI models. Pitchmaster processes this data only to provide the requested training, transcription, voice-agent, feedback, support and security workflows.

How long do you retain training conversations?

Training conversations, transcripts, feedback and recordings are automatically deleted or scrubbed after 30 days. Account data is retained while the account is active and audit logs are retained only as needed for security, compliance and troubleshooting.

Can customers export or delete data?

Yes. Users can export or delete their data via Settings → Account & privacy. Business customers can also contact info@changemakersai.nl for privacy requests, DPA questions or security review evidence.

Can managers use AI scores for HR decisions?

No. Pitchmaster is intended for training, coaching and practice feedback. Scores and AI feedback may not be used as the sole basis for hiring, firing, promotion, salary, disciplinary or similar high-impact decisions.

Do you support SSO?

SSO is available for enterprise customers as part of their contract and workspace setup.