Security

Last updated: January 15, 2025

Security Overview

At Sales Coach Pro, security is fundamental to everything we build. Your sales data, practice calls, and team information are protected with enterprise-grade security measures designed to prevent unauthorized access, data breaches, and cyber threats.

This page outlines our security practices, compliance standards, and commitment to protecting your information.

Data Encryption

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using:

  • TLS 1.3 (Transport Layer Security) protocol
  • Perfect Forward Secrecy to ensure past sessions cannot be decrypted
  • HTTPS-only connections with HSTS (HTTP Strict Transport Security)
  • Certificate pinning to prevent man-in-the-middle attacks

Encryption at Rest

All stored data is encrypted using industry-standard algorithms:

  • AES-256 encryption for database storage (Supabase)
  • AES-256 encryption for file storage (call recordings, scripts)
  • Encrypted backups with separate encryption keys
  • Key rotation policies to minimize exposure in case of key compromise

Password Protection

User passwords are protected with:

  • Bcrypt hashing with work factor 12 (industry best practice)
  • Salted hashes unique to each user
  • Password strength requirements enforced during registration
  • No plaintext storage - we never see or store your actual password

Access Controls and Authentication

Multi-Factor Authentication (MFA)

We offer optional two-factor authentication via:

  • Time-based one-time passwords (TOTP) using authenticator apps
  • SMS-based verification codes
  • Email verification for sensitive account changes

We strongly recommend enabling MFA for all team accounts.

Role-Based Access Control (RBAC)

Our platform implements granular permissions:

  • Organization Admins: Full access to team data, billing, and settings
  • Team Members: Access to their own practice calls and organization scripts
  • Row-Level Security: Database policies prevent users from accessing other organizations' data

Session Management

User sessions are protected with:

  • Automatic timeout after 30 minutes of inactivity
  • Session invalidation on password change or logout
  • Secure cookie flags (HttpOnly, Secure, SameSite)
  • Device fingerprinting to detect suspicious login attempts

Infrastructure Security

Cloud Hosting

Sales Coach Pro is hosted on enterprise-grade infrastructure:

  • Vercel: Edge network with global CDN and DDoS protection
  • Supabase: Managed PostgreSQL with automated backups and replication
  • Google Cloud Platform: AI services with SOC 2 Type II compliance

Network Security

Our infrastructure is protected by:

  • Web Application Firewall (WAF) to block malicious traffic
  • DDoS protection with automatic mitigation
  • Rate limiting to prevent abuse and brute-force attacks
  • IP allowlisting for administrative access (Enterprise plans)

Database Security

Our database layer includes:

  • Row-Level Security (RLS) policies on all tables
  • Prepared statements to prevent SQL injection
  • Automated backups every 6 hours with 30-day retention
  • Point-in-time recovery for data restoration
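The organization scoping described under Role-Based Access Control (admins see their whole organization, team members see only their own practice calls) and under Database Security (RLS policies on all tables, prepared statements) can be expressed directly as PostgreSQL row-level security policies. The block below is an added illustration, not Sales Coach Pro's own schema or policies: the table and column names are assumed, and `auth.uid()` is Supabase's built-in helper that returns the id of the authenticated caller.

```sql
-- Added example (not the project's actual schema). Table and column
-- names are assumptions; auth.uid() is Supabase's helper for the caller's id.

-- Practice calls belong to one organization and one owner.
create table practice_calls (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  owner_id        uuid not null,
  recording_path  text,
  created_at      timestamptz not null default now()
);

-- Who belongs to which organization, and with which role.
create table organization_members (
  organization_id uuid not null,
  user_id         uuid not null,
  role            text not null check (role in ('admin', 'member')),
  primary key (organization_id, user_id)
);

-- Enable RLS and FORCE it so the table owner is subject to the policies too.
-- With RLS enabled and no matching policy, rows are hidden (deny by default).
alter table practice_calls enable row level security;
alter table practice_calls force row level security;

-- Team members read only their own calls; organization admins read every
-- call in their organization. Nobody reads rows from another organization.
create policy practice_calls_select on practice_calls
  for select
  using (
    owner_id = auth.uid()
    or exists (
      select 1
      from organization_members m
      where m.organization_id = practice_calls.organization_id
        and m.user_id = auth.uid()
        and m.role = 'admin'
    )
  );

-- New rows must be owned by the caller and placed in an organization the
-- caller is a member of; WITH CHECK rejects anything else at write time.
create policy practice_calls_insert on practice_calls
  for insert
  with check (
    owner_id = auth.uid()
    and exists (
      select 1
      from organization_members m
      where m.organization_id = practice_calls.organization_id
        and m.user_id = auth.uid()
    )
  );

-- Parameterized access: the organization id travels as a bound parameter,
-- never spliced into the query text, so it cannot alter the statement.
-- The RLS policies above still apply to whatever this query returns.
prepare calls_for_org(uuid) as
  select id, owner_id, created_at
  from practice_calls
  where organization_id = $1
  order by created_at desc;

-- Constructed placeholder organization id for illustration.
execute calls_for_org('00000000-0000-0000-0000-000000000001');
```

Two details carry the security weight. `FORCE ROW LEVEL SECURITY` closes the gap where the table owner would otherwise bypass the policies (superusers and roles with `BYPASSRLS` still do). And the `WITH CHECK` clause on the insert policy is what stops a member from writing a row into an organization they do not belong to; a `USING` clause alone only filters what they can read back.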

AI and Voice Security

Voice Data Protection

Practice call recordings are handled with care:

  • Ephemeral processing: Voice data is processed in real time and immediately stored in encrypted form
  • No third-party training: Your recordings are never used to train Google's public models
  • Automatic deletion: Recordings are deleted after 12 months
  • Restricted access: Only your organization can access your call recordings

AI Model Security

Our AI integrations follow secure development practices:

  • Google Gemini API: Used via secure, authenticated endpoints
  • Prompt injection protection: User inputs are sanitized before AI processing
  • Output validation: AI responses are validated before display
  • Rate limiting: Prevents abuse of AI services

Compliance and Certifications

Current Compliance

Sales Coach Pro adheres to the following standards:

  • GDPR: General Data Protection Regulation (EU)
  • CCPA: California Consumer Privacy Act
  • HIPAA: Not currently HIPAA-compliant (do not upload protected health information)

Certifications In Progress

We are actively working toward:

  • SOC 2 Type II: Expected Q2 2025
  • ISO 27001: Expected Q3 2025

Data Residency

Data is stored in:

  • Primary region: United States (us-east-1)
  • Backups: Multi-region replication for disaster recovery
  • EU data residency: Available for Enterprise plans (contact sales)

Security Monitoring and Incident Response

Continuous Monitoring

Our security team monitors for threats 24/7 using:

  • Intrusion detection systems (IDS) to identify suspicious activity
  • Log aggregation and analysis with automated alerting
  • Anomaly detection using machine learning
  • Security information and event management (SIEM) tools

Vulnerability Management

We proactively identify and remediate security issues:

  • Dependency scanning: Automated checks for vulnerable libraries
  • Penetration testing: Quarterly third-party security audits
  • Bug bounty program: Launching Q2 2025
  • Patch management: Critical vulnerabilities patched within 24 hours

Incident Response

In the event of a security incident, we will:

  • Contain the threat within 1 hour of detection
  • Notify affected users within 72 hours
  • Provide remediation guidance and support
  • Publish post-incident reports (for significant incidents)

Employee Access and Training

Internal Security Policies

Our employees are bound by strict security requirements:

  • Background checks for all employees with data access
  • Confidentiality agreements and NDAs
  • Principle of least privilege: Employees only access data they need
  • Audit logs: All administrative actions are logged and reviewed

Security Training

All team members complete:

  • Annual security awareness training
  • Phishing simulation exercises
  • Secure coding practices (for engineers)
  • Incident response drills

Access Reviews

We regularly audit internal access:

  • Quarterly access reviews to remove unnecessary permissions
  • Immediate revocation when employees leave
  • MFA required for all internal tools

Third-Party Security

Vendor Risk Management

All third-party service providers are vetted for security:

  • Security questionnaires before engagement
  • SOC 2 compliance required for critical vendors
  • Data processing agreements (DPAs) in place
  • Annual security reviews of vendor practices

Key Service Providers

Our trusted partners include:

  • Clerk: Authentication (SOC 2 Type II compliant)
  • Supabase: Database hosting (SOC 2 Type II compliant)
  • Google Cloud: AI services (ISO 27001, SOC 2 compliant)
  • Vercel: Application hosting (SOC 2 Type II compliant)
  • Stripe: Payment processing (PCI-DSS Level 1 compliant)

Responsible Disclosure

Report a Vulnerability

If you discover a security vulnerability in Sales Coach Pro, please report it responsibly:

What to Include

When reporting a vulnerability, please provide:

  • Detailed description of the issue
  • Steps to reproduce the vulnerability
  • Potential impact and severity assessment
  • Your contact information (for follow-up)

Our Commitment

We will:

  • Acknowledge your report within 24 hours
  • Provide status updates every 72 hours
  • Credit responsible disclosure in our security advisories (if desired)
  • Not pursue legal action against good-faith security researchers

Bug Bounty Program

We are launching a public bug bounty program in Q2 2025. Security researchers who discover critical vulnerabilities will be eligible for rewards.

User Security Best Practices

While we secure our platform, your security also depends on your practices:

Account Security

  • Use a strong, unique password (not reused from other sites)
  • Enable two-factor authentication (MFA)
  • Never share your password with anyone, including support staff
  • Log out when using shared or public computers

Call Recording Compliance

  • Ensure you have legal consent before uploading real customer calls
  • Familiarize yourself with wiretapping laws in your state/country
  • Avoid uploading calls containing sensitive personal information
  • Use practice scenarios instead of real calls whenever possible

Data Protection

  • Review who has access to your organization regularly
  • Revoke access immediately when team members leave
  • Avoid storing sensitive information in sales scripts
  • Monitor audit logs for unusual activity (Enterprise plans)

Phishing Awareness

Be cautious of emails claiming to be from Sales Coach Pro:

  • We will never ask for your password via email
  • Verify sender addresses (look for @salescoachpro.com)
  • Hover over links before clicking to check the destination
  • When in doubt, contact salescoachpro@safdigital.xyz

Security Contact

For security-related questions or concerns, contact us at:

Security updates: We publish security advisories and incident reports at status.salescoachpro.com.