Trust

Security posture

Last updated: 10 July 2026

GTMHack sits in the middle of your outbound revenue motion. Your prospect data, your deals, and your sender reputation flow through us. We take that seriously. This page explains how.

Foundations

Encryption

Tenant isolation

Every customer’s data lives behind row-level security in the primary database. Every query, whether from the app or the API, is scoped to the current workspace at the database layer — not just the application layer. That means a bug in application code cannot expose one customer’s data to another.

Human-in-the-loop by default

No outbound action — email, LinkedIn, dialer campaign, CRM write — leaves the Service without a human approving it. We ship this as a hard product constraint, not a settings toggle. Approval events are immutably logged.

Operational security

Access control

Least-privilege on everything. Production access is restricted to a small named group, requires MFA, uses ephemeral credentials, and is logged. No shared passwords, ever.

Monitoring & audit

Structured logs on every action across the platform, retained on immutable storage. Anomaly monitoring on authentication, exfiltration patterns, and unusual API usage. Alerts route to a 24/7 on-call rotation.

Vulnerability management

Automated dependency scanning on every commit. Container images rebuilt regularly against fresh base images. External security reports welcomed at security@gtmhack.ai.

Backups & recovery

Point-in-time recovery on primary databases. Cross-region backups. Restore procedures tested regularly. RPO and RTO targets defined per system.

Compliance posture

GTMHack is built in alignment with the main international standards (ISO 27001, SOC 2, UK Cyber Essentials). We do not currently hold those certifications, and we don’t claim to. Certification is on our roadmap.

Product-level safety

Sender health guardrails

The Deliverability engine enforces SPF, DKIM, DMARC verification before a single send. Per-domain daily caps, warmup schedules, and automatic throttling protect your reputation.

Suppression & compliance

Global suppression lists, unsubscribe handling, opt-out honouring across workspaces, and rate limits are enforced at the platform layer — not at the sequence.

Content safety

Every AI-generated draft passes a five-check validator (personalisation depth, claim safety, spam-trigger scan, link and domain hygiene, tone match) before reaching a human reviewer.

Incident response

Written IR plan, named responder rotations, and a customer notification standard: any confirmed Personal Data breach is notified to affected controllers within 72 hours where feasible, with the information reasonably available at that time.

Reporting a vulnerability

Please email security@gtmhack.ai. We commit to acknowledging every report within one working day and to a good-faith response timeline. We do not currently run a public bug bounty; we do reward material findings with credit and a small honorarium.

Talk to a human

Enterprise customers can request a security review with our team — email security@gtmhack.ai.