Security
Last updated: June 27, 2026
We take the security of your account and your decks seriously. This page describes how Life is a Pitch, operated by DeepMyst, Inc., protects your data. It describes our current practices and is provided for transparency; it is not a contractual commitment and may evolve as our Services and the threat landscape change. Enterprise customers can request additional detail and a signed Data Processing Agreement (see Enterprise below).
Infrastructure
Life is a Pitch runs on a small set of reputable managed providers: Render (application hosting and managed PostgreSQL), Cloudflare R2 (object storage) with Cloudflare for DNS and edge, Clerk (authentication), and Stripe (payments). We rely on these providers for physical and network security at the infrastructure layer and deliberately keep our footprint small to reduce attack surface.
Encryption
All connections to the Services use TLS (HTTPS), so data is encrypted in transit. Data is stored on managed databases and object storage that encrypt data at rest. Card data is encrypted and handled within Stripe's environment, never on our own systems.
Authentication and access control
- Authentication is handled by Clerk, and user sessions are backed by short-lived session tokens.
- Service-to-service calls use scoped, least-privilege API keys rather than broad, shared credentials.
- Access to production systems and data is limited to the people who need it to operate and support the Services.
Application security and tenant isolation
Your decks and account data are scoped to your account. The Services enforce per-account ownership checks before returning or modifying your content, so one account cannot access another account's data through the application.
Logging, monitoring, and alerting
We log application and infrastructure events to detect, investigate, and respond to issues, and we monitor the Services so we can be alerted to errors and anomalies that may indicate a security or reliability problem.
Backups and resilience
We rely on our managed database provider for regular, encrypted backups of the production database, which support recovery in the event of data loss or an outage.
Payments
Card payments are processed by Stripe. We never see or store full card numbers; card data is handled within Stripe's PCI-compliant environment, and we receive only limited details needed to operate billing (such as plan, payment status, and the card brand and last four digits).
Sub-processors
We use a small set of vetted sub-processors to run the Services, each selected for its security practices. The current list, with the purpose and location of each, is in our Privacy Policy.
Incident response and breach notification
If we become aware of a security incident affecting personal data, we will investigate promptly, take steps to contain and remediate it, and notify affected users and, where we act as a processor, the relevant controllers, without undue delay and as required by applicable law. We will provide the information needed to understand the incident and to meet any notification obligations.
Responsible disclosure
We welcome responsible disclosure. Email admin@deepmyst.com with a description and reproduction steps, and we will acknowledge your report within 2 business days. Please act in good faith: do not access, modify, or destroy other users' data, do not degrade or disrupt the Services, and give us reasonable time to investigate and fix an issue before disclosing it publicly.
Enterprise
Enterprise customers can request a security overview and a signed Data Processing Agreement. See our DPA page or email admin@deepmyst.com.