SOC 2 Type II — independently audited
SOC 2 Type II is not a self-assessment. An independent licensed auditor reviewed our controls across Security, Availability, and Confidentiality — and verified they operated effectively over a sustained period, not just on a single day.
The full SOC 2 Type II report is available to prospects and customers on request.
Request the report →Your data is never used to train AI models
PitCrew uses large language models to power its agents. Here is exactly how your data is handled — and what we guarantee about it.
No model training
Your client data, workflows, and outputs are never used to train, fine-tune, or improve any AI model — by PitCrew or any third-party model provider in our stack.
Stateless inference
All LLM calls are stateless. No prompt, input, or output is retained by the model provider beyond the duration of the request. Every call starts fresh.
Zero data retention
Customer data is processed in memory during workflow execution and not stored after completion. Data is removed from PitCrew systems upon customer request or per contract terms.
Human in the loop
Agents prepare work and surface outputs for human review. No action is taken on your systems without a person approving it first. Every decision is logged and auditable.
Built on AWS with enterprise-grade controls
PitCrew runs entirely on Amazon Web Services with no physical servers. All infrastructure is cloud-native, monitored continuously, and isolated by environment.
Encryption everywhere
AES-256 encryption at rest via AWS KMS. TLS 1.2+ for all data in transit. No plaintext data paths.
Network isolation
Production runs inside a VPC with private subnets for application and database tiers. Public subnets for load balancers only. Firewall rules enforced by AWS security groups.
Multi-AZ redundancy
Active-standby deployment across two AWS availability zones. Automatic failover. Data replicated synchronously across zones.
Continuous monitoring
Server performance, network traffic, and security events monitored continuously. Vulnerability scans before every production release.
Disaster recovery
Business continuity and disaster recovery plans documented and tested. Service restoration to maximum capacity within defined recovery time objectives.
Access controls
Principle of least privilege enforced. Access credentials issued and reviewed at predefined intervals. MFA required for all employee access to production systems.
Security is an organizational practice, not just a technical one
Request our SOC 2 report
Share your work email and we'll send the full SOC 2 Type II report. Available to prospects and customers with a corporate email address.