Security is very important to Pitch and everyone here is doing their best to keep your presentations and data secure. This document describes our internal security policies and how those translate into creating a secure platform that you can trust.
You can read our Data Processing Agreement in full as a recap.
We are committed to follow and implement all the guidelines and recommendations from GDPR with regards to all the data and information we handle, process, and store at Pitch.
All of Pitch infrastructure runs in Amazon AWS, hosted in European regions. You can find more information about AWS security practices on their cloud security page.
We use different Amazon AWS services, such as AuroraDB and S3, and we configured them to use AES-256 encryption for all data at rest.
We like to keep our data organized, and for that we created different categories on which all Pitch's data needs to be categorized. The categories define who can access it and which level of monitoring they receive:
All communications with Pitch servers is done over TLS. We do this so no one can eavesdrop on communications between your machine and our application. To ensure the maximum protection for every user, we have added our domain to the HTST Preload list, which will ensure browsers do not connect to our application if it is not over HTTPS.
At Pitch we inspect closely any code before it is release. Our developers inspect the logic and information flows of each new feature to ensure no security vulnerabilities are introduced. But because humans aren't perfect we also write tests to ensure the application does not behave in an unexpected way.
We also run semiautomatic scanning tools, like Burp Suite, for new features to find any security problems.
We partner with Auth0 for the authentication of our users. They offer a robust solution to ensure our users' passwords are stored securely and an OAuth solution so users can sign in with their Google accounts. Read more about it here: https://auth0.com/security
To not reinvent the wheel, we use third-party libraries to make our application better every day. Of course, it is never as simple as using a component and then forgetting about it, so at Pitch we review and monitor our third-party components for known vulnerabilities using automatic systems like Dependabot. Each report is analyzed and acted on based on the criticality of the vulnerability, with a response time from one day for critical vulnerabilities to eight days for medium risk vulnerabilities (as defined by their CVSS score).
Inside our Amazon AWS infrastructure we segment our network into different areas, decoupling our production environments from our testing and development environments.
We use Datadog monitoring services to alert us on any anomalous behaviour in our infrastructure. We also use Amazon AWS Cloudtrail to monitor any suspicious activity within our backend systems.
As listed in our website, we have integrations with other services so the experience at Pitch gets enriched. You can verify in that page their respective licenses.
For our Google integrations we follow their security requirements for OAuth API and our solution is verified and trusted by Google.
Our systems monitor for anomalous and suspicious activity across the different systems we use to run the platform. These events are fed into a central dashboard that provides us with an overview of how every component is behaving and alerts us if a problem is detected.
Each and every incident at Pitch goes through the same rigorous internal incident management process. This allows us to ensure no stone is left unturned and the root cause of the incident is resolved. The process also describes how to escalate and communicate these incidents to the different parties involved.
We maintain and regularly update an internal Threat Model of our infrastructure, assets, and application. We define the type of data and risk that each component is exposed to and how we protect these. This help us in segregating our infrastructure and maintaining a minimum access policy approach.
Pitch's infrastructure is built on top of Amazon AWS and we use their services to generate daily backups for our database that are then retained for up to 30 days. To ensure data recovery process is working as intended, we execute data recovery exercises regularly.
We perform periodic risk analysis and assessments to ensure that our information security policies and practices meet the requirements and applicable regulatory obligations.
We always appreciate when Pitch users and security researchers contact us regarding security vulnerabilities. You can reach us at firstname.lastname@example.org and read our full policy at Security Vulnerability Disclosure Policy.
Absolutely! While the Pitch application is written mostly with Clojure, we use lots of more widely-known libraries and languages (e.g. React.js) as well. Every engineer who joins without prior knowledge of Clojure can expect extensive mentorship, time, and resources to learn Clojure and our codebase before diving into the deep-end.
Yes, of course. Pitch wants to hire the best and brightest regardless of where they're based geographically. On occasion, teams have a preference for candidates whose working hours overlap with the rest of their team, but there is always flexibility.
No. While we do have an office in Berlin, physical presence there is 100% optional.
Absolutely, feel free to submit a speculative application.
We do our best to get back to all applicants within one week of their applications. That being said, the application review process has lots of moving parts and depends on the availability of our hiring teams, holidays, and other unpredictable factors. We do our best, but appreciate your patience if it takes >1 week to respond to you.
Given the high volume of applications we receive, it's not possible for us to give tailored feedback to candidates who aren't selected for first-stage interviews. If you do progress beyond the first-stage interview, however, we try to give specific, tailored feedback should there not be a fit.
The typical Pitch interview processes consists of the following steps, all of which are conducted remotely.
We process and store all data in accordance with GDPR standards. You can request to have your data deleted at any time after applying and we will action this request within 1-2 days.
The average recruitment process lasts between 4-5 weeks to get through all the stages, although there's some variability depending on availability on both the hiring team and candidate side.
The short answer is 'no'. We practice asynchronous communication.
Yes, one might miss having the office as an anchor, or the occasional water-cooler chat with colleagues. But 100% remote work doesn't have to be disengaged and disconnected! At Pitch, we put a lot of emphasis on connecting (not just about work!) through virtual coffee chats, catch-ups via Zoom (as and when needed)... and Slack shenanigans. Additionally, we are big fans of team offsites, yearly company get togethers, and Weekly Bulletins (our async alternative to All-Hands). We believe remote working empowers you to work autonomously and flexibly on something you believe in, and your colleagues are only a Slack away for a second opinion, cheering up, and various meme shenanigans.