// Trust & Security Report

    Pitch Software GmbH logo

    Pitch Software GmbH

    Pitch: cloud presentation/slide-design workspace with Free, Plus, Team, and Business tiers, plus an AI feature (Pitch Agent) that generates on-brand slides from prompts. A public API is announced but not yet released (waitlist only at time of review).

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture)
    HELD

    "We are committed to follow and implement all the guidelines and recommendations from GDPR with regards to all the data and information we handle, process, and store." Pitch also names a Data Protection Officer (dpo@pitch.com), a Data Protection Handbook, staff GDPR training, and a pre-signed DPA with a documented sub-processor list.

    Verify on pitch.com
    > Show 7 unconfirmed / not-held certifications
    SOC 2 (Type I/II)
    NOT CONFIRMED

    no public evidence: Pitch's own Security Policy page (pitch.com/security-policy) describes TLS, AES-256 encryption, AWS hosting, and backup practices but makes no mention of a SOC 2 report or audit

    source: pitch.com
    ISO 27001
    NOT CONFIRMED

    no public evidence: not referenced on pitch.com/security-policy, pitch.com/gdpr, pitch.com/privacy-policy, or pitch.com/dpa

    source: pitch.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    no public evidence: no AI-governance certification mentioned anywhere on pitch.com's security, privacy, or DPA pages, despite Pitch actively marketing AI features (Pitch Agent)

    source: pitch.com
    HIPAA
    NOT CONFIRMED

    no public evidence: not referenced on any vendor-domain legal/security page reviewed

    source: pitch.com
    PCI DSS
    NOT CONFIRMED

    no public evidence: not referenced on any vendor-domain legal/security page reviewed; payment processing is not described as in-house

    source: pitch.com
    FedRAMP
    NOT CONFIRMED

    no public evidence: not referenced on any vendor-domain page; Pitch's hosting is described only as 'Amazon AWS, hosted in European regions' with no FedRAMP-relevant government cloud claim

    source: pitch.com
    CSA STAR
    NOT CONFIRMED

    no public evidence: not referenced on any vendor-domain page reviewed

    source: pitch.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Primary hosting in AWS eu-west-1 (Ireland) per the Security Policy and GDPR pages; the Privacy Policy separately states some processing occurs via 'service providers in the United States' under EU Standard Contractual Clauses, which is not fully reconciled with the EU-only hosting claim.

    Pitch's privacy policy confirms it uses 'tools based on large language models such as generative pre-trained transformer models ("GPT") that may be used for presentation generation, automatically annotating slide data, and converting images,' with the DPA's sub-processor list naming OpenAI OpCo LLC and Anthropic PBC as AI/ML sub-processors. Neither the privacy policy, GDPR page, nor DPA explicitly states whether customer presentation content is used to train underlying models, and no opt-out toggle or setting is documented on any public vendor page reviewed. Treat as unconfirmed rather than assume either way.

    // Security controls

    Encryption in transit

    All communications with Pitch servers use TLS; the domain is on the HSTS Preload list to force HTTPS.

    pitch.com

    Encryption at rest

    AWS AuroraDB and S3 configured with AES-256 encryption for all data at rest.

    pitch.com

    Data hosting region

    Amazon Web Services, servers located in Ireland (eu-west-1 region).

    pitch.com

    Backups

    Daily database backups retained up to 30 days, with regular recovery-exercise testing.

    pitch.com

    Vulnerability testing

    Semi-automated scanning (e.g. Burp Suite) run against new features.

    pitch.com

    Authentication

    Password/auth handling delegated to Auth0; Google OAuth sign-in is 'verified and trusted by Google.'

    pitch.com

    Sub-processor transparency

    13 named sub-processors disclosed (incl. AWS, Auth0, SendGrid/Twilio, WorkOS, OpenAI, Anthropic, fal, Algolia, MagicBell, Pusher, Mux, Imgix) with a 14-day change-notification process.

    pitch.com

    // Products & data scope

    Pitch FreePresentation creation (individual/small team)

    data: User account profile, presentation content, usage data in the shared cloud workspace.

    Unlimited presentations on the free tier; same infrastructure/security posture as paid tiers.

    Pitch Plus / Team / BusinessPresentation creation (team/enterprise, seat-based)

    data: Same data categories as Free, plus brand libraries, shared templates, viewer/engagement analytics on shared decks, and (Business) custom deal rooms.

    Pricing scales by seat count and plan; no distinct security tier disclosed for Business vs lower tiers on public pages.

    Pitch Agent (AI slide generation)Generative AI feature

    data: User prompts and possibly presentation/brand content are processed by GPT-based models via third-party sub-processors (OpenAI, Anthropic).

    Whether this content is retained or used for model training is not publicly documented; treat as an open question, not a confirmed no.

    Pitch APIIntegration/API

    data: Not yet available - homepage lists it as 'API coming soon' with an interest waitlist.

    Cannot be assessed for security posture until released; do not list as a current capability.

    // What to watch

    • Over-claim risk: third-party aggregator Nudge Security (security-profiles.nudgesecurity.com, not a vendor page) lists Pitch as 'SOC 2, PCI, HIPAA, GDPR, ISO 27001, FedRAMP, and CSA STAR Level 1 Compliant' with no supporting evidence, citation, or methodology disclosed. This directly contradicts Pitch's own Security Policy, Privacy Policy, GDPR, and DPA pages, none of which mention any of these certifications. Do not surface these badges on AIFOXX based on that source.
    • AI training posture on customer data is not publicly confirmed or denied by the vendor despite active AI feature marketing (Pitch Agent) and OpenAI/Anthropic being disclosed sub-processors.
    • Minor data-region inconsistency between the Security Policy/GDPR page (EU-only, Ireland) and the Privacy Policy (references US-based service providers under SCCs) - not necessarily wrong, but not reconciled in vendor copy.
    • Public API is pre-launch ('coming soon'), so no API-specific security/data-handling terms exist yet to assess.

    // At a glance

    Pricing model

    Freemium with paid Plus/Team/Business seat-based subscription tiers (monthly or annual billing).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Pitch Software GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    pitch.com

    > Browse all vendor trust reports