// Trust & Security Report
Pitch Software GmbH
Pitch: cloud presentation/slide-design workspace with Free, Plus, Team, and Business tiers, plus an AI feature (Pitch Agent) that generates on-brand slides from prompts. A public API is announced but not yet released (waitlist only at time of review).
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on pitch.com“"We are committed to follow and implement all the guidelines and recommendations from GDPR with regards to all the data and information we handle, process, and store." Pitch also names a Data Protection Officer (dpo@pitch.com), a Data Protection Handbook, staff GDPR training, and a pre-signed DPA with a documented sub-processor list.”
> Show 7 unconfirmed / not-held certifications
source: pitch.comno public evidence: Pitch's own Security Policy page (pitch.com/security-policy) describes TLS, AES-256 encryption, AWS hosting, and backup practices but makes no mention of a SOC 2 report or audit
source: pitch.comno public evidence: not referenced on pitch.com/security-policy, pitch.com/gdpr, pitch.com/privacy-policy, or pitch.com/dpa
source: pitch.comno public evidence: no AI-governance certification mentioned anywhere on pitch.com's security, privacy, or DPA pages, despite Pitch actively marketing AI features (Pitch Agent)
source: pitch.comno public evidence: not referenced on any vendor-domain legal/security page reviewed
source: pitch.comno public evidence: not referenced on any vendor-domain legal/security page reviewed; payment processing is not described as in-house
source: pitch.comno public evidence: not referenced on any vendor-domain page; Pitch's hosting is described only as 'Amazon AWS, hosted in European regions' with no FedRAMP-relevant government cloud claim
source: pitch.comno public evidence: not referenced on any vendor-domain page reviewed
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Primary hosting in AWS eu-west-1 (Ireland) per the Security Policy and GDPR pages; the Privacy Policy separately states some processing occurs via 'service providers in the United States' under EU Standard Contractual Clauses, which is not fully reconciled with the EU-only hosting claim.
Pitch's privacy policy confirms it uses 'tools based on large language models such as generative pre-trained transformer models ("GPT") that may be used for presentation generation, automatically annotating slide data, and converting images,' with the DPA's sub-processor list naming OpenAI OpCo LLC and Anthropic PBC as AI/ML sub-processors. Neither the privacy policy, GDPR page, nor DPA explicitly states whether customer presentation content is used to train underlying models, and no opt-out toggle or setting is documented on any public vendor page reviewed. Treat as unconfirmed rather than assume either way.
// Security controls
Encryption in transit
All communications with Pitch servers use TLS; the domain is on the HSTS Preload list to force HTTPS.
pitch.comEncryption at rest
AWS AuroraDB and S3 configured with AES-256 encryption for all data at rest.
pitch.comBackups
Daily database backups retained up to 30 days, with regular recovery-exercise testing.
pitch.comAuthentication
Password/auth handling delegated to Auth0; Google OAuth sign-in is 'verified and trusted by Google.'
pitch.comSub-processor transparency
13 named sub-processors disclosed (incl. AWS, Auth0, SendGrid/Twilio, WorkOS, OpenAI, Anthropic, fal, Algolia, MagicBell, Pusher, Mux, Imgix) with a 14-day change-notification process.
pitch.com// Products & data scope
data: User account profile, presentation content, usage data in the shared cloud workspace.
Unlimited presentations on the free tier; same infrastructure/security posture as paid tiers.
data: Same data categories as Free, plus brand libraries, shared templates, viewer/engagement analytics on shared decks, and (Business) custom deal rooms.
Pricing scales by seat count and plan; no distinct security tier disclosed for Business vs lower tiers on public pages.
data: User prompts and possibly presentation/brand content are processed by GPT-based models via third-party sub-processors (OpenAI, Anthropic).
Whether this content is retained or used for model training is not publicly documented; treat as an open question, not a confirmed no.
data: Not yet available - homepage lists it as 'API coming soon' with an interest waitlist.
Cannot be assessed for security posture until released; do not list as a current capability.
// What to watch
- Over-claim risk: third-party aggregator Nudge Security (security-profiles.nudgesecurity.com, not a vendor page) lists Pitch as 'SOC 2, PCI, HIPAA, GDPR, ISO 27001, FedRAMP, and CSA STAR Level 1 Compliant' with no supporting evidence, citation, or methodology disclosed. This directly contradicts Pitch's own Security Policy, Privacy Policy, GDPR, and DPA pages, none of which mention any of these certifications. Do not surface these badges on AIFOXX based on that source.
- AI training posture on customer data is not publicly confirmed or denied by the vendor despite active AI feature marketing (Pitch Agent) and OpenAI/Anthropic being disclosed sub-processors.
- Minor data-region inconsistency between the Security Policy/GDPR page (EU-only, Ireland) and the Privacy Policy (references US-based service providers under SCCs) - not necessarily wrong, but not reconciled in vendor copy.
- Public API is pre-launch ('coming soon'), so no API-specific security/data-handling terms exist yet to assess.
// At a glance
Pricing model
Freemium with paid Plus/Team/Business seat-based subscription tiers (monthly or annual billing).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Pitch Software GmbH's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
pitch.com