Changelog
This page records material changes to Sales Triage Security and Transparency documentation and related security controls.
June 2026
Multi-Factor Authentication Implemented
Multi-factor authentication is now enabled for every platform user and enforced at sign-in, including for administrators:
- each user completes a second step with an authenticator app (Authy, Google Authenticator or Microsoft Authenticator) or a one-time code sent to their registered email
- users cannot disable multi-factor authentication on their own account
- the multi-factor system runs on our own infrastructure, not a separate third-party authentication service, and each user's authenticator secret is stored encrypted at rest
- moved multi-factor authentication from Planned to Implemented on the continuous improvement plan, updated the Security Controls page and control summary, and answered the related due-diligence question
- updated the Terms Annex C measures summary to list multi-factor authentication as in place (Terms v3.3.1)
Discontinued Chrome Extension Removed from Documentation
The Sales Triage Chrome extension has been discontinued and is no longer offered. Removed all references to it so the documentation reflects what we actually provide:
- removed the Chrome extension question from Questions Clients Have Asked
- removed the Chrome extension section from the Privacy Policy (and its mention in the scope and the Terms "Platform Services" definition), renumbering the remaining policy sections
Honesty Corrections After a Client Security Review
Following a client due diligence review, corrected and added content so the pages match what is actually built:
- export and deletion: replaced an implied automated "export for 30 days then delete" with the honest position (founder-assisted on request today; self-serve export and automated deletion are on the improvement plan), and added a direct "how is my data deleted" answer
- added an Article 28 / data processor answer pointing to the Data Processing Terms
- added a Logging and Monitoring section distinguishing the operational/activity logging that exists from the security alerting and login audit trail that do not yet exist
- strengthened Incident Response to address breach detection, not only notification, and the processor-to-controller notification duty
- added planned improvements for self-serve export, automated account deletion, country-restricted (for example UK-only) access, and a login/access audit trail with security alerting
Suppliers and Infrastructure Updated
- added Bunny.net as a subprocessor for hosting and streaming video messages
- added Exa as a subprocessor for company discovery and news research
- moved offsite backups from Dropbox to UK-hosted Microsoft OneDrive, so backup copies are now held in the United Kingdom
- added Fasthosts (UK hosting) and Microsoft OneDrive (UK offsite backup) to the subprocessor list, so the providers that hold platform data are disclosed alongside the other subprocessors rather than in a separate table
Encryption Position Clarified
- clarified that stored API credentials and integration secrets are encrypted at rest using AES-256-GCM
- documented that full-database encryption at rest is not yet enabled
- documented that stored OAuth mailbox and calendar tokens are not yet encrypted at the field level, and added both items to the improvement plan
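The two entries above that mention encryption at rest (the multi-factor authenticator secret, and API credentials and integration secrets under AES-256-GCM, with OAuth tokens to follow) describe the same control: field-level authenticated encryption of one secret column value before it is written to the database. The Go program below is an added illustration of that control and is not Sales Triage's own code; the row/column binding string `users:42:totp_seed`, the key-handling comment and the function names are assumptions, and the TOTP parameters are the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits). It shows what GCM's associated data buys you: the same ciphertext moved into another user's row, or decrypted under another key, is rejected rather than silently returned, and the decrypted seed is then used to verify a sign-in code in constant time with one step of clock skew either side.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"time"
)

// ErrAEAD: ciphertext, key or record binding (AAD) did not verify; say no more to the caller.
var ErrAEAD = errors.New("field decryption failed")

// EncryptField seals one secret column value (TOTP seed, OAuth token, API credential)
// with AES-256-GCM. aad binds the ciphertext to its row and column, so a value copied
// into another user's row will not decrypt there. Stored form: base64(nonce||ct||tag).
func EncryptField(key []byte, plaintext, aad string) (string, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit nonce per encryption: GCM is
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // only safe while (key, nonce) never repeats
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; the same aad must be supplied.
func DecryptField(key []byte, encoded, aad string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return "", ErrAEAD
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return "", ErrAEAD // tag mismatch: tampered, wrong key or wrong row binding
	}
	return string(pt), nil
}

// totp is RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits, for one step counter.
func totp(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // RFC 4226 dynamic truncation
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// VerifyTOTP decrypts one user's stored seed and accepts the current step or one either side (skew), comparing in constant time.
func VerifyTOTP(key []byte, storedSeed, aad, code string, now time.Time) (bool, error) {
	seed, err := DecryptField(key, storedSeed, aad)
	if err != nil {
		return false, err
	}
	step := uint64(now.Unix() / 30)
	for _, c := range []uint64{step - 1, step, step + 1} {
		if hmac.Equal([]byte(totp([]byte(seed), c)), []byte(code)) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	key := make([]byte, 32) // hypothetical key; in production it lives in a KMS or outside the database
	rand.Read(key)
	aad := "users:42:totp_seed"                                 // hypothetical row:column binding
	stored, _ := EncryptField(key, "12345678901234567890", aad) // constructed seed (RFC 6238 test secret)
	now := time.Now()
	ok, err := VerifyTOTP(key, stored, aad, totp([]byte("12345678901234567890"), uint64(now.Unix()/30)), now)
	fmt.Println("code accepted:", ok, err)
	_, err = DecryptField(key, stored, "users:43:totp_seed") // same ciphertext under another user's row
	fmt.Println("swapped-row decrypt rejected:", err == ErrAEAD)
}
```

Two caveats a reviewer would check against any implementation of this control: the data-encryption key must not live in the same database as the ciphertext (otherwise a database dump still yields the secrets), and GCM nonces must never repeat under one key, which the random 96-bit nonce above satisfies as long as the number of encryptions per key stays far below 2^32. Rotating the key means re-encrypting every stored value, so keeping a key identifier alongside the ciphertext is worth adding before the OAuth token columns are brought under the same scheme.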
Initial Security and Transparency Pages Created
Created the initial public Security and Transparency content covering:
- current beta hosting position
- UK hosting on Fasthosts virtual server
- current application and database architecture
- HTTPS/TLS
- backup approach
- production access
- AI processing
- supplier and subprocessor list
- current limitations
- continuous improvement plan
- client due diligence questions
Current Beta Limitations Documented
Publicly documented current beta limitations including:
- no full-database encryption at rest yet
- no encryption of stored OAuth tokens yet
- no MFA yet
- no separate staging environment yet
- no independent penetration testing yet
- no ISO 27001, SOC 2 or Cyber Essentials certification yet
Continuous Improvement Plan Added
Added a public improvement plan covering priority items including:
- full-database encryption at rest
- encryption of stored OAuth tokens
- MFA
- staging environment
- backup restore testing
- documented RPO/RTO
- incident response documentation
- infrastructure resilience
- independent penetration testing