Paitho
Trust

Your data.
Your domains. Your keys.

Paitho is built on a simple posture: we touch nothing you don't own. This page lists exactly what we store, where, and for how long.

BYOK by default · Per-customer Docker isolation · Data export anytime · No third-party ad/analytics trackers

Every byte, accounted for.

No hand-waving. Six categories, four columns. If it isn't on this list, we don't store it.

| Data type | Where | Encryption | Retention |
|---|---|---|---|
| Lead records | Postgres · inside your Docker | AES-256 at rest · TLS in transit | indefinite (you delete) |
| LLM provider keys (BYOK) | Encrypted keychain · pgp_sym_encrypt + your PG_PASSPHRASE | AES-256 | until you remove |
| SMTP/IMAP credentials | Encrypted keychain | AES-256 | until you remove |
| Email message bodies (sent + received) | Postgres | AES-256 | indefinite (you delete) |
| LLM prompt + response logs | Postgres · stage_runs | AES-256 | 90 days · then anonymized |
| Audit log (auth + admin actions) | Append-only table | AES-256 | 12 months |

The list that matters most.

Most trust pages skip this section. We lead with it. Because what isn't in the database is the part we can't leak.

  • × Your provider's API responses, raw. We keep token counts only.
  • × Plaintext API keys. Only customer-encrypted ciphertext at rest, ever.
  • × Email content from non-tenant inboxes. We see only what your connected mailbox sends and receives.
  • × Cookies for cross-site tracking. Session cookie only. Same-site, secure.
  • × Browser fingerprints. No canvas, no font, no WebGL fingerprinting.
  • × Your prospects' personal data outside what your CSV provided. We don't enrich without explicit opt-in.

Docker-per-customer. Customer-encrypted Postgres at rest.

Each paying customer runs their own Docker — own app process, own Postgres, own subdomain. Sensitive columns are encrypted at rest with your customer-held PG_PASSPHRASE via pgp_sym_encrypt(). Paitho operates the orchestration layer but does NOT hold your passphrase. Even compelled disclosure of disk images yields ciphertext — Paitho's operations stack architecturally cannot read your data.
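
The column encryption described above, shown with PostgreSQL's pgcrypto extension as an added example that is not Paitho's own code or schema. The table byok_keys, the session setting app.pg_passphrase and every value in it are constructed for illustration.

```sql
-- Added example: hypothetical names and values, not Paitho's schema.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE byok_keys (              -- hypothetical keychain table
    id         bigserial PRIMARY KEY,
    provider   text  NOT NULL,
    secret_enc bytea NOT NULL         -- OpenPGP symmetric ciphertext, never plaintext
);

-- The passphrase is held by the session, not stored in any table.
-- 'app.pg_passphrase' is a constructed custom setting name. If statement
-- logging (log_statement) is enabled, this SET lands in the server log.
SET app.pg_passphrase = 'constructed-example-passphrase';

-- pgcrypto defaults to cipher-algo=aes128, so AES-256 has to be requested
-- explicitly. s2k-mode=3 is the salted, iterated key derivation (the default).
INSERT INTO byok_keys (provider, secret_enc)
VALUES (
    'openai',
    pgp_sym_encrypt(
        'sk-constructed-not-a-real-key',
        current_setting('app.pg_passphrase'),
        'cipher-algo=aes256, s2k-mode=3'
    )
);

-- What a disk image or logical dump contains: an opaque bytea value.
SELECT provider, encode(secret_enc, 'base64') AS stored_ciphertext
FROM byok_keys;

-- Decryption only works in a session that supplies the passphrase.
SELECT provider,
       pgp_sym_decrypt(secret_enc, current_setting('app.pg_passphrase')) AS secret
FROM byok_keys;

-- With a wrong passphrase pgcrypto raises an error instead of returning data:
--   SELECT pgp_sym_decrypt(secret_enc, 'wrong') FROM byok_keys;
--   ERROR:  Wrong key or corrupt data

-- To confirm the cipher actually used, export armor(secret_enc) and read the
-- packet header with `gpg --list-packets` (OpenPGP cipher 9 = AES-256).
SELECT armor(secret_enc) FROM byok_keys;
```

pgcrypto functions execute inside the database server, so the passphrase exists in the Postgres process memory while each call runs; the ciphertext-only guarantee applies to data at rest and to dumps.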

customer browser → {tenant}.paitho.ai → isolated Docker

  • DOCKER: acme.paitho.ai · PG_PASSPHRASE: customer-held
    app + own Postgres · encrypted at rest · own BYOK keychain · own brands
  • DOCKER: beta.paitho.ai · PG_PASSPHRASE: customer-held
    app + own Postgres · encrypted at rest · own BYOK keychain · own brands
  • DOCKER: gamma.paitho.ai (agency) · PG_PASSPHRASE: customer-held
    app + own Postgres · multi-workspace inside {client_a, client_b, client_c} · per-workspace data scope
  • PAITHO-SIDE SHARED: marketplace.paitho.ai + licenses.paitho.ai · billing metadata only · zero customer data

Boundary
Separate containers, separate Postgres processes, separate filesystems, separate encryption keys. Cross-customer access requires a kernel exploit + the target customer's passphrase. Both barriers live outside Paitho's control.
Backups
Per-Docker logical dumps shipped encrypted. Paitho is the courier — Paitho can't read the cargo. Your call where to send them (your S3, your Backblaze, your basement NAS).
Export
docker save | gzip | scp — and you walk away with everything. No vendor lock-in. No support ticket.
Self-host option
Same image runs in your own infra. Available on Enterprise tier today; planned for Agency tier post-GA.

Every vendor we touch your data with.

Short list, on purpose. We add a sub-processor only when there's no defensible alternative. Paitho-side sub-processors that touch your DATA: none. The container model means your lead data, email content, and BYOK keys never leave your Docker. The Paitho-side services below see only billing + license metadata.

| Service | Used for | Notes |
|---|---|---|
| Hosting | Compute, network, encrypted block storage (e.g. Hetzner, OVH, AWS — final selection TBD) | region: EU/US selectable |
| Email transactional | Account verification, password reset, system notifications (Postmark or Resend — TBD) | never used for outbound to your prospects |
| Error tracking | Stack traces, performance metrics — Sentry | self-hosted option for paid tiers |
| LLM providers | Drafting, qualification, audit — OpenAI · Anthropic · Google | BYOK · your accounts, not ours |
| Enrichment providers | Contact enrichment — Apollo · RocketReach · ZoomInfo · IndiaMART · local directories. Only if you enable one. | your provider key · off by default |

Sub-processor changes posted to /changelog 30 days before they take effect.

Where we are. Where we're going.

No badges we haven't earned. No "compliance theater" pages. Just the actual status.

SOC 2 Type 1
in progress

Audit underway with a Big-Four-adjacent firm. Target attestation: Q3 2026.

SOC 2 Type 2
planned

Begins immediately after Type 1 attestation. 6-month observation window.

DPA
available

Standard Data Processing Addendum, including SCCs, on request. Email security@paitho.ai.

GDPR
compliant

Data residency selectable EU or US at workspace creation. DSARs handled in 30 days.

HIPAA
not certified

We are not currently a HIPAA Business Associate. If your outbound touches PHI, talk to us at security@paitho.ai before signing.

Found something? Tell us.

WINDOW: 90-day responsible disclosure. We acknowledge in 48 hours and patch in 90.
CREDIT: Researchers credited in the changelog and on a public hall-of-fame page (opt-in).
BOUNTY: No formal bug bounty yet. Planned for post-SOC2 Type 2.

All systems operational
Real-time uptime, incident history, scheduled maintenance.
status.paitho.ai

Read the Manifesto.
Verify the posture.

Same posture, two documents. The Manifesto explains why. This page proves how.