Your data. Protected like ours.
We built Optimize Pilot to sell into the mid-market and up. That means your security team signs off before your marketing team does. Here's every answer they need — plus the SOC 2 report, the DPA, and the subprocessor list.
The four pillars.
Your data, encrypted end-to-end.
- TLS 1.3 for all data in transit — no exceptions.
- AES-256 encryption at rest across every primary datastore.
- Keys rotated every 90 days and managed via AWS KMS.
- Zero-knowledge architecture for customer test data — we cannot decrypt without your keys.
Least privilege, always.
- SSO (SAML 2.0) on Performance and Enterprise tiers.
- Role-based access: Owner / Admin / Member / Report Recipient.
- Magic-link auth by default — no shared passwords.
- MFA available on all tiers; required on Performance and above.
Every action logged. Every action reversible.
- Full audit log of every user and API action, retained 24 months.
- MCP attestation signatures on every autonomous AI action.
- Immutable event log — exportable for SIEM / compliance review.
- Role changes, data exports, and API key creation trigger an email to the Owner.
Under an hour to acknowledge.
- 24/7 on-call engineer rotation for Sev-1 incidents.
- Initial acknowledgement within 60 minutes of detection.
- Customer notification within 24 hours of a confirmed data incident.
- Post-incident report published within 5 business days.
The full list.
Every third party that touches customer data, why they touch it, and where they operate. Changes are posted 30 days before taking effect.
Choose where your data lives.
- United States: us-east-1 (primary), us-west-2 (failover)
- European Union: eu-west-1 (Ireland) · Available on Performance + Enterprise
- Enterprise custom: ap-southeast-2, eu-central-1, or on request · Enterprise only
What procurement needs.
- SOC 2 Type II report: request via email — mutual NDA required. Turnaround: one business day.
- Data Processing Addendum (DPA): auto-executed for EU / UK customers. Available on request elsewhere.
- Security whitepaper: 18-page deep-dive on our architecture, policies, and controls.
- Privacy policy: plain-language description of what we collect, why, and how you control it.
Questions we answer weekly.
Can we get your SOC 2 Type II report?
Yes. Request via hello@optimizepilot.com — we require a mutual NDA before sharing. Typical turnaround: one business day.
Do you sign BAAs for healthcare customers?
Yes, on Performance and Enterprise tiers. We do not currently host PHI in Launch or Growth tiers.
Do you offer a Data Processing Addendum (DPA)?
Yes — our standard DPA is auto-executed for EU / UK customers and available on request for all others.
Can we run a penetration test against your service?
Enterprise customers can run authorized pen tests with 14-day notice. Results are reviewed jointly; remediation commitments are contractually guaranteed.
Where is customer data stored?
US by default. EU residency available on Performance + Enterprise. Data never leaves the region you select.
Do AI vendors see our prompts / data?
We route through enterprise AI plans that prohibit training on customer data (Anthropic Zero Data Retention, OpenAI Enterprise). PII is redacted from prompts before they leave our infrastructure.
How do I request a data export or deletion?
Owner-tier users can export or delete via Settings → Data. GDPR / CCPA subject requests are processed within 30 days — email privacy@optimizepilot.com.
Do you publish a status page?
Yes — optimizepilot1.statuspage.io. Subscribe to incident + maintenance notifications via email or RSS.
Get the SOC 2 report. Get it today.
hello@optimizepilot.com · one business day turnaround. Mutual NDA first.