Security

Built for the AEs who can’t afford to leak data.

Sales conversations contain your most sensitive information: pricing, pipeline, and everything a competitor would love to read. Jake is designed so none of that leaks - to models, to other customers, or anywhere else.

Your data never trains a model

Jake uses the Anthropic API exclusively for inference - generating a result for you, then discarding the context. Every call is to messages.create; no fine-tuning, no training datasets, no model-improvement pipelines. We verified this in code: the codebase contains zero calls to any training or fine-tuning API.

This matters because your deals contain commercial terms, customer pain points, and competitive intelligence. None of that should end up in a shared model. Under our agreement with Anthropic, your data is not retained after the API call returns.

Read-only on your CRM and inbox

Jake requests the minimum OAuth scopes necessary to read your pipeline and conversations - nothing more. No write access is requested unless you explicitly approve an update.

Gmail

gmail.readonly

Outlook (Microsoft Graph)

Mail.Read, User.Read, offline_access

Salesforce

api, refresh_token, offline_access (read-only usage)

HubSpot

crm.objects.deals.read, crm.objects.contacts.read, crm.objects.companies.read, crm.schemas.deals.read

Pipedrive

deals:read, contacts:read, recents:read

Slack (outbound only)

chat:write, im:write, users:read

Row-level database security

Every table is protected by row-level security enforced in the database itself, not just in application code. A bug in the app cannot expose another rep’s deals - the data layer rejects the query before it executes.

  • AEs read and write only their own deals, MEDDPICC, and transcripts
  • Managers get read-only visibility into their team - nothing beyond it
  • Accounts are team-scoped; deals are individual-scoped
  • Service-role database access is restricted to three explicit paths: the digest cron, integration syncs, and platform admin routes - each of which auth-checks the caller before bypassing RLS

Audit trail and GDPR

Every time a platform administrator views an account on your behalf, it is recorded in an immutable audit log - who accessed, when, and why. The log cannot be edited or deleted from the application.

  • Data hosted in EU/UK infrastructure
  • Account deletion: data removed within 24 hours of a written request to hello@tryjake.com
  • Right to access and portability available on request
  • Security contact: security@tryjake.com

SOC-2 status: in progress

We are not yet SOC-2 Type II certified and will not claim otherwise. The controls that underpin it - security headers (HSTS, frame-denial, MIME-sniffing protection), rate limiting on public endpoints, impersonation audit logging, and row-level security - are all live in production. The formal audit process is on the roadmap for later this year.

If you need SOC-2 reports today for a procurement process, reach out to security@tryjake.com and we will share what we have and where we stand.

Application hardening

Security headers

HSTS, X-Frame-Options: DENY, X-Content-Type-Options, strict referrer policy - all live on every route.

Rate limiting

Fixed-window limits on public endpoints (5/hr per IP, 200/hr global). Auth routes use Supabase magic-link OTP.

Encrypted in transit and at rest

All traffic is TLS-only. Supabase enforces encryption at rest for all stored data including integration tokens.

OAuth state binding

Every connector OAuth flow uses an HMAC-signed, 10-minute state token with identity binding - a forged callback for a different user is rejected.

Questions about our security posture?

If you are running a procurement process or security review, contact us directly. We will provide the evidence you need.

Contact security@tryjake.com