Security

How Pitlane keeps your shop’s data safe.

The honest list of every meaningful technical control that protects your shop’s data, your customers’ data, and the AI prompts your team sends through PitCrew. Updated when anything changes — never as marketing copy, only as documentation.

Technical controls

The six controls that matter most.

Every SaaS tool ships the same marketing-page list (“encrypted! cloud-native! SOC 2 ready!”). Here’s what actually exists in the code.

Row-level data isolation per shop

Every database read and write goes through a Prisma tenant-scoped extension that injects the current shop's ID into every query. A bug that would normally cross-contaminate data between shops fails closed at the query layer instead.
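What a fail-closed tenant scope looks like in code, as an added example that is not Pitlane's own implementation: it has the shape of a Prisma client-extension `$allOperations` hook, but runs here against constructed query args and constructed rows so it executes without a database. The `shopId` column name, the `currentShopId()` helper and the `Vehicle` rows are assumptions.

```javascript
// Added example (not Pitlane's code): tenant scoping in the shape of a Prisma
// client-extension $allOperations hook, run here against constructed query args
// so it executes without a database. `shopId` is the assumed tenant column.
const TENANT_FIELD = 'shopId';

// Operations whose `where` clause must carry the tenant filter.
const FILTERED = new Set([
  'findMany', 'findFirst', 'findUnique', 'count',
  'update', 'updateMany', 'delete', 'deleteMany',
]);

function scopeToTenant(shopId, operation, args = {}) {
  // Fail closed: missing tenant context means no query at all, never an unfiltered one.
  if (typeof shopId !== 'string' || shopId.length === 0) {
    throw new Error(`tenant scope missing for ${operation}`);
  }
  const scoped = { ...args };
  if (operation === 'create') {
    // Spread args first so a caller-supplied shopId is overwritten, not honored.
    scoped.data = { ...(args.data || {}), [TENANT_FIELD]: shopId };
  } else if (operation === 'createMany') {
    scoped.data = (args.data || []).map((row) => ({ ...row, [TENANT_FIELD]: shopId }));
  } else if (FILTERED.has(operation)) {
    scoped.where = { ...(args.where || {}), [TENANT_FIELD]: shopId };
  } else {
    // Anything this hook does not know how to scope (e.g. upsert) is refused outright.
    throw new Error(`operation ${operation} is not tenant-scoped; refusing`);
  }
  return scoped;
}

// Where this would sit in Prisma (shape only; needs a real PrismaClient, so not run here):
// prisma.$extends({ query: { $allModels: { async $allOperations({ operation, args, query }) {
//   return query(scopeToTenant(currentShopId(), operation, args));
// } } } });

// Constructed rows standing in for a `Vehicle` table, to show the filter taking effect.
const ROWS = [
  { id: 1, shopId: 'shop_a', plate: 'AAA111' },
  { id: 2, shopId: 'shop_b', plate: 'AAA111' },
];

function findManyScoped(shopId, args) {
  const { where } = scopeToTenant(shopId, 'findMany', args);
  return ROWS.filter((row) => Object.entries(where).every(([k, v]) => row[k] === v));
}
```

Note the two constructed rows share a plate: a query written only as `where: { plate }` would return both shops' vehicles, which is exactly the cross-contamination the injected filter prevents.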

Encryption at rest and in transit

Supabase Postgres encrypts data at rest. All web traffic is HTTPS-only and forced to TLS 1.2+; HSTS is set on every response. Twilio per-shop credentials are encrypted with AES-256-GCM before they hit the database.

Auth handled by Supabase

Pitlane never stores passwords. Authentication is delegated to Supabase Auth, which stores credentials with bcrypt (cost factor 10) inside the managed Supabase Postgres instance. Sessions use short-lived JWTs (1 hour) plus a rotating refresh token in HttpOnly cookies.

Zero-retention AI prompts

PitCrew AI calls the Anthropic API in zero-retention mode — prompts and completions aren't stored or used for model training. Your shop's customer data, RO notes, and review-reply drafts never become anyone's training set.

Carrier-registered SMS (A2P 10DLC)

Two-way SMS runs over Twilio with carrier-registered A2P 10DLC brand and campaign approvals at the shop level. STOP / HELP keywords are auto-handled and unsubscribes are honored across the shop's number per TCPA requirements.

Strict CSP with nonce-only scripts

Every HTML response carries a per-request CSP nonce; only scripts stamped with that nonce execute. The script-src directive forbids 'unsafe-inline' and 'unsafe-eval'. XSS bypasses that work on most SaaS apps don't reach the browser here.

Your data, your call.

Vendor lock-in is a security risk in itself. Every Pitlane account has the same four rights, the same way, in one click.

Export everything

Settings → Account → Export. One-click ZIP of every contact, vehicle, service record, estimate, invoice, payment, review, message, and template — across 21 CSVs. Streams to your browser; the database isn't touched on the read path.

Cancel and delete

Cancel from Settings → Billing in one click. Access continues through the end of the billing period, then your data is permanently deleted from production. Backups roll off within 30 days. No retention pressure, no save-the-account workflow.

We don't sell or share data

Pitlane has zero ad-data partners and zero data-broker relationships. Your customer list is your customer list; we don't enrich it, sell it, or syndicate it. The privacy policy is the operative document.

Audit log of sensitive actions

Login, password change, data export, account deletion, billing change, MFA enrollment, and API key creation all write audit records. Visible in Settings → Account.

Found a vulnerability?

Email support@usepitlane.com with the details. Critical issues get acknowledged within 24 hours and a fix timeline within 72 hours. We don’t run a bounty program yet — when shops on Pitlane reach the size where one is justified, we’ll launch one. Until then, responsible disclosure gets a written thank-you and credit in the commit message.

Please don’t test against production data without permission. Shops trust us with their customer lists; a blind pen test against the live database isn’t the right path. Email first, and we’ll set up a sandbox.

Questions shop owners actually ask.

Is Pitlane SOC 2 compliant?

Pitlane runs on SOC 2 Type II–compliant infrastructure (Vercel for compute and edge, Supabase for the database, AWS for the underlying VPC). Pitlane's own SOC 2 audit is on the roadmap as customer demand reaches the size that justifies the audit cost. The technical control inventory is on this page; the audit log of what shipped when lives in the trial dashboard once you're signed in.

Where does my data live?

Inside the United States. The Pitlane application runs on Vercel's US-based regions; the database runs on a Supabase project in us-east-1. Backups stay in-region. There is no offshore data processor in the path.

How is PitCrew AI not training on my shop's data?

PitCrew calls the Anthropic API with the zero-retention configuration enabled at the workspace level. Anthropic's documented commitment for zero-retention API traffic is that prompts and completions are not retained beyond the request lifecycle and are not used for model training. We pass user prompts and shop-context strings; we don't send credentials, payment details, or PII beyond what's necessary for the writing task.

What happens if Pitlane gets breached?

The disclosure plan: identify the scope, notify affected shops within 72 hours of confirming the breach, then send a public post-mortem within two weeks describing what happened and what changed. We follow the standard notification timeline most state-level breach laws require, applied across all shops regardless of state.

What about HIPAA?

Pitlane is for auto repair shops, which are not HIPAA-covered entities. We don't sign BAAs and we don't market into healthcare. Customer health information shouldn't flow through Pitlane — and there's no shop workflow where it should.

See the controls run on your real data.

30 days, no credit card. The strongest security signal is watching the controls work on your own shop’s customer list — not reading about them.