Last updated: April 20, 2026

Security at Catch

Catch reads your team’s email, calendar, and CRM data to extract the commitments your reps make to customers and surface where execution breaks down. Catch is designed for revenue execution workflows; we ingest only the systems and content required to identify commitments and track follow-through. Because we analyze your content, we cannot end-to-end encrypt it. No AI product that analyzes customer data can. What we can do is make access to your data rare, controlled, logged, and revocable. This page explains how, in plain language, without the marketing phrases that tend to collect on security pages.

If you have a question that isn’t answered here, email security@usecatch.io.

Security at a glance

  • TLS 1.2+ in transit
  • AES-256 encryption at rest
  • OAuth credentials additionally encrypted at the application layer before storage
  • Multi-factor authentication required for production access; hardware security keys on highest-privilege accounts
  • Workspace isolation enforced via workspace identifiers and database row-level security, designed to prevent cross-workspace access even if application logic fails
  • Connector disconnection with token revocation for supported OAuth integrations
  • 72-hour incident notification commitment
  • Customer data stored in the United States
  • LLM processing via Anthropic; customer content is not used to train AI models, by Anthropic, by Catch, or by any third party

What data we collect

When you connect Catch to your workflow, we ingest:

  • Email from connected Gmail or Microsoft 365 accounts: metadata (sender, recipient, timestamps, subject lines) and message bodies
  • Calendar events: meeting titles, attendees, times, descriptions
  • Call transcripts: if you connect a call recording tool (Gong, Chorus, Zoom, Fathom, or similar)
  • Slack messages: if you connect Slack, messages in channels you grant access to
  • CRM deal data from HubSpot, Salesforce, or other connected CRMs: deal names, amounts, stages, contacts
  • Workspace metadata: the users in your workspace, their roles, the systems you've connected

We only ingest what’s necessary to identify commitments and track their follow-through. We do not crawl content unrelated to sales execution.

From the ingested content, we extract:

  • Commitments: things your reps have said they'll do, with quotes and evidence
  • Execution context: which deal the commitment relates to, who owns it, when it's due
  • Outcomes: whether the commitment was followed through, missed, or still open

The extracted structured data is what powers your dashboard and audit reports. The raw ingested content is used to produce that structured data and to provide evidence excerpts in your reports.

How we protect your data

In transit. All communication between your browser, Catch’s servers, and our connected services uses TLS 1.2 or higher.

At rest. All data is encrypted at rest by our infrastructure providers using AES-256.

OAuth credentials. The tokens we hold to access your Gmail, CRM, and other connected services are additionally encrypted at the application layer before storage. Even with direct database access, the tokens cannot be used to access your connected accounts without a separate encryption key held only in our application environment.

Workspace isolation. Every piece of customer data is tagged with a workspace identifier, and row-level security policies at the database layer are designed to prevent cross-workspace access even if application logic fails. Every new database migration is validated in continuous integration to confirm row-level security is defined where required. No code path in our system aggregates customer data across workspaces for cross-customer analysis.
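
As an added illustration (not Catch's own tooling) of the "validated in continuous integration" step, the check below scans migration SQL for every created table and fails the build when a table lacks row-level security or a policy scoped by workspace_id. The sample migration, table names, the current_setting key app.workspace_id, and the exemption list are constructed for this example; the point is that a forgotten ENABLE ROW LEVEL SECURITY is caught before it ships rather than relied upon to be caught by application code.

```javascript
// Added example (not Catch's code): a CI check that every table created by a
// migration has row-level security enabled and a policy predicated on
// workspace_id. Sample migration and names are constructed for this example.

const CREATE_TABLE = /create\s+table\s+(?:if\s+not\s+exists\s+)?(?:public\.)?"?(\w+)"?/gi;
const ENABLE_RLS = /alter\s+table\s+(?:public\.)?"?(\w+)"?\s+enable\s+row\s+level\s+security/gi;
// Captures the target table and the rest of the statement so the predicate can be inspected.
const CREATE_POLICY = /create\s+policy\s+[^;]*?\son\s+(?:public\.)?"?(\w+)"?([^;]*);/gi;

// Drop SQL line comments so commented-out statements are not counted.
function stripComments(sql) {
  return sql.replace(/--[^\n]*/g, "");
}

function matchAll(re, text) {
  return Array.from(text.matchAll(re));
}

// Returns a list of {table, problem} for tables that are not workspace-isolated.
function checkMigrations(sqlText, exemptTables = []) {
  const sql = stripComments(sqlText);
  const exempt = new Set(exemptTables.map(t => t.toLowerCase()));
  const created = matchAll(CREATE_TABLE, sql).map(m => m[1].toLowerCase());
  const rlsEnabled = new Set(matchAll(ENABLE_RLS, sql).map(m => m[1].toLowerCase()));
  const scopedPolicy = new Set(
    matchAll(CREATE_POLICY, sql)
      .filter(m => /\bworkspace_id\b/i.test(m[2]))
      .map(m => m[1].toLowerCase())
  );
  const violations = [];
  for (const table of created) {
    if (exempt.has(table)) continue; // lookup tables with no customer data
    if (!rlsEnabled.has(table)) violations.push({ table, problem: "row level security not enabled" });
    if (!scopedPolicy.has(table)) violations.push({ table, problem: "no policy scoped by workspace_id" });
  }
  return violations;
}

// Constructed sample migration: one correct table, one with RLS forgotten,
// and one exempt lookup table.
const SAMPLE_MIGRATION = `
create table commitments (
  id uuid primary key,
  workspace_id uuid not null references workspaces(id),
  quote text not null
);
alter table commitments enable row level security;
create policy workspace_isolation on commitments
  using (workspace_id = current_setting('app.workspace_id')::uuid);

create table audit_reports (
  id uuid primary key,
  workspace_id uuid not null,
  body jsonb
);
-- defect: RLS was never enabled on audit_reports

create table plan_tiers (name text primary key);
`;

const EXEMPT = ["plan_tiers"]; // constructed allowlist of non-customer tables

const found = checkMigrations(SAMPLE_MIGRATION, EXEMPT);
for (const v of found) console.log(`${v.table}: ${v.problem}`);
// In CI, a wrapper exits non-zero when `found` is non-empty so the merge is blocked.
```

Run it over the concatenated migration files in the pipeline; any non-empty result should fail the job. The exemption list is itself reviewed code, so adding a table to it is a visible change rather than a silent omission.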

Production access control. Production systems are accessible only to the Catch team. All access requires multi-factor authentication, with hardware security keys on the highest-privilege accounts (GitHub, Vercel, Railway, Supabase, Google, domain registrar).

Environment isolation. Our preview and development environments are prevented at startup from connecting to production databases. A misconfiguration that would link a preview environment to production credentials fails the application startup rather than booting with the wrong data.
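
The startup guard described above, as an added example that is not Catch's code: before any database client is created, the process compares the declared environment against the hosts its connection strings point at and throws if a preview or development build is wired to a production store (or a production build to a non-production one). The variable names APP_ENV, DATABASE_URL and SUPABASE_DB_URL, and the production host list, are assumptions for the example.

```javascript
// Added example (not Catch's code): a startup guard that refuses to boot a
// non-production deployment against production data stores. Env var names and
// the production host list are constructed assumptions for this example.

const PRODUCTION_DB_HOSTS = new Set([
  "db.prod.constructed.example",           // constructed placeholder host
  "prod-postgres.railway.constructed.example",
]);
const DB_URL_VARS = ["DATABASE_URL", "SUPABASE_DB_URL"];
const KNOWN_ENVS = ["production", "preview", "development"];

// Extract the hostname from a connection string; null if it does not parse.
function hostOf(connectionString) {
  try { return new URL(connectionString).hostname.toLowerCase(); }
  catch { return null; }
}

// Throws if the configuration is inconsistent with the declared environment.
// Returns a small summary on success so callers can log what was verified.
function assertEnvironmentIsolation(env) {
  const appEnv = env.APP_ENV;
  if (!KNOWN_ENVS.includes(appEnv)) {
    // An unset environment must not silently default to anything.
    throw new Error(`APP_ENV must be one of ${KNOWN_ENVS.join("/")} (got ${JSON.stringify(appEnv)})`);
  }
  const setVars = DB_URL_VARS.filter(name => env[name]);
  const prodVars = setVars.filter(name => PRODUCTION_DB_HOSTS.has(hostOf(env[name])));
  const nonProdVars = setVars.filter(name => !PRODUCTION_DB_HOSTS.has(hostOf(env[name])));

  if (appEnv !== "production" && prodVars.length > 0) {
    throw new Error(`${appEnv} environment is configured with production credentials: ${prodVars.join(", ")}`);
  }
  if (appEnv === "production" && nonProdVars.length > 0) {
    throw new Error(`production environment references non-production stores: ${nonProdVars.join(", ")}`);
  }
  return { appEnv, verified: setVars.length };
}

// Convenience predicate for demos and tests.
function bootsCleanly(env) {
  try { assertEnvironmentIsolation(env); return true; } catch { return false; }
}

// Constructed demo configurations; in a real entry point this would be
// assertEnvironmentIsolation(process.env) before creating any DB client.
const previewWithProdDb = {
  APP_ENV: "preview",
  DATABASE_URL: "postgres://app:secret@db.prod.constructed.example:5432/catch",
};
const previewWithBranchDb = {
  APP_ENV: "preview",
  DATABASE_URL: "postgres://app:secret@branch-42.constructed.example:5432/catch",
};
console.log("preview -> prod db boots:", bootsCleanly(previewWithProdDb));     // false
console.log("preview -> branch db boots:", bootsCleanly(previewWithBranchDb)); // true
```

Because the check runs before any client is constructed, a mis-linked preview fails with a clear message instead of starting and quietly reading or writing production rows.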

Honest limitations

We believe in telling you what our security model cannot do, not just what it can:

  • We can read your data. Our product analyzes your email, transcripts, and CRM data to produce commitments and audit reports. The Catch team has the technical ability to view raw customer content during engineering, debugging, or audit generation. In practice most internal views show extracted commitments only, not raw source content, and we are actively narrowing the set of surfaces where raw content is accessible at all. But we cannot honestly tell you we are incapable of viewing your data. Any product making that claim while offering AI analysis is not being accurate.
  • Anthropic sees your content during processing. Your email bodies and call transcripts are transmitted to Anthropic's API for commitment extraction. Anthropic does not train on API data, but the content does pass through their infrastructure while being processed.
  • We are not yet SOC 2 certified. We are building the controls and evidence that will support certification when we reach the stage where it's valuable to our customers. We will not claim the certification until it is real.
  • Catch is currently operated by a small team, and production access is limited accordingly. We mitigate this with MFA, hardware security keys on high-privilege accounts, audit logging, and a commitment to publish team-access changes as we grow.

Who can access your data

By default: only you and the users you invite to your workspace see your workspace’s data through the product. Other Catch customers never see your data.

Catch team access: limited today to Eric Pereira, founder. Administrative access is used only for engineering, debugging, security response, and customer-requested operational tasks. As we hire team members with production access, we will maintain a public list at usecatch.io/security#who-can-access.

Third parties: only the subprocessors listed below, each for the specific purpose described.

What we do not do

  • We do not sell customer data, ever
  • We do not use customer content to train our own models
  • We do not use the Anthropic API in a configuration that contributes customer data to Anthropic's model training
  • We do not grant subprocessors access broader than required for their specific role
  • We do not share customer data with advertising networks or marketing analytics platforms

How Catch improves over time without training on your data

Catch uses Anthropic’s Claude as our AI inference engine. We do not operate a proprietary AI model, and we do not fine-tune, train, or update any model using customer content. This is both our current architecture and our committed product principle.

Our product improves through four mechanisms, none of which involve training a model on customer data: we refine the prompts we send to Claude based on observed extraction quality; we adjust heuristics and confidence thresholds in our processing pipeline; we add product features based on aggregated usage patterns; and we improve how we construct context for Claude’s extraction calls.

All of these improvements apply equally across customers in the next release. They are not personalized to any individual customer’s data, nor do they cause one customer’s data to surface in another customer’s experience. Within your workspace, your data drives your commitments and audits. Across workspaces, nothing is shared. If we ever propose changing this architecture in a way that would affect this commitment, we would communicate it to customers in advance.

Retention and deletion

Data type                                   Retention
Raw email bodies                            90 days after ingestion (target policy; currently being implemented)
Call transcripts                            90 days after ingestion (target policy; currently being implemented)
Extracted commitments and audit artifacts   For the lifetime of your workspace
OAuth tokens                                Until you disconnect the integration
Application logs                            30 days
Security and audit logs                     2 years (operational metadata; never includes raw customer content)
Backups                                     30 days rolling

When you delete your workspace, customer content is purged within 30 days of the deletion request. Security and audit logs may retain limited operational metadata (workspace ID, action timestamps, administrator identity) per the retention schedule above; these logs never include raw customer content such as email bodies or transcripts.

Your controls

Disconnect any integration. For supported OAuth-based connectors, disconnection from your workspace settings revokes our stored tokens and stops further data ingestion from that service. Disconnection is recorded in your workspace’s activity history.

Export your data. You can request an export of your workspace’s commitments, audit reports, and associated metadata by emailing security@usecatch.io. We deliver exports in a structured format within 14 days. Self-service export from workspace settings is on our active roadmap.

Delete your workspace. You can request workspace deletion by emailing security@usecatch.io. Deletion proceeds in two stages: a 30-day soft-delete period during which you can recover if the request was accidental, followed by a hard-delete that purges all your customer content from our production systems.

Request a data report. You can ask for a summary of everything we have about your workspace at any time by emailing security@usecatch.io. We respond within 14 days.

Incident response

Our commitment: If we confirm a security incident affecting your data, we will notify you within 72 hours. The notification will describe what we know, what we’re doing about it, what data was affected, and what (if any) action is recommended on your end.

Our process:

  1. Detect: via automated alerts, customer reports, or internal review
  2. Contain: pause affected systems, preserve evidence, prevent further exposure
  3. Investigate: determine scope, cause, and affected customers
  4. Notify: affected customers within 72 hours of confirmation
  5. Remediate: fix the underlying issue, rotate compromised credentials
  6. Review: write a post-mortem, add controls to prevent recurrence

We would rather over-notify than under-notify. If we notify you about an incident and later determine the scope was smaller than initially feared, we will tell you that as well.

Subprocessors

Customer data is stored in the United States. Our subprocessors:

  • Supabase: PostgreSQL database hosted on AWS. Stores user accounts, workspace configuration, extracted commitments, and audit artifacts. SOC 2 Type II certified.
  • Railway: PostgreSQL database and application compute. Stores ingested events and processed commitment data.
  • Vercel: Web application hosting. SOC 2 Type II certified.
  • Anthropic: LLM processing via the Anthropic API. Processes your email and transcript content to extract commitments. Data sent to the Anthropic API is not used to train Anthropic's models per their standard API data policy. Anthropic's retention period for API data is described in their API data policy. Catch does not operate proprietary AI models and therefore does not train any models on customer data.
  • Google Cloud: Handles the OAuth authentication flow when you connect Gmail. Catch-generated data (commitments, audits, extracted content) is stored in Catch systems, not in Google.

The current list is maintained on this page. Material changes are published in our changelog.

What we’re actively building

Security at Catch is a continuing discipline, not a compliance checkbox. Active work:

  • Application-layer encryption for raw email bodies and transcripts: bringing raw content under the same application-layer encryption we already use for OAuth tokens, so that database-level access alone does not yield readable customer content
  • Comprehensive administrative access logging: every internal read of customer data logged with a timestamp, actor, and justification, retained in an append-only audit store
  • Real-time anomaly alerting on privileged access patterns and unusual decrypt volume
  • Customer-facing data access reports: allowing customers to see, within their workspace, a log of when and why Catch administrators accessed their data
  • Self-service data export and workspace deletion from workspace settings
  • Deletion verification certificates: formal confirmation delivered to the customer after workspace deletion, specifying which systems were affected
  • SOC 2 Type II certification preparation

We do not commit to dates on this page because we would rather ship the work than commit to dates we might miss. If you have a specific need, email security@usecatch.io and we will share our current timeline privately.

Contact and responsible disclosure

General security questions: security@usecatch.io. This goes directly to the founder.

General support (fallback if security inbox is unreachable): support@usecatch.io

Responsible disclosure of vulnerabilities: security@usecatch.io with a subject line starting with “VULN:”. We commit to:

  • Responding within 2 business days
  • Investigating reports in good faith
  • Not pursuing legal action against researchers who follow responsible disclosure practices
  • Crediting researchers (if they wish to be credited) in our security changelog once a fix is deployed

Changelog

Material changes to our security posture are published at usecatch.io/security/changelog.

This page describes Catch’s current security posture and may be referenced in customer security reviews. For the most current version, always visit usecatch.io/security directly.