Security and Data

Pilot isolates each tenant's documents, knowledge base, and content. Documents are encrypted at rest and in transit, never used to train models, and deletions are permanent. BYOK means your LLM provider relationship stays yours.

Honest Security

Security pages on SaaS websites tend to oversell. Pilot is a startup in beta. This page describes what's true today, what's planned, and where the gaps are. If your organization has specific security requirements, contact us and we'll give you a straight answer.

Tenant Isolation

Every Pilot tenant is a separate workspace. Your documents, knowledge base, voice settings, generated content, and usage data are isolated from every other tenant.

This isolation is structural, not just logical:

  • Knowledge base isolation. Your document embeddings exist in a separate namespace. Another tenant's queries never touch your knowledge base, and your queries never touch theirs.
  • Document storage isolation. Your uploaded source documents are stored with tenant-scoped access controls. Documents are content-addressed by hash. If the same file exists in two tenants, it is stored as separate objects with separate access paths.
  • Generated content isolation. Articles, drafts, and channel outputs belong to your tenant. They're not accessible to other tenants, and they don't appear in other tenants' results.
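
An added sketch of the document storage bullet above, not Pilot's code: the `TenantObjectStore` class and the `tenants/<tenant>/docs/<sha256>` key layout are assumptions. It shows why the tenant id belongs in a content-addressed key: identical files stay separate objects, reads are authorized by tenant rather than by knowledge of a hash, and one tenant's delete cannot affect another.

```javascript
const crypto = require("node:crypto");

// Hypothetical in-memory stand-in for an object store. The key layout
// tenants/<tenant>/docs/<sha256> is an assumption made for this example.
class TenantObjectStore {
  constructor() {
    this.objects = new Map();
  }

  // The content address is the SHA-256 of the bytes, and the tenant id is part
  // of the key, so one file uploaded by two tenants becomes two objects.
  static objectKey(tenantId, bytes) {
    if (!/^[a-z0-9-]{1,64}$/.test(tenantId)) throw new Error("invalid tenant id");
    const digest = crypto.createHash("sha256").update(bytes).digest("hex");
    return `tenants/${tenantId}/docs/${digest}`;
  }

  put(tenantId, bytes) {
    const key = TenantObjectStore.objectKey(tenantId, bytes);
    this.objects.set(key, Buffer.from(bytes));
    return key;
  }

  // Access is decided by the caller's tenant prefix, never by knowing a hash.
  // The strict 64-hex suffix check also rejects "../" style keys.
  get(callerTenantId, key) {
    const prefix = `tenants/${callerTenantId}/docs/`;
    const suffix = key.startsWith(prefix) ? key.slice(prefix.length) : "";
    if (!/^[0-9a-f]{64}$/.test(suffix)) throw new Error("access denied");
    const obj = this.objects.get(key);
    if (!obj) throw new Error("not found");
    return obj;
  }

  // Deleting one tenant's copy leaves the other tenant's object untouched,
  // with no shared reference count to maintain.
  delete(callerTenantId, key) {
    this.get(callerTenantId, key);
    this.objects.delete(key);
  }
}
```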

Encryption

In transit: All data between your browser and Pilot's servers travels over TLS. API calls from Pilot to your LLM provider are also encrypted in transit.

At rest: Documents stored in object storage are encrypted at rest using AES-256 (S3 server-side encryption). Database records are encrypted at rest using the managed database provider's encryption.

No Training on Your Data

Your documents are never used to train language models. Not by Pilot, and not by your LLM provider (assuming you use the provider's standard API terms, which exclude training on API inputs — check your specific provider's terms).

Your documents exist in Pilot's storage for one purpose: to serve as source material for your knowledge base and content generation. When you delete a document, it's removed from the knowledge base and from storage.

BYOK and Key Handling

Pilot's bring-your-own-key model means your LLM provider relationship is direct. You create an account with Anthropic or OpenAI, generate an API key, and enter it in Pilot's console.

How Pilot handles your key:

  • Stored encrypted. Your API key is encrypted at rest in Pilot's database using AES-256.
  • Decrypted only during use. The key is decrypted and held in memory only for the duration of an API call to your LLM provider. It's not cached in plaintext.
  • Never logged. Your key never appears in log files, error messages, or debugging output.
  • Never shared. Pilot's team cannot see your key. It's not accessible through any admin interface.
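
An added sketch of the key-handling pattern in the list above, not Pilot's code: AES-256-GCM is an assumed mode (the page states only AES-256), and `MASTER_KEY`, `sealApiKey`, `withApiKey` and `redact` are hypothetical names. It binds each ciphertext to its tenant, exposes the plaintext only inside a callback, and scrubs key-shaped strings before they reach a log.

```javascript
const crypto = require("node:crypto");

// Constructed for the example: a random master key (in production this would
// come from a KMS or secret manager) and the 12-byte IV / 16-byte tag layout.
const MASTER_KEY = crypto.randomBytes(32); // 32 bytes selects AES-256

// Encrypt an API key for storage. The tenant id is bound as AAD, so a
// ciphertext copied into another tenant's row fails authentication.
function sealApiKey(tenantId, apiKey) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", MASTER_KEY, iv);
  cipher.setAAD(Buffer.from(tenantId, "utf8"));
  const ct = Buffer.concat([cipher.update(apiKey, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt only for the duration of fn(plainBuffer), then zero the buffer.
// fn must be synchronous and should not copy the key into a long-lived string.
function withApiKey(tenantId, sealed, fn) {
  const raw = Buffer.from(sealed, "base64");
  const decipher = crypto.createDecipheriv("aes-256-gcm", MASTER_KEY, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(tenantId, "utf8"));
  decipher.setAuthTag(raw.subarray(12, 28));
  const plain = decipher.update(raw.subarray(28));
  try {
    decipher.final(); // throws if the tag or the tenant AAD does not verify
    return fn(plain);
  } finally {
    plain.fill(0);
  }
}

// Scrub key-shaped strings from anything headed to logs or error messages.
// The "sk-" pattern is an assumption; adjust it per provider.
function redact(text) {
  return String(text).replace(/\bsk-[A-Za-z0-9_-]{8,}/g, "[REDACTED]");
}
```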

Your LLM provider sees API calls from Pilot's infrastructure using your key. The provider's standard terms apply to those calls. Pilot doesn't proxy, intercept, or modify the provider's responses beyond what's needed to produce your content.

Data Residency

Pilot's infrastructure currently runs in AWS US-East-1 (Northern Virginia). This means:

  • Your documents are stored on S3 in US-East-1
  • Your database records (tenant config, user accounts, content metadata) are in RDS in US-East-1
  • Your knowledge base embeddings are in a vector database in US-East-1

If your organization has data residency requirements that conflict with US-East-1 hosting, contact us to discuss options. Multi-region support is on the roadmap but not available today.

What Happens When You Delete

Deleting a document: The document is removed from your knowledge base (embeddings deleted, topic connections removed) and from object storage. This is a permanent deletion, not a soft delete.

Deleting your account: All data associated with your tenant — documents, knowledge base, voice settings, generated content, user records — is permanently deleted. No retained copies, no backup holds beyond the standard backup retention window (currently 30 days, after which backups are rotated out).

Access Control

Pilot uses role-based access control within each tenant:

  • Admin: Full access to all tenant settings, documents, channels, and content. Can manage users and API keys.
  • Editor: Can upload documents, generate content, review and publish articles, configure voice settings. Cannot manage users or API keys.
  • Viewer: Read-only access to generated content and analytics. Cannot upload, generate, or publish.

Authentication is handled via JSON Web Tokens (JWTs). Sessions expire after inactivity. Pilot supports email/password authentication. SSO (SAML, OIDC) is planned for a future release but not available today.

What's Not Yet in Place

Transparency matters more than aspirational claims. Here's what Pilot doesn't have yet:

SOC 2 certification. Not yet started. Planned for after the beta period as the customer base and infrastructure stabilize.

Penetration testing. No third-party penetration test has been conducted. Internal security review is ongoing.

Bug bounty program. Not in place. If you discover a security issue, contact us directly.

SSO / SAML. Not available yet. Enterprise authentication is planned for a future phase.

Audit logging. Basic activity logging exists. Comprehensive audit trails suitable for compliance review are in development.

These are real gaps. They're being addressed in priority order as Pilot moves from beta to general availability. If any of these are requirements for your organization, we'll tell you where we are and when we expect to close the gap — not hand-wave about "enterprise-grade security."

The Security Posture

Pilot takes reasonable precautions with your data: encryption, isolation, access control, secure key handling. It's a young product with an honest assessment of where it stands. The fundamentals — tenant isolation, encrypted storage, no training on your data, BYOK key handling — are in place and designed correctly. The enterprise compliance apparatus is still being built.

For how BYOK works and what it means for cost visibility, see Pricing and BYOK. For questions about security that this page doesn't answer, contact us directly.

Last updated March 3, 2026