Security & Data
How Pipelit handles your data
Everything your InfoSec team, DPO, or procurement lead needs to approve Pipelit. Read-only access. No customer data stored. GDPR compliant.
What Pipelit accesses
Free scanner
Public website only
The scanner visits your URL exactly like any other visitor. It sees your public HTML, cookies set on page load, and network requests. Nothing more than a browser sees.
Scanner Pro — GTM integration
Read-only GTM access
OAuth 2.0 with scope tagmanager.readonly. We can see tag names, trigger configurations, and consent settings. We cannot modify, add, or delete anything.
What we store
- Scan results — findings, scores, cookies detected, tools identified
- Organisation details — company name, domain, team member emails
- Fix tickets — violation records, status, review notes
- Audit log — timestamped record of all actions
- GTM OAuth tokens — encrypted, auto-expire, used only for read-only API calls
What we do NOT access or store
- No visitor or customer PII — we never see your users' personal data
- No analytics data — no access to Google Analytics, HubSpot CRM, or any analytics platform
- No conversion data — no access to form submissions, leads, or deals
- No raw cookies — we record cookie names and domains, not cookie values
- No write access — we cannot modify your GTM, CMP, or any connected system
- No third-party sharing — your data is never shared with anyone
Security practices
Encryption
Encrypted in transit and at rest
All data encrypted via TLS in transit. Database connections secured with SSL. No public database access.
Authentication
Secure credential handling
Passwords hashed with scrypt (64-byte key, random salt). Session tokens are cryptographically random. GTM uses OAuth 2.0 with Google.
AI processing
Revelio AI — powered by Anthropic
AI queries processed via Anthropic's Claude API. Your scan data is sent as context for each query. Anthropic does not train on API inputs.
Access control
Role-based permissions
Three roles — Admin, DPO, and Implementer — each with appropriate access levels. Full audit trail of every action.
Compliance
- UK GDPR compliant — Pipelit is a UK company processing minimal personal data (team member emails only)
- Data Processing Agreement — available at pipelit.co.uk/dpa
- Privacy Policy — available at pipelit.co.uk/privacy-policy
- No sub-processors with customer data access — Anthropic processes AI queries but receives no customer PII
- Data deletion — request account and data deletion at any time via email
Common InfoSec questions
- Do you have SOC 2? — Not yet. We are pre-revenue and pursuing SOC 2 Type II as we scale. Our current security practices are documented above.
- Where is data stored geographically? — Hosted in secure cloud infrastructure. Available to discuss EU-only hosting for enterprise customers on request.
- Can you sign our vendor assessment form? — Yes. Email lalarukh@pipelit.co.uk with your form.
- What happens if I disconnect GTM? — OAuth tokens are immediately revoked. No further API calls are made. Historical scan data remains unless you request deletion.
- Is the scanner PECR compliant itself? — Yes. The Pipelit website and scanner set zero pre-consent tracking cookies. Score: 100/100 Diamond. Verify it yourself.
Need something specific?
We're happy to complete your vendor assessment form, sign a custom DPA, or schedule a call with your InfoSec team.