Back to home

Security

BankingPitch is designed for regulated financial environments. Security and compliance are built into the architecture, not bolted on as an afterthought.

Authentication and access control

  • Passwords hashed with bcrypt (12 salt rounds)
  • JWT session tokens with configurable expiry
  • 5-tier role-based access control (Analyst, Associate, VP, MD, Admin)
  • Route-level middleware protection on all authenticated pages

Four-eye principle

  • Deal creator cannot approve their own pitch book
  • Approval requires VP-level role or above
  • Enforced at API level — cannot be bypassed via UI
  • Both creator and approver identities logged permanently

Audit trail

  • Every action logged: creation, generation, edits, approvals, exports
  • Timestamped entries with user attribution and metadata
  • Compliance export for regulatory reporting
  • Admin-accessible system-wide audit log viewer

Data integrity

  • Figures grounded in your deal inputs, SEC EDGAR filings, or uploaded documents where available — anything else is clearly flagged as an AI estimate, never presented as verified market data
  • Original AI output preserved even after user edits
  • Edited content stored separately with 'Edited' flag
  • Source citations tracked per module (deal inputs, SEC EDGAR, uploaded documents, or AI-estimated)

User management

  • Admin-only user creation with enforced minimum password length
  • Cascading deletion: removing a user removes all their data
  • Role changes logged to audit trail
  • Self-deletion prevention (admins cannot delete their own account)

Infrastructure

  • PostgreSQL database with encrypted connections
  • Environment-based configuration — no secrets in code
  • Health check endpoint for uptime monitoring
  • Rate limiting on AI generation endpoints (5 requests/minute per user)

To report a security vulnerability, contact security@bankingpitch.com.