Encryption by default
Data is encrypted in transit with TLS and encrypted at rest using AES-256-GCM.
SECURITY AT STITCH
Stitch connects to systems that hold sensitive customer and revenue context. Security is built into how the product handles connections, organization boundaries, roles, agent actions, and the records behind every workflow run.
DATA PROTECTION
Stitch operates across CRM, email, calendar, docs, and collaboration systems. The product is designed so customer data, integration credentials, and operational logs are handled through separate, controlled paths.
OAuth tokens and API keys are encrypted before storage, managed separately from application data, and decrypted only when needed.
Customer data is logically isolated at every layer. API requests are scoped to the requesting organization.
Sensitive fields such as tokens, credentials, and passwords are redacted from internal logs. Customer business data does not belong in operational logging.
ACCESS CONTROL
Stitch is built for organizations where admins need to control who can access customer context, run workflows, approve sensitive changes, and connect external systems.
AUTHENTICATION
Stitch supports email/password and Google OAuth. Self-registration is disabled, so organization administrators control which users are provisioned.
AUTHORIZATION
Administrators assign roles that determine what each user can see and do. Permissions are enforced server-side on every request.
SESSIONS
Sessions expire automatically, are invalidated server-side on logout, and include protections against common web attacks.
AI GOVERNANCE
Stitch does not ask teams to trust opaque AI changes. Agents can be constrained by tool access, routed through approval, and reviewed through the same audit trail as the rest of the workflow run.
Agents operate with explicit instructions, allowed tools, and limits tied to the workflow they are running.
Sensitive agent tool calls can pause for human review before changes are applied to CRM or another connected system.
Agent proposals include the reasoning and context a reviewer needs to approve, reject, or request changes.
Workflow runs preserve the trigger, steps, agent activity, approvals, and downstream updates for review.
OPERATIONS
The operational details that matter most are straightforward: keep the service available, preserve customer data, check for access regressions, and respond when something needs attention.
Stitch is designed so a single server issue won't take the service down or put customer data at risk.
Application data is backed up regularly and stored separately from the primary application environment.
Automated checks help catch vulnerable packages, unsafe code patterns, exposed secrets, and regressions in important access boundaries.
Application health is monitored with alerting, and changes are tracked so issues can be investigated quickly.
Stitch uses OAuth wherever possible so it does not see passwords for connected services. OAuth tokens and API keys are encrypted before storage and only decrypted at the moment a workflow needs to use them.
Requests are scoped to the requesting organization, and customer data is logically isolated at every layer. Automated tests specifically verify cross-organization isolation boundaries.
Sensitive agent tool calls can require approval before changes are applied. Reviewers can approve, reject, or request changes, and agent justifications are attached for context.
No. Stitch does not use customer data to train models, and its AI providers operate under zero-data retention agreements for workflow processing.
Automated checks cover application code, third-party packages, exposed secrets, and important access boundaries between organizations.
SECURITY REVIEW
We can walk through how Stitch would handle your CRM data, connected system credentials, approval gates, workflow run history, and the boundaries around AI-assisted actions.