Security

Your knowledge stays in Europe — and stays yours.

Pith is built for consulting work, which means client confidentiality is the default, not an upgrade. Here's how we handle data, in plain terms.

Data residency

Frankfurt, Germany

All data — application database, blog media, generated audio briefings — is stored exclusively in EU-based Hetzner data centres.

Isolation

Per-workspace database

Each workspace has its own logical database. Cross-workspace reads are impossible at the SQL layer — not just access-controlled.

Encryption

TLS 1.3 + at-rest AES-256

All traffic over HTTPS. Disk-level AES-256 encryption on the database volume.

Auth

Email + password · API tokens

bcrypt-hashed passwords. Long-lived bearer tokens (tfk_…) for the browser extension and automation, scoped per workspace, revocable from settings.

Backups

Daily, retained 30 days

Automated daily snapshots, encrypted at rest, retained for 30 days. Point-in-time recovery available on the Firm plan.

Export

Anytime, full SQL + markdown

Your data is yours. One-click export of bookmarks, highlights, wiki, and AI artefacts as SQL dump or markdown bundle.

What we don't do

  • We don't train models on your content.
  • We don't share data with third parties beyond infrastructure providers (Hetzner, OpenAI for inference only — no retention).
  • We don't have a 'marketing email' toggle on by default. We don't email you unless you ask us to.
  • We don't do behavioural tracking. Page-view analytics is server-side counts only — no third-party cookies, no fingerprinting.

GDPR + AI Act

Pith is GDPR-compliant by construction (EU-only storage, per-workspace isolation, full export + deletion). For the EU AI Act: Pith uses LLMs as a tool, not as a service to end-users — we don't fall under the high-risk classification. We disclose model providers in the privacy notice and document AI usage in the application's own audit log (Firm plan).

Questions?

Email security@pithlab.app. We respond within one business day.