Security
Effective March 29, 2026
This page describes the security controls StrikePoint uses today. It is written to be specific, current, and client-facing rather than inflated. If you need a current answer about a specific control or vendor, contact support@usestrikepoint.com.
Protected workspaces
StrikePoint uses Clerk for sign-in, session management, and authenticated workspace access. Protected app routes verify the signed-in user before reading or mutating account data.
Encrypted connections and credentials
Traffic to StrikePoint is sent over TLS. Stored Google and Microsoft provider credentials, along with any enabled inbox-connection credentials, are encrypted before StrikePoint writes them to the database.
Account boundaries
StrikePoint stores account data in per-user records and shared-link access is limited to the specific proposal or invoice token that was created for that client workflow.
Client link protection
Public proposal and invoice links expire after 30 days, can be revoked by the sender, and can optionally require a verification PIN before viewing. When a sender generates a fresh link, the previous inactive link no longer works for viewing or action submission.
Activity review without raw visitor IP storage
StrikePoint records shared-link events such as views, verification attempts, acceptance, checkout starts, regeneration, and revocation so your team can review client activity. Raw visitor IP addresses are not retained in that activity log; hashed visitor identifiers are used instead.
Customer-owned artifacts
Google Drive folders and Sheets created through StrikePoint remain in the customer’s own Google account. StrikePoint uses limited Google scopes intended for the files it creates on the customer’s behalf.
AI workflows with human review
StrikePoint sends documents to API-based AI services for processing workflows. We do not use customer documents, pricing, or plan sets to train StrikePoint models, and AI-generated results are presented for human review before customers rely on them.
What this page does not claim
StrikePoint does not claim SOC 2, ISO 27001, HIPAA, end-to-end encryption, or any other certification or security model on this page unless it has been formally completed and published. This page is limited to the controls implemented in the app and the current operating model.
Security Contact
For security questions, customer reviews, or responsible disclosure, email security@usestrikepoint.com. Include the affected route, the time observed, and any reproduction details you can share safely.
Please do not send destructive payloads, denial-of-service traffic, or attempts to access other customers' data. Good-faith reports are reviewed and routed directly to engineering.