GrowthKit AI
/Security

Security by subtraction.

Founders hand us strategy-sensitive context — what you're building, where you're weak, which market you're about to attack. The fastest way to protect data is to hold less of it, on fewer systems, with fewer hands. That's the whole architecture. Here's how it works in practice.

01 The posture

Four rules we don't bend.

No security page survives contact with a clever attacker — posture does. These four rules decide every infrastructure choice we make, including the boring ones.

01 — Minimal collection

We collect the minimum.

The waitlist asks for a name, a work email, and whether you want updates. That's it — no phone numbers, no company dossiers, no "tell us your budget." Pilot briefs contain exactly what you choose to share, and nothing is collected silently.

02 — Encryption in transit

Everything travels encrypted.

The site is HTTPS-only with HSTS preload: browsers that ship the preload list refuse to load it over plain HTTP, even on a first visit, and every browser that has seen the header once does the same. Form submissions travel over TLS end to end. There is no HTTP fallback, no mixed content, no exceptions.

03 — Small vendor surface

Few vendors, named ones.

Vercel hosts the site. Google Workspace holds mail and waitlist data. Fonts and scripts load from Google Fonts and jsDelivr. That is the entire third-party surface — every vendor we use is on this page, not buried in a subprocessor PDF.

04 — Founder-only access

Access stops at the founding team.

Customer data is accessible to the founding team only, behind multi-factor authentication. No contractors with standing access, no shared logins, no analytics vendor with a copy of your brief.

02 The architecture

The attack surface is the security model.

growthkitai.com is a static site, on purpose. What doesn't exist can't be breached, and the externally visible claims below (headers, cookies, the absence of a login) can be verified from your own terminal.

No database. The site has no backend of its own — no SQL to inject, no admin panel to brute-force, no sessions to hijack.

No accounts, no passwords. Nothing on this site asks you to log in, so there are no credentials of yours for us to lose.

No payment data. We never see or store card numbers. When paid plans go live, payment goes through a PCI-DSS-compliant processor — card details will go to them, never to us.

One stored preference. The only thing the site keeps on your machine is your light/dark theme choice, in your browser's localStorage. It never leaves your device.

Check our homework: run curl -I https://growthkitai.com and compare against the readout.

/response headers — live config, vercel edge

    curl -I https://growthkitai.com
    HTTP/2 200
    strict-transport-security: max-age=63072000; includeSubDomains; preload
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    permissions-policy: geolocation=(), microphone=(), camera=()
    # no set-cookie. nothing to set.

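
An added example, not GrowthKit's own tooling, that turns "compare against the readout" into a repeatable check: it reads a raw curl -I header block from stdin and tests each claim above, including the three properties a domain needs to stay on the HSTS preload list (max-age of at least one year, includeSubDomains, and the preload token) and the absence of any Set-Cookie header. The two header blocks in the script are constructed samples, one matching the published readout and one a drifted configuration; the file name check_headers.sh in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not GrowthKit's own tooling: check a `curl -I` readout against
# the header claims on the security page. Pipe the live headers into
# check_headers, or run the file as-is to exercise the two constructed samples.
#
#   curl -sI https://growthkitai.com | sh -c '. ./check_headers.sh; check_headers'
#
# (check_headers.sh is an assumed file name; any name works)

# Constructed sample: the readout the page publishes, in the shape curl -I prints it.
SAMPLE_OK='HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=(), camera=()
content-type: text/html; charset=utf-8'

# Constructed sample of a drifted config: short HSTS, no preload, and a session cookie.
SAMPLE_DRIFT='HTTP/2 200
strict-transport-security: max-age=300
set-cookie: session=abc123; Path=/; HttpOnly
content-type: text/html; charset=utf-8'

# header_value NAME: print the first value of header NAME from the lowercased block in $hdrs.
header_value() {
  printf '%s\n' "$hdrs" | sed -n "s/^$1: *//p" | head -n 1
}

# check_headers: read a raw header block on stdin, print one PASS/FAIL line per
# claim, and return 0 only if every claim holds.
check_headers() {
  hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
  fails=0
  pass() { printf 'PASS  %s\n' "$1"; }
  fail() { printf 'FAIL  %s\n' "$1"; fails=$((fails + 1)); }

  # 1. HSTS strong enough to stay on the preload list: max-age >= 1 year,
  #    includeSubDomains, and the preload token (hstspreload.org submission rules).
  hsts=$(header_value strict-transport-security)
  max_age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ] \
     && printf '%s\n' "$hsts" | grep -q 'includesubdomains' \
     && printf '%s\n' "$hsts" | grep -q 'preload'; then
    pass "hsts: max-age>=31536000, includeSubDomains, preload"
  else
    fail "hsts: absent or weaker than claimed (${hsts:-absent})"
  fi

  # 2. MIME sniffing disabled.
  if [ "$(header_value x-content-type-options)" = "nosniff" ]; then
    pass "x-content-type-options: nosniff"
  else
    fail "x-content-type-options: nosniff missing"
  fi

  # 3. Referrer-Policy and Permissions-Policy present, as the page claims.
  for h in referrer-policy permissions-policy; do
    if [ -n "$(header_value "$h")" ]; then pass "$h present"; else fail "$h missing"; fi
  done

  # 4. A static site with no sessions should set no cookies at all.
  if printf '%s\n' "$hdrs" | grep -q '^set-cookie:'; then
    fail "set-cookie present: something is keeping session state"
  else
    pass "no set-cookie"
  fi

  [ "$fails" -eq 0 ]
}

# Stand-alone run: the published readout passes, the drifted one does not.
printf '%s\n' "$SAMPLE_OK" | check_headers
printf '%s\n' "$SAMPLE_DRIFT" | check_headers || echo "drifted config rejected, as expected"
```

The check is deliberately strict about the preload token and the one-year max-age: a site can send a valid HSTS header and still have fallen off the preload list, and the curl output alone does not tell you which.
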
03 The inventory

Every byte we hold, itemised.

This is the complete list. If a category isn't here, we don't have it. Deletion is one email away — see our privacy policy for the formal version.

Waitlist signups: name · work email · updates pref

Where it lives: an access-controlled Google Workspace spreadsheet, the single system of record. No copies on the web host, in the codebase, or anywhere else.

How long: until launch communications wrap up, or until you ask us to remove you, whichever comes first.

Email correspondence: whatever you choose to send

Where it lives: Google Workspace mail, founder mailboxes only. Forwarded to no one.

How long: retained per the privacy policy; deleted on request.

Pilot briefs: private beta participants

Where it lives: an access-controlled workspace, used exclusively to produce your deliverables. Never used to train third-party models without your consent.

How long: for the duration of your pilot, plus the time needed to support it. Deleted on request when you leave.

Site analytics: aggregate only

Where it lives: Vercel Web Analytics, aggregate page views and referrers. No ad pixels, no fingerprinting, no cross-site tracking cookies.

How long: per Vercel's retention. It contains nothing that identifies you personally.

04 Found something?

Tell us. We'll act like it matters — because it does.

Good-faith security research is welcome. Don't access data that isn't yours, don't degrade the service for others, and give us reasonable time to fix what you find before going public. Do that, and we'll work with you, not against you.

01 — Report

Email the founders directly.

info@growthkitai.com · subject: "Security — GrowthKit AI"

Include what you found, where, and how to reproduce it. Screenshots and request traces help. The report goes straight to the people who can fix it — there is no triage queue.

02 — Acknowledgement

A reply within two business days.

You'll hear back from a founder — not an autoresponder — with our read on severity and what happens next. We'll keep you posted through the fix.

03 — Credit

No bounty yet. Credit, always.

We're a private beta and don't run a paid bounty program yet. Valid reports get a named thank-you here on this page (if you want one) and our genuine gratitude — which, at this stage, includes the founders owing you a drink.

05 The fine print, in plain sight

What we don't claim.

We are not SOC 2 or ISO 27001 certified. Certifications audit organisations at a scale we haven't reached — they're on the roadmap as the product matures, and we'd rather tell you that here than imply otherwise with a wall of badge icons.

We're also in private beta, which means the engine's infrastructure is still evolving. The commitments on this page are the constants. If your security questionnaire needs more than what's written here, email us — a founder will answer it honestly, including the parts where the honest answer is "not yet."

Report a vulnerability: info@growthkitai.com, subject: Security — GrowthKit AI
Acknowledgement: 2 business days, from a founder, not a bot
Full data practices: see the privacy policy