Your data is yours. We protect it like it is.
CTD handles sensitive relationship data: your contacts, your emails, your network. We've built security into the foundation of the product, not as an afterthought.
Security at every layer
SOC 2 Type II certified
We undergo annual independent audits against the SOC 2 Type II standard, covering security, availability, and confidentiality. This means our controls aren't self-reported; they're independently verified by a third party on an ongoing basis.
Encryption everywhere
All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256. This applies to everything: your contact profiles, email metadata, relationship scores, and any data synced from your integrations.
OAuth: no passwords stored
We connect to Gmail, Outlook, and LinkedIn exclusively via OAuth. We never see or store your passwords. You can revoke CTD's access at any time directly from your Google, Microsoft, or LinkedIn account settings.
You own your data
Your contacts and relationship data belong to you. You can export everything at any time in a portable format, and you can permanently delete your account and all associated data with a single request. No lock-in, no retention games.
Built-in from day one
Minimal data access
We request only the permissions we actually need. For email integrations, we read metadata and contact signals; we don't read the body of your emails.
Role-based access controls
For team and business plans, administrators control who can see what. Network data is only shared with teammates you explicitly invite and approve.
Never sold or shared
We do not sell, rent, or share your personal data or relationship graph with any third party, ever. Your network is not our product.
Security monitoring
Our infrastructure is continuously monitored for anomalous activity. We maintain an incident response plan and notify affected users promptly in the event of any security incident.
GDPR & CCPA compliance
We comply with GDPR for users in the EU and CCPA for California residents, including rights to access, correction, deletion, and data portability.
Secure infrastructure
CTD runs on enterprise-grade cloud infrastructure with network segmentation, access logging, and regular vulnerability assessments and penetration testing.
Security FAQ
Does CTD read my emails?
By default, no. CTD only needs email metadata (sender, recipient, timestamp, and subject) to build your contact profiles and score your relationships. We do not read or store email bodies.
You do have the option to grant CTD read access to your emails. If you do, you can read your own emails directly within CTD. We never store email bodies, and we never retrieve them without a specific action on your part. Read access is used solely to surface emails on demand for a better experience, nothing else.
Can I disconnect my accounts at any time?
Yes. You can disconnect any integration (Google, Microsoft, LinkedIn) from your CTD settings at any time. You can also revoke access directly in your Google or Microsoft account without going through CTD at all.
What happens to my data if I delete my account?
When you delete your account, we permanently delete all your personal data (contacts, relationship scores, email metadata, and any synced data) from our systems. This is irreversible and we do not retain backups of deleted accounts beyond our standard backup window.
Is my network shared with others?
Every user controls their own privacy and sharing rules. You have two starting points:
Closed network. Your contacts are visible only to you. From there, you can whitelist specific people or entire company domains you want to share with. For example, you can open your network to your own company's domain while keeping it hidden from everyone else.
Open network. Your contacts are visible to other CTD users you know. From there, you can block specific people or entire companies. For example, you can block everyone at a competitor so no one from that company can see your network.
Regardless of your network setting, you can also mark individual contacts as private. A private contact is visible only to you and no one else will know you have a relationship with that person.
How does CTD access company email on Business plans?
For Business Edition, CTD uses domain-wide delegation, a standard mechanism supported by Google Workspace and Microsoft 365 that lets your IT admin grant CTD access to company email at the domain level. The admin defines exactly what CTD can access. For example, if they configure metadata-only access, that is the only thing CTD will ever see: no email bodies, no attachments, nothing beyond what was explicitly granted. Access can be revoked by the admin at any time through the same admin console, with no action needed from individual users.
Once delegation is in place, CTD does not automatically create accounts for everyone at the company. Admins use a user management page to decide exactly which employees should have CTD accounts. From there, admins can provision those accounts directly, including setting the data scopes for each user, so end users have zero setup effort on their end. This is how automated provisioning works on Business plans: the admin is in full control at every step.
Is CTD a multi-tenant environment? How is customer data separated?
CTD is not a traditional multi-tenant application where each customer gets a physically isolated database or environment. By design, CTD is one unified relationship graph: its value comes from understanding how people and companies are connected across the entire network. Physical tenant separation would make that impossible.
What we have instead is logical separation enforced through privacy and sharing controls. Every user and organization controls exactly what is visible to whom, and those rules are enforced at the data layer on every query. Your contacts, relationship scores, and network data are never exposed to other users or companies beyond what you have explicitly shared. So while the underlying graph is unified, access to any given piece of data is tightly scoped by the permissions the owner has set.
For enterprises with stricter isolation requirements, our team is happy to walk through the architecture in detail and answer any specific compliance or security questionnaire items.
How do I report a security vulnerability?
If you believe you've found a security vulnerability in CTD, please contact us at security@ctd.ai. We take all reports seriously and will respond within 48 hours.
Questions about security or compliance?
Talk to our team: we're happy to share our SOC 2 report, answer compliance questionnaires, or walk through our controls.