Effective: May 10, 2026


Summary

Accountmade processes prompts, source documents, brand assets, CRM fields, generated decks, shared-deck content, and viewer telemetry. Security depends on Accountmade safeguards and customer-side configuration. Do not put secrets, credentials, payment card data, health data, or other prohibited sensitive data into Accountmade unless a separate written agreement expressly permits it.

This page is an operational security overview, not a warranty or standalone SLA.

1. Product security boundary

Accountmade is an AI-assisted deck-generation and sharing service. The main security boundaries are:

  • account and workspace access;
  • source documents and prompts submitted for deck generation;
  • brand kits, personas, and deck libraries;
  • CRM integration scopes and mapped fields;
  • generated decks and exports;
  • shared links, passwords, custom domains, and duplication settings;
  • shared-deck viewer analytics; and
  • support interactions and diagnostic logs.

Customers control what data is submitted, which integrations are connected, who is invited to a workspace, and which decks are shared.

2. Access control

Accountmade uses account authentication, workspace membership, role-based permissions, and administrative controls designed to limit access to workspace data.

Customers should:

  • invite only authorized users;
  • remove users promptly when access is no longer needed;
  • use strong authentication through supported login methods;
  • protect API keys, integration tokens, and credentials;
  • limit CRM OAuth scopes to what is needed;
  • review shared-link settings before sending decks; and
  • avoid sharing a single seat across multiple active users.

3. Data protection

Accountmade uses encryption in transit and provider-supported encryption at rest. We maintain access controls, logging, monitoring, backup procedures, and incident response processes designed to protect Customer Content and Customer Personal Data.

Customer Content may be processed by subprocessors listed at accountmade.com/legal/subprocessors, including hosting, database, storage, AI, email, analytics, error-monitoring, support, and security providers.

4. AI processing safeguards

AI features process prompts, source documents, brand context, personas, selected CRM fields, and deck context. Accountmade does not use Customer Content or Customer Personal Data to train AI models.

Customers should not submit:

  • passwords, API keys, tokens, or secrets;
  • payment card numbers or bank account numbers;
  • government identifiers;
  • protected health information;
  • special-category personal data;
  • confidential information that should not be processed by AI providers; or
  • source documents they do not have rights to use.

5. Shared-deck security

Decks shared through accountmade.com, custom domains, or exports can expose content to recipients and viewers. A link may be accessible to anyone with the link unless additional restrictions are enabled.

Customers should:

  • use password protection or access restrictions where appropriate;
  • disable duplication where not intended;
  • avoid including confidential or regulated data in shared decks;
  • confirm custom-domain ownership and DNS configuration;
  • rotate or disable links that are no longer needed;
  • review viewer analytics implications; and
  • provide required privacy notices to recipients.

6. CRM integration security

CRM integrations can expose prospect, customer, deal, or account data. Customers should:

  • map only fields needed for deck generation;
  • avoid special-category or sensitive data;
  • respect marketing opt-outs and suppression lists;
  • revoke integration access when no longer needed;
  • periodically review connected accounts and scopes; and
  • ensure the CRM provider's own settings and terms are followed.

7. Operational safeguards

Accountmade maintains operational safeguards designed to support security, including:

  • access control and least-privilege practices;
  • infrastructure-provider security controls;
  • error monitoring and abuse detection;
  • rate limiting and bot protection;
  • vulnerability and dependency review;
  • backup and recovery processes;
  • subprocessor review; and
  • incident response procedures.

Security measures may change as the Service evolves, provided the overall protection for Customer Personal Data is not materially reduced.

8. Incident response

If we become aware of a security incident affecting Customer Personal Data, we will notify affected customers as required by the DPA and applicable law. Notices will include information reasonably available at the time and will be supplemented as the investigation develops.

Customers should notify Accountmade immediately if they suspect unauthorized workspace access, exposed credentials, compromised CRM tokens, or leaked shared links.

9. Vulnerability reporting

Good-faith security reports may be sent to hello@accountmade.com. Please include:

  • affected domain, endpoint, or feature;
  • steps to reproduce;
  • potential impact;
  • screenshots or proof-of-concept details where safe;
  • your contact information; and
  • whether any data was accessed.

Do not access, modify, delete, exfiltrate, or disrupt data that does not belong to you. Do not perform denial-of-service testing, social engineering, spam, malware testing, or physical attacks.

We will not pursue legal action for good-faith security research that avoids harm, respects privacy, and is promptly reported.

10. Enterprise security requests

Security questionnaires, DPA requests, subprocessor questions, and enterprise review requests may be sent to hello@accountmade.com or legal@accountmade.com.

12. Contact

Legal: legal@accountmade.com

Support: hello@accountmade.com

accountmade.com