Growth Method's Security Details

Growth Method connects AI agents to the systems where marketing teams already work: CRMs, email tools, customer data warehouses, and collaboration tools. We recognise that running agents against systems holding sensitive customer data raises the bar on security. While we are a small team, we work hard to punch above our weight on security.

This document covers our security practices and policies.

General practices

• Access to servers, source code, and third-party tools is secured with two-factor authentication.
• We use strong, randomly generated passwords that are never re-used.
• Employees and contractors are given the lowest level of access that allows them to get their work done. This rarely includes access to production systems or customer data.
• We use automated security vulnerability detection tools to alert us when our dependencies have known security issues, and apply patches aggressively.
• We don’t copy production data to external devices (like personal laptops).

Access control and organisational security

Personnel

Our employees and contractors sign an NDA before gaining access to sensitive information.

Agent security

The bulk of Growth Method’s security work concerns how agents interact with connected systems on behalf of customers.

Tool controls

Every agent runs with the minimum tool access it needs for the job. Destructive actions (sending email at scale, deleting records, modifying campaigns) require explicit human approval.

Remote MCP servers only

We never run MCP servers on user machines. All MCP servers run in our managed environment, behind authentication and access controls.

First-party MCP servers preferred

Where a vendor (Slack, HubSpot, Notion, Salesforce, and others) operates an official first-party remote MCP server, we use it. Where a first-party server doesn’t yet exist, we run a sandboxed instance of an open-source server in our managed environment, never on a user’s machine.

Credential handling

API keys and OAuth tokens for connected systems are never distributed to end users and never stored in plaintext. Credentials are managed centrally, encrypted at rest, scoped per integration, and rotated. When a user is removed, access to connected systems is revoked at the source.

Integration records

An integration record is locked the moment it is created. Credentials cannot be read back, modified, or exported through the application. To rotate or revoke an integration, the record is deleted and replaced.

Tool call logging

Every tool call an agent makes is logged: what was requested, what was returned, when, which agent made it, and on whose behalf. Logs are available for audit.

Supply chain protection

The packages we depend on, and the open-source MCP servers we run, can themselves become attack vectors. Recent compromises in nx, litellm, axios, and bitwarden each gave attackers a path to code execution on every machine that pulled in the malicious update. In each case the compromise was detected within hours or days of publication.

When updating dependencies, we skip any npm package published in the last 7 days. We also scan all dependencies for known vulnerabilities on every build, and run MCP servers in sandboxed environments isolated from customer data.

Encryption

All communication between Growth Method clients and our backend is encrypted in transit using TLS 1.2 or higher. Customer data and connected-system credentials are stored at rest with AES-256 encryption.

Data retention and logging

Application and audit logs are retained in hot storage for 30 days, then archived to cold storage for 12 months before permanent deletion. Customer data is retained for the duration of your subscription and deleted within 30 days of cancellation, or sooner on request.

Software development practices

• Code is tested in a staging environment before deployment to production.
• All deployments are tracked and auditable.

Vulnerability detection

Our codebase, infrastructure, and dependencies are continuously scanned for known security vulnerabilities. Vulnerable dependencies are patched and redeployed rapidly.

Hosting

Our backend infrastructure runs on DigitalOcean, provisioned and managed through Laravel Forge. DigitalOcean’s data center operations have been accredited under:

• ISO 27001
• SOC 1 Type II and SOC 2 Type II
• PCI DSS
• CSA STAR Level 1

FAQs

Is my customer data used to train AI models?

No. Data passing through Growth Method is not used to train any model, by us or by any model provider we route to.

Are you SOC 2 or ISO 27001 certified?

While we’d eventually love to achieve these certifications, we don’t hold them at this time.

Can an agent take a destructive action without my knowledge?

No. Destructive actions (sending email at scale, deleting records, modifying campaigns, posting to public channels) are gated behind explicit human approval.

What happens to my connected-system credentials when I cancel?

Credentials are revoked at the source and removed from our system.

Do you run MCP servers on my team’s laptops?

No. All MCP servers run in our managed environment. Nothing is installed on your team’s machines.

How do I report a potential vulnerability or security concern?

Please email us at security@growthmethod.com and we’ll get back to you as soon as possible.

Any further questions?

Email us and we’ll happily update this document.