Enterprise sales teams share sensitive information when they practice — product positioning, competitive intelligence, pricing strategy. FirstPass is built so that data is encrypted, scoped, auditable, and never used to train models.
Data protection isn't 1 layer — it's 3. Every piece of data that moves through FirstPass is encrypted in transit over TLS. Everything stored is encrypted at rest. And sensitive fields are individually encrypted with AES-256-GCM before they reach the database.
FirstPass does not use your practice sessions, transcripts, or call data to train AI models. The AI customer simulator is prompt-engineered with your product and persona context — not fine-tuned on your team's conversations. Your data is used to serve you, and only you.
FirstPass supports Google OAuth for quick setup and SAML SSO for enterprise identity management. When SSO is configured, new users are auto-provisioned into the correct organization with the role your admin specified — no manual account creation needed.
SAML metadata is stored encrypted using the same AES-256-GCM field-level encryption described above. Connection configuration supports key rotation via the SAML controller.
Every API request is authenticated, scoped to an organization, and checked against the user's role before any data is returned. Non-superuser roles see only their own organization's data — there is no way to query across org boundaries.
Every database query is filtered by organization. A user in Organization A cannot access calls, sessions, configurations, or dashboards belonging to Organization B — not through the UI, not through the API. Isolation is enforced at the query layer, not just the UI layer.
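Query-layer isolation of the kind described above can be sketched as a data-access object that appends the organization predicate to every statement. This is an added example, not FirstPass code; the `calls` table, its columns, and the `OrgScopedCalls` class are hypothetical, and the sample rows are constructed.

```python
import sqlite3


class OrgScopedCalls:
    """Hypothetical data-access object: every statement carries the org filter."""

    def __init__(self, db, org_id, is_superuser=False):
        self.db, self.org_id, self.is_superuser = db, org_id, is_superuser

    def _scope(self, where="", params=()):
        # Superusers are the only role allowed to query without the org predicate.
        if self.is_superuser:
            return (f" WHERE {where}" if where else ""), tuple(params)
        clause = f"({where}) AND org_id = ?" if where else "org_id = ?"
        return f" WHERE {clause}", tuple(params) + (self.org_id,)

    def list_calls(self):
        sql, params = self._scope()
        query = "SELECT id, org_id, title FROM calls" + sql + " ORDER BY id"
        return self.db.execute(query, params).fetchall()

    def get_call(self, call_id):
        # A valid ID from another org matches no row, so it looks like "not found".
        sql, params = self._scope("id = ?", (call_id,))
        query = "SELECT id, org_id, title FROM calls" + sql
        return self.db.execute(query, params).fetchone()

    def delete_call(self, call_id):
        # Writes are scoped the same way as reads; returns rows deleted.
        sql, params = self._scope("id = ?", (call_id,))
        return self.db.execute("DELETE FROM calls" + sql, params).rowcount


def demo_db():
    # Constructed sample data: one call per organization.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE calls (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, title TEXT)"
    )
    db.executemany(
        "INSERT INTO calls VALUES (?, ?, ?)",
        [(1, "org_a", "Pricing objection drill"),
         (2, "org_b", "Competitive positioning drill")],
    )
    return db
```

Because the predicate is added in one place below the API handlers, a handler that forgets an ownership check still cannot return or delete another organization's rows.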
Permission checks span 8 categories: settings, user management, integrations, audit, products, calls, annotation, dashboard, coaching, sessions, and micro-learnings. Each category has granular read/write/delete permissions assigned by role.
FirstPass logs every meaningful platform action — who did what, when, from where. Audit logs are searchable by user, event type, and date range. They're exportable as CSV for compliance review or integration with your SIEM.

| Field | What it captures |
|---|---|
| Event | Action type — login, user created, call deleted, settings updated, SAML connection configured, etc. |
| Actor | User ID and email of the person who performed the action |
| Target | Entity type and ID being acted upon (call, user, setting, etc.) |
| Organization | Which org the action occurred in |
| IP address | Originating IP, captured from request headers |
| User agent | Browser and device information |
| Metadata | Structured JSON with event-specific context (e.g., which fields changed, token costs for AI operations) |

FirstPass runs on AWS infrastructure with network isolation, web application firewall protection, and automated threat detection. The database is never exposed to the public internet.
Practice transcripts, scores, configurations, and coaching data belong to your organization. You can export them at any point — during the engagement and at termination. We don't hold data hostage, and we don't use it for anything beyond serving you.
FirstPass integrates with your existing learning infrastructure via LTI 1.3 (launch from your LMS with grade passback), SCORM 1.2 (package practice sessions for SCORM-compatible platforms), and xAPI (forward activity statements to your Learning Record Store). Enterprise tier includes all three.
Book a call. We'll walk through your security questionnaire, discuss your specific compliance requirements, and answer whatever procurement needs answered.