
For Investors

Engineering

Five sub-blocks describe how PitchPad is built: the architecture, the integrations it depends on, the data model that flows through it, the security posture, and the scalability notes. Below them sits the tech-risk table — the five engineering risks that move the year-one plan most.

Architecture summary

Astro static front-end for the marketing surface plus a React island for the PWA shell. Node + Fastify API on Render with a managed Postgres instance. Cloudflare in front for asset delivery and DDoS. On-device voice inference through WebGPU (Llama 3.2 1B quantized) with a Whisper-server fallback for low-confidence utterances. Stripe Checkout for deposits; QuickBooks Online for the system-of-record invoice. The PWA is offline-tolerant: a walk-through, a price, and a signature can be captured without connectivity and synced when the truck reaches cellular. The whole production deployment is two services on Render plus one Postgres instance — deliberately small so a founding engineer can hold the system in one head.

Integrations

Data model

Five canonical entities: Operator (account, billing, integration credentials), RateCard (versioned JSON document — categories, line-item templates, modifiers, regional adjustments), WalkThrough (voice + photo + structured-scope record with on-device confidence scores), Proposal (priced output — line items, totals, deposit, signature block, calendar hold), and Homeowner (customer record with address, contact, proposal history, deposit history). Each WalkThrough → Proposal transition is an append-only event so the category-specific voice-to-line-item model corpus can be reconstructed from the log. Operator-to-operator data isolation by default; cross-operator referral graph is opt-in.

Security posture

No card data ever touches PitchPad — Stripe handles the PAN. QuickBooks OAuth tokens are envelope-encrypted at rest on the Render-managed Postgres instance with the data-encryption key held in Render's secret store. Voice recordings are encrypted in transit (TLS 1.3) and at rest (AES-256). The on-device LLM runs inside the browser's WebGPU sandbox; no inference data leaves the device unless the operator opts in to the server-fallback path per utterance. We treat the operator as data controller and the homeowner as data subject under the standard service-provider model — homeowner deletion requests cascade to all PitchPad-held records within 30 days. An annual third-party penetration test is in the year-two budget; in year one we run quarterly self-audits against the OWASP ASVS Level 1 checklist.
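One way the envelope encryption of OAuth tokens described above can be laid out, as an added example that is not PitchPad's code. It assumes the key read from the secret store wraps a fresh per-token key, and that each record is bound to its operator id; the function names and record layout are hypothetical.

```javascript
// Added example, not PitchPad code. Names and record layout are assumptions.
const crypto = require('node:crypto');

// AES-256-GCM with a fresh 96-bit IV; `aad` binds the ciphertext to its context.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]); // iv(12) | tag(16) | ciphertext
}

function open(key, blob, aad) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12),
    { authTagLength: 16 });
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, the AAD or any byte of the blob is wrong.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Envelope: a per-token key encrypts the token; the secret-store key wraps only that key.
function encryptToken(storeKey, operatorId, token) {
  const aad = Buffer.from(`operator:${operatorId}`);
  const tokenKey = crypto.randomBytes(32);
  const record = {
    wrappedKey: seal(storeKey, tokenKey, aad).toString('base64'),
    ciphertext: seal(tokenKey, Buffer.from(token, 'utf8'), aad).toString('base64'),
  };
  tokenKey.fill(0); // do not leave the per-token key in memory
  return record;
}

function decryptToken(storeKey, operatorId, record) {
  const aad = Buffer.from(`operator:${operatorId}`);
  const tokenKey = open(storeKey, Buffer.from(record.wrappedKey, 'base64'), aad);
  try {
    return open(tokenKey, Buffer.from(record.ciphertext, 'base64'), aad).toString('utf8');
  } finally {
    tokenKey.fill(0);
  }
}

// Rotating the secret-store key re-wraps the per-token key; the ciphertext is untouched.
function rewrap(oldKey, newKey, operatorId, record) {
  const aad = Buffer.from(`operator:${operatorId}`);
  const tokenKey = open(oldKey, Buffer.from(record.wrappedKey, 'base64'), aad);
  return { ...record, wrappedKey: seal(newKey, tokenKey, aad).toString('base64') };
}
```

Because the operator id is authenticated data, a row copied onto another operator's account fails to decrypt instead of yielding that operator a working token.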

Scalability notes

The current single-instance architecture comfortably holds 5,000 paying operators before we shard Postgres or move voice fallback to a managed inference platform. The principal scaling risk is not request rate (per-operator API call volume is low — a walk-through is a handful of requests) but cold-start latency on the rate-card engine when an operator opens the PWA after a quiet day. A 12-hour pre-warm strategy is in the queue. Trade-pub channel partnerships can spike sign-ups during a promotional window; the concierge onboarding pace (roughly one operator per engineer-week) is the real throttle, and the model assumes a second engineer at the 50-operator mark.

Tech-risk register

| # | Risk | Severity | Likelihood | Mitigation | Confidence |
|---|------|----------|------------|------------|------------|
| T1 | On-device LLM accuracy under windy or low-quality audio conditions | High | Medium | Whisper-server fallback path with operator-visible confidence indicator; per-category prompt tuning during concierge onboarding | Modeled |
| T2 | QuickBooks Online OAuth token expiry breaks reconciliation at scale | Medium | Low | Use Intuit-recommended refresh cadence; operator alert on expiry; manual CSV export documented as fallback | Sourced |
| T3 | Stripe Checkout deposit chargebacks in home-services category | Medium | Low | Pre-flight Stripe underwriting carve-out before founding cohort; cap deposit percentage during validation; explicit homeowner-facing TOS | Sourced |
| T4 | WebGPU availability on older iOS / Android devices | Medium | Medium | Server-fallback path triggers automatically on WebGPU absence; warn during concierge onboarding if operator device lacks WebGPU | Modeled |
| T5 | Postgres single-instance cold-start latency on rate-card engine after idle period | Low | Medium | 12-hour pre-warm strategy; Cloudflare edge cache for the most recent rate-card version per operator | Assumption |