Security

Last updated: · Self-managed posture document · No third-party audit (yet).

This page is Gulf Shield Technologies' corporate security posture. It documents how we think about security, what subprocessors handle your data, how we respond to incidents, and what compliance programs we run (and don't run). For product-specific data flows, see the per-product security pages linked at the end.

Core principles

  • Local-first by default. Where a product can run on your machine instead of ours, it does. Canopy is the canonical example — your code never leaves your environment.
  • Minimal data collection. Products collect what they need to function and nothing more. Per-product details live on each product's privacy page.
  • Encryption in transit. All public endpoints serve over HTTPS with HSTS preload. No mixed content; no plaintext APIs.
  • Closed-source software with public posture. Source code for paid tiers is not available; this page is how we substitute for source-level transparency. Ask about anything not covered here.
  • Responsible disclosure. If you find a security issue, we want to hear about it before anyone else does (see "Reporting a vulnerability" below).
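The "Encryption in transit" principle above names HSTS preload as a control. As an added example (not part of this posture document and not Gulf Shield code), here is a small checker that parses a Strict-Transport-Security header value and reports why it would fail the preload list's requirements: a max-age of at least one year, includeSubDomains, and the preload token. The sample header values are constructed; the optional fetch helper uses only the standard library and is an assumption about how you would run it against your own endpoints.

```python
"""Check a Strict-Transport-Security header for preload eligibility.

Added example for the 'Encryption in transit' control; sample headers below
are constructed, not captured from any real endpoint.
"""
from typing import Optional
import urllib.request

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts


def parse_hsts(header: str) -> dict:
    """Parse an HSTS header value into a dict keyed by lowercase directive.

    Value-less directives map to True; max-age maps to an int.
    Raises ValueError on a non-numeric max-age.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age: {value!r}")
            directives[name] = int(value)
        else:
            directives[name] = value if value else True
    return directives


def preload_problems(header: Optional[str]) -> list:
    """Return the reasons a header is not preload-eligible; empty list if OK."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if "max-age" not in d:
        problems.append("missing max-age")
    elif d["max-age"] < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} below {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def fetch_hsts(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch `url` (assumed https://) and return its HSTS header, if any.

    Network helper for running the check against your own hosts; not used
    by the offline samples below.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Strict-Transport-Security")


# Constructed sample header values exercising the three common outcomes.
SAMPLES = {
    "good": "max-age=63072000; includeSubDomains; preload",
    "too short": "max-age=300; includeSubDomains; preload",
    "absent": None,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:>9}: {preload_problems(value) or 'preload-eligible'}")
```

Run it as-is to see the three constructed cases, or call `preload_problems(fetch_hsts("https://your-host"))` to check a live endpoint. A header that passes here is necessary but not sufficient for preload submission; the list also requires the redirect from HTTP and a valid certificate chain, which this parser does not inspect.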

Subprocessors

The following third-party services receive limited data on our behalf to operate the products. Each is bound by its own published terms and security practices; we don't add data on top of what their stated processing requires.

Subprocessor                        | Purpose                                                                | Data scope
------------------------------------|------------------------------------------------------------------------|------------------------------------------------------------------------------
Cloudflare (Pages, Workers, R2, D1) | Site hosting, serverless backend, license storage, binary distribution | License keys, customer email, machine fingerprint hash, transient request logs
Stripe                              | Payment processing, subscription management                            | Customer email, billing details, subscription state
Resend                              | Transactional email (license delivery, receipts, password reset)       | Customer email, message content (transactional only)
Google Fonts                        | Web font delivery (Inter, Fraunces)                                    | No PII; visitor IP transient at edge

We will notify customers in writing at least 30 days before adding a subprocessor that materially changes the data scope above.

Data flow & retention

  • Active subscription data (license, customer email, payment state) is retained as long as your subscription is active.
  • Tax / financial records (Stripe transaction history, invoices) are retained 7 years per US federal record-keeping obligations, after which they are purged.
  • Identifiable telemetry (anonymous feature usage counts, when opted in) is purged after 90 days; aggregated form (counts only, no per-user attribution) may be retained longer for product analytics.
  • No code, file paths, or query content is ever stored. Canopy's heartbeat carries license-hash + version + platform only; see the per-product page for the full byte-by-byte schema.

Access controls

  • MFA required on all administrative accounts (Cloudflare, Stripe, Resend, GitHub).
  • Least-privilege scoping on all subprocessor API keys; production keys are not stored locally and are rotated on personnel change.
  • Deprovisioning on personnel change happens within 24 hours; this includes Cloudflare/Stripe/Resend/GitHub access removal and key rotation for any keys the departing person had.
  • No shared credentials. Every administrative login is per-person.

Incident response

If a security incident is detected (subprocessor breach notification, internal anomaly, customer report, or public disclosure):

  1. Triage within 24 hours — confirm scope, isolate impact, preserve logs.
  2. Notify affected customers within 72 hours of confirming material impact (email to the address on file).
  3. Mitigate — patch, rotate credentials, revoke compromised licenses as needed.
  4. Post-mortem — the customer notification will summarize root cause and corrective action; a public write-up may follow when it would help others avoid the same class of issue.

We have not had a customer-affecting security incident as of this writing; this is the protocol that would run if one occurs.

Backup & disaster recovery

  • License + customer state (Cloudflare D1). Daily automatic backups via Cloudflare's managed backup, retained 30 days.
  • Binary distribution (Cloudflare R2). Releases are content-addressed; we keep all prior releases indefinitely. Customers on annual licenses can re-download any version they were licensed for.
  • Configuration as code. All Workers, Pages config, and infrastructure live in Git; we can rebuild the entire backend from source within a few hours.
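The binary distribution point above says releases are content-addressed, and the per-product page is described as carrying a downloadable hash list. As an added example (not Gulf Shield's own tooling), here is how a customer would verify a downloaded archive against such a list before installing it. The list format is assumed to be the sha256sum style (`<hex digest>  <filename>`); the filename and digest in the embedded sample are constructed, and the sample "archive" is just the bytes `hello` written to a temporary file.

```python
"""Verify a downloaded release archive against a published sha256 list.

Added example; the sha256sum-style list format is an assumption, and the
sample list below is constructed rather than taken from a real release.
"""
import hashlib
import hmac
import os
import tempfile


def parse_hash_list(text: str) -> dict:
    """Map filename -> expected sha256 hex from sha256sum-style lines.

    Blank lines and '#' comments are ignored; a leading '*' (binary-mode
    marker) on the filename is dropped; malformed lines raise ValueError.
    """
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"line {lineno}: not a sha256sum entry")
        digest, name = parts
        int(digest, 16)  # raises ValueError if the digest is not hex
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_file(path: str) -> str:
    """Hash the file in 1 MiB chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(path: str, hash_list: str) -> bool:
    """True only if the file's basename is listed and its digest matches.

    A file that is absent from the list is treated as a failure, not a pass,
    and the comparison is constant-time to keep the check uniform.
    """
    expected = parse_hash_list(hash_list)
    name = os.path.basename(path)
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_file(path), expected[name])


# Constructed sample: the digest is sha256(b"hello"); the filename is hypothetical.
SAMPLE_HASH_LIST = (
    "# constructed sample; not a real release entry\n"
    "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  canopy-example.tar.gz\n"
)


def demo(content: bytes = b"hello") -> bool:
    """Write `content` under the listed filename in a temp dir and verify it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "canopy-example.tar.gz")
        with open(path, "wb") as f:
            f.write(content)
        return verify_release(path, SAMPLE_HASH_LIST)


if __name__ == "__main__":
    print("intact archive:", demo())             # True
    print("tampered archive:", demo(b"hellp"))   # False
```

Against a real download, call `verify_release("/path/to/archive", open("hashes.txt").read())` with the list fetched over HTTPS from the vendor's page, and refuse to install on `False`. The check only proves the file matches what the vendor published; it does not authenticate the list itself, so fetch it from the HSTS-protected origin rather than from the same mirror as the archive.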

Compliance status (honest version)

  • SOC 2: Not pursued. We will engage if a specific enterprise customer requires it. Estimated timeline from start of engagement: 4-6 months for Type 1, 9-12 months for Type 2.
  • ISO 27001: Not pursued. Same conditions as SOC 2.
  • HIPAA / BAAs: Not currently signed. We can scope a BAA if a healthcare prospect requires it; this requires moving certain subprocessors to BAA-eligible tiers (notably Cloudflare Enterprise) and adds material cost. Lead time: 3-5 weeks.
  • GDPR: We currently sell to US customers only. Customers outside the US are out of scope until we explicitly launch in-region.
  • This page (Tier 1 self-managed posture): Active. Updated at least annually or when a control material to the answers above changes.

Per-product details

  • Canopy security page — license heartbeat schema, machine fingerprint hashing, threat model, downloadable releases hash list.

Reporting a vulnerability

Email privacy@gulfshieldtech.com with details of the issue. We aim to acknowledge within two business days and remediate critical issues within seven days. Please don't disclose publicly until we've had a chance to investigate and ship a fix; we'll credit you in the incident summary if you'd like.

Procurement / questionnaires

For CAIQ, SIG Lite, or company-specific security questionnaires, email hello@gulfshieldtech.com with the document attached. Most standard questions are answered above; we'll fill in the form and return it within five business days.