How we secure your data.
GBPHive's security program is built on the principle that customer data is never our data. This page summarizes the technical and organizational measures behind that posture.
Compliance
- SOC 2 Type II — annual audit. Report available under NDA; contact sales to request it.
- GDPR — Data Processing Addendum at /legal/dpa.
- CCPA / CPRA — covered under our privacy policy.
- Google API Services User Data Policy — full disclosure at /legal/google-api-disclosure.
Technical controls
Encryption
All data is encrypted in transit (TLS 1.2 minimum, TLS 1.3 preferred) and at rest (AES-256). Customer secrets and OAuth tokens are encrypted using a per-workspace data encryption key wrapped by a KMS-managed master key.
Access control
Role-based access control inside every workspace. SAML 2.0 / OIDC SSO and SCIM provisioning available on Studio and Scale. Internal access to production data is restricted to a small on-call rotation, time-limited, and audited.
Workspace isolation
Strict per-workspace data isolation. Cross-workspace data access is impossible by design — there is no internal API path that can return data for two workspaces in one query.
Vulnerability management
Continuous dependency scanning, automated container scanning, and an annual third-party penetration test. Critical vulnerabilities are patched within 48 hours of disclosure.
Audit logging
Every action against the platform is logged with actor, target, and timestamp. Audit logs are exportable to your SIEM via webhook on the Scale plan.
Incident response
We notify affected customers within 72 hours of confirming a personal data breach, in line with our DPA and applicable law. Postmortems for service-affecting incidents are published on the blog within 5 business days.
Reporting a vulnerability
Email security@gbphive.com with details. We acknowledge within one business day and we do not pursue legal action against good-faith researchers who follow responsible disclosure.
- SOC 2 Type II report
- Penetration test summary
- Security questionnaire response
- Counter-signed DPA
- Architecture overview