Security Policy

Last Updated: February 1, 2026

Our Commitment

At GullStack Trust, security is foundational to everything we build. We implement enterprise-grade security measures to protect your data and ensure the reliability of our platform.

Infrastructure Security

Hosting & Architecture

  • Application hosted on Vercel's enterprise infrastructure
  • Backend services on Railway with isolated containers
  • PostgreSQL database with automated backups
  • Redis caching layer with encryption
  • Global CDN for fast, secure content delivery

Network Security

  • TLS 1.3 encryption for all data in transit
  • DDoS protection at the network edge
  • Web Application Firewall (WAF) rules
  • Regular security scanning and penetration testing

Data Protection

Encryption

  • In Transit: All connections use TLS 1.2 or higher
  • At Rest: Database encryption using AES-256
  • Secrets: Environment variables and API keys stored encrypted

Access Control

  • Role-based access control (RBAC) with 7 permission levels
  • Multi-factor authentication (MFA) support
  • Session management with secure, HTTP-only cookies
  • Automatic session expiration after inactivity

Application Security

Secure Development

  • Code review required for all changes
  • Automated security scanning in CI/CD pipeline
  • Dependency vulnerability monitoring
  • Regular security training for the development team

Input Validation

  • Server-side validation using Zod schemas
  • SQL injection prevention via parameterized queries (Prisma ORM)
  • XSS protection with content sanitization
  • CSRF protection on all state-changing operations

Authentication & Authorization

  • Google OAuth 2.0 for single sign-on
  • JWT tokens with secure signing (RS256)
  • Password hashing with bcrypt (cost factor 12)
  • Account lockout after failed login attempts
  • Secure password reset flow with time-limited tokens

Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store credit card numbers on our servers.

  • Stripe.js for client-side card collection
  • Tokenization of payment methods
  • Webhook signature verification
  • Stripe Connect for secure tenant payouts

Monitoring & Response

Monitoring

  • 24/7 infrastructure monitoring
  • Real-time alerting for anomalies
  • Comprehensive audit logging
  • Error tracking and performance monitoring

Incident Response

  • Documented incident response procedures
  • Severity classification system
  • Customer notification within 72 hours of a confirmed breach
  • Post-incident review and remediation

Compliance

  • CCPA: California Consumer Privacy Act compliance
  • GDPR: General Data Protection Regulation compliance
  • PCI DSS: Payment security via Stripe
  • SOC 2: Type II certification in progress

Note: GullStack Trust is not a HIPAA covered entity. We do not store or process Protected Health Information (PHI).

Vulnerability Disclosure

We appreciate the security research community. If you discover a security vulnerability, please report it responsibly:

  • Email: security@gullstack.com
  • Include detailed steps to reproduce the issue
  • Allow us reasonable time to address the issue before public disclosure

Contact

For security questions or concerns:

  • Security Team: security@gullstack.com
  • General Inquiries: support@gullstack.com