Security at GSTATIAC

Infrastructure Security

Enterprise-Grade Cloud Infrastructure

GSTATIAC is hosted on AWS (Amazon Web Services) with multiple redundancy layers:

• Multi-region deployment: Data is replicated across multiple geographic regions for high availability
• Auto-scaling infrastructure: Systems automatically scale to handle traffic spikes and DDoS attacks
• 99.9% uptime SLA: Enterprise customers receive guaranteed uptime with financial penalties for downtime
• Regular backups: Automated hourly backups with 30-day retention and point-in-time recovery

Network Security

• TLS 1.3 encryption: All data in transit is encrypted using the latest encryption standards
• DDoS protection: AWS Shield Advanced protects against network and application layer attacks
• Web Application Firewall (WAF): Blocks malicious traffic, SQL injection, and XSS attacks
• Private VPC: Database and internal services run in isolated virtual private clouds

Data Security

Encryption

• At-rest encryption: All databases and file storage use AES-256 encryption
• In-transit encryption: TLS 1.3 for all API and web traffic
• Key management: AWS KMS (Key Management Service) with automatic key rotation
• End-to-end encryption: Sensitive data like API keys are encrypted before leaving your browser

Data Privacy

• No credential storage: We never ask for or store your platform passwords. All platform connections use OAuth 2.0 or API tokens.
• Data isolation: Each customer's data is logically isolated in multi-tenant databases
• GDPR & CCPA compliant: We comply with all major privacy regulations
• Data residency options: Enterprise customers can choose where their data is stored

Application Security

Secure Development

• Security-first coding: All code follows OWASP secure coding guidelines
• Automated vulnerability scanning: Code is scanned for vulnerabilities before deployment
• Dependency management: Automated monitoring and updates for vulnerable dependencies
• Code reviews: All code changes require security-focused peer review

Access Controls

• Role-based access control (RBAC): Granular permissions for team members
• Two-factor authentication (2FA): Optional 2FA via TOTP apps or SMS
• SSO support: Enterprise customers can use SAML 2.0 single sign-on
• Session management: Automatic session timeouts and IP-based access restrictions
• Audit logs: Complete activity logs for compliance and forensic analysis

Platform Connections

OAuth 2.0 Authentication

We connect to advertising platforms using industry-standard OAuth 2.0:

• No password sharing: You authorize GSTATIAC directly through each platform's official login flow
• Token encryption: Access tokens are encrypted and stored in secure vaults
• Minimal permissions: We only request the minimum permissions needed for functionality
• Token refresh: Tokens are automatically refreshed without requiring re-authentication
• Revocable access: You can revoke GSTATIAC's access anytime from the platform's settings

Monitoring & Incident Response

24/7 Security Monitoring

• Real-time alerts: Automated alerts for suspicious activity and anomalies
• SIEM integration: Security Information and Event Management for threat detection
• Intrusion detection: Network and host-based intrusion detection systems
• Log aggregation: Centralized logging for security analysis and compliance

Incident Response

• Incident response team: Dedicated security team available 24/7
• Incident response plan: Documented procedures for containing and resolving security incidents
• Breach notification: We will notify affected customers within 72 hours of any data breach
• Post-incident reviews: Root cause analysis and corrective actions for all security incidents

Compliance & Certifications

Current Compliance

• SOC 2 Type II: Annual audit for security, availability, and confidentiality (in progress)
• GDPR: Full compliance with EU General Data Protection Regulation
• CCPA: Compliance with California Consumer Privacy Act
• PCI DSS: Compliant for payment card data (via Stripe)

Platform Certifications

• Google Partner: Certified Google Ads API partner
• Facebook Marketing Partner: Official Meta Business Partner
• TikTok Marketing Partner: Certified TikTok Ads API partner

Employee Security

Training & Policies

• Security training: All employees complete security awareness training
• Background checks: Background checks for all employees
• Least privilege access: Employees only have access to systems they need for their role
• Device management: Company devices with full-disk encryption and mobile device management
• Offboarding: Immediate access revocation when employees leave

Third-Party Security

Vendor Management

• Vendor security reviews: All vendors undergo security assessments
• Data processing agreements: DPAs with all vendors that handle customer data
• Minimal data sharing: We share only necessary data with third parties
• Subprocessor list: Transparent list of all data subprocessors available upon request

Penetration Testing

• Annual penetration tests: Third-party security firms conduct comprehensive pentests
• Bug bounty program: Rewards for security researchers who report vulnerabilities responsibly
• Remediation SLA: Critical vulnerabilities patched within 24 hours, high within 7 days

Business Continuity

Disaster Recovery

• Multi-region redundancy: Services can fail over to other regions automatically
• Recovery Time Objective (RTO): 4 hours for full service restoration
• Recovery Point Objective (RPO): Maximum 1 hour of data loss
• Regular DR drills: Quarterly disaster recovery testing

Security Questions?

We're committed to transparency about our security practices. If you have questions:

• Email: [email protected]
• Report vulnerability: [email protected] (PGP key available)
• Request security documentation: Enterprise customers can request SOC 2 reports, penetration test summaries, and other security documentation

Last Updated: February 1, 2026