Security Overview
Last updated: April 11, 2026
1. Data Encryption
Gift of Gab Tech Inc. employs industry-leading encryption standards to protect customer data throughout its lifecycle:
- At rest: All data stored in our databases and object storage is encrypted using AES-256. Database backups are similarly encrypted before being written to durable storage.
- In transit: All communications between clients and our servers are encrypted using TLS 1.3. We enforce HTTPS on all endpoints and do not support legacy TLS versions. Internal service-to-service communication is encrypted via mutual TLS where applicable.
- Key management: Encryption keys are managed through Azure Key Vault with automatic rotation policies. Keys are never stored alongside the data they protect.
2. Infrastructure
EMMA is hosted on Microsoft Azure, leveraging enterprise-grade cloud infrastructure with the following characteristics:
- Cloud provider: Microsoft Azure, a SOC 2 Type II and ISO 27001 certified platform.
- Data residency: Primary data processing occurs in Azure regions within the United States. Canadian data residency is available upon request for organizations requiring data to remain within Canadian borders.
- Container isolation: Application workloads run in isolated container environments with no shared tenancy at the infrastructure level.
- Network security: All production environments are protected by network security groups, web application firewalls (Azure Front Door), and DDoS protection services.
- High availability: Our architecture includes redundant components and automated failover to minimize downtime and ensure service continuity.
3. Access Controls
We implement strict access controls at every layer of the application:
- Role-Based Access Control (RBAC): The EMMA platform enforces granular role-based permissions. Organization owners, administrators, team leads, and agents each have precisely scoped access to data and functionality appropriate to their role.
- Multi-Factor Authentication (MFA): EMMA supports MFA-ready authentication flows. Enterprise customers can enforce MFA policies across their organization.
- Audit logging: All significant actions within the platform are recorded in a tamper-evident audit log, including user logins, data access events, configuration changes, and administrative actions.
- Principle of least privilege: Internal engineering access to production systems is restricted to authorized personnel and requires multi-factor authentication. Access is reviewed quarterly.
- Session management: JWT-based authentication tokens have configurable expiration periods. Sessions are invalidated upon logout or password change.
4. Incident Response
Gift of Gab Tech Inc. maintains a documented incident response plan that outlines procedures for identifying, containing, and resolving security incidents:
- Detection: Automated monitoring and alerting systems continuously scan for anomalous activity, unauthorized access attempts, and system integrity violations.
- Classification: Incidents are classified by severity (Critical, High, Medium, Low) with corresponding response timelines and escalation procedures.
- Notification: Affected customers are notified of confirmed data breaches within 72 hours of determination, in compliance with applicable privacy regulations including PIPEDA.
- Post-incident review: Every security incident undergoes a root-cause analysis. Findings are documented and remediation actions are tracked to completion.
5. Penetration Testing
We conduct regular security assessments to proactively identify and address vulnerabilities:
- External penetration testing: Third-party penetration tests are conducted at least annually by qualified security firms. Results and remediation timelines are available to enterprise customers under NDA.
- Automated vulnerability scanning: Application dependencies and container images are continuously and automatically scanned for known vulnerabilities (CVEs).
- Responsible disclosure: We maintain a responsible disclosure policy. Security researchers can report vulnerabilities to security@giftofgab.tech.
6. Employee Security Training
All Gift of Gab Tech Inc. personnel with access to customer data or production systems are required to complete:
- Security awareness training upon onboarding and annually thereafter.
- Role-specific training for engineering staff covering secure coding practices, OWASP Top 10 awareness, and secure deployment procedures.
- Phishing simulation exercises conducted periodically to maintain alertness to social engineering threats.
- Background checks for all personnel with access to production infrastructure.
7. Contact
For security-related inquiries, to report a vulnerability, or to request a detailed security questionnaire response, please contact us:
- Gift of Gab Tech Inc.
- Security Team: security@giftofgab.tech
- General Support: support@giftofgab.tech