Security that earns IT approval
Real estate agents handle their clients' most sensitive financial data. This page documents the specific technical controls protecting it -- not marketing copy, but the actual implementation.
Encryption
AES-256 at rest. TLS 1.3 in transit. HSM-backed secrets.
Every byte of client data is encrypted with the same standards used by banks and governments. No shortcuts, no exceptions.
AES-256 encryption at rest (Azure PostgreSQL)
All data stored in Azure Database for PostgreSQL is encrypted using AES-256 via Azure Storage Service Encryption. Encryption keys are managed by the platform and rotated automatically -- your data is never stored in plaintext.
TLS 1.3 enforced for all connections
Every connection between your browser and Gift of Gab uses TLS 1.3, the current version of the TLS protocol. Older TLS versions (1.0, 1.1) are rejected at the Azure Front Door edge. Certificate management is automated through Azure-managed certificates with auto-renewal.
Azure Key Vault with HSM-backed protection
All API keys, webhook signing secrets, database credentials, and JWT signing keys are stored in Azure Key Vault. Secrets are fetched at runtime via Managed Identity -- they never exist in application code, environment variables, or config files. Webhook secrets follow the convention crm-{provider}-{orgId} with 5-minute cache TTL.
Managed Identity -- no stored credentials
Our API authenticates to Azure services (Key Vault, PostgreSQL, Container Registry) using Azure Managed Identity. There are zero passwords or connection strings in the codebase. The identity is scoped to the specific Container App and cannot be used from any other resource.
Infrastructure
Azure Canada Central. SOC 2 Type II infrastructure. Zero trust.
Every component runs inside Microsoft Azure's Canada Central region. Your data never leaves Canadian soil.
Azure Canada Central -- data residency guaranteed
Compute (Azure Container Apps), database (Azure Database for PostgreSQL Flexible Server), secrets (Azure Key Vault), and CDN (Azure Front Door) all run in the Canada Central region (Toronto). Data at rest and in transit stays within Canadian borders, satisfying PIPEDA data residency expectations and provincial privacy legislation.
SOC 2 Type II, ISO 27001, FedRAMP (Azure)
Our infrastructure provider, Microsoft Azure, maintains SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, and FedRAMP High certifications. Azure compliance reports are available on request through our trust center. We inherit these controls by design -- our architecture does not introduce exceptions.
Azure Container Apps with auto-scaling
Our API runs as a non-root container on Azure Container Apps with automatic horizontal scaling. The container image is built with a multi-stage Docker build (the .NET SDK image compiles the code; only the ASP.NET runtime image ships in the final stage), pushed to a private Azure Container Registry (giftofgab.azurecr.io), and deployed through GitHub Actions CI/CD with a staging gate and manual production approval.
Zone-redundant PostgreSQL with 35-day PITR
Azure Database for PostgreSQL Flexible Server runs in a zone-redundant configuration with automatic failover. Point-in-time restore (PITR) is configured for 35 days -- we can recover your data to any second within that window. Automated backups are geo-redundant.
Azure Front Door with WAF and DDoS protection
All traffic routes through Azure Front Door, which provides Layer 7 load balancing, TLS termination, Web Application Firewall (WAF) rules, and built-in DDoS protection. Geographic filtering restricts traffic to expected regions.
Authentication & Access Control
JWT auth. httpOnly cookies. RBAC with capability policies.
Industry-standard authentication hardened with defense-in-depth against session hijacking, CSRF, brute force, and privilege escalation.
JWT authentication with strict validation
Authentication uses JSON Web Tokens with RS256 signing. Production enforces minimum 32-character secrets with automated checks that reject placeholder values. Tokens carry organization ID, user ID, and role claims. Token lifetime is short-lived with refresh token rotation.
httpOnly, Secure, SameSite cookies
Auth tokens are stored in httpOnly cookies with Secure and SameSite=Strict flags. Tokens are never stored in localStorage or sessionStorage, making them immune to XSS-based token theft. JavaScript cannot read or exfiltrate authentication credentials.
Role-Based Access Control with 12+ capability policies
Four organizational roles (Owner, Admin, Team Lead, Agent) are enforced through ASP.NET Core authorization policies. Capabilities are granular: CanViewContacts, CanCreateContacts, CanUpdateContacts, CanDeleteContacts, CanViewInteractions, CanCreateInteractions, CanIngestContacts, CanManageIntegrations, CanManageSettings, CanManageUsers, and more. Every API endpoint declares its required policy.
Multi-tenant data isolation
Every database query is scoped by OrganizationId. There is no global query that can return data across tenants. The OrgId is extracted from the authenticated JWT -- it cannot be spoofed via query parameters or request body. Entity Framework query filters enforce this at the ORM level.
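As an added illustration (not the project's own code) of the ORM-level scoping described above, the sketch below binds an EF Core global query filter to the organization claim of the authenticated JWT. The claim name org_id, the ITenantProvider interface and the Contact entity are assumptions.

```csharp
using System;
using Microsoft.AspNetCore.Http;
using Microsoft.EntityFrameworkCore;

// Hypothetical tenant resolver: the organization id comes only from the
// authenticated principal's JWT claim, never from a query parameter or body.
public interface ITenantProvider { Guid OrganizationId { get; } }

public sealed class ClaimsTenantProvider : ITenantProvider
{
    private readonly IHttpContextAccessor _http;
    public ClaimsTenantProvider(IHttpContextAccessor http) => _http = http;

    public Guid OrganizationId
    {
        get
        {
            // "org_id" is an assumed name for the organization ID claim.
            var claim = _http.HttpContext?.User.FindFirst("org_id")?.Value;
            // Fail closed: no principal or no claim yields Guid.Empty, which
            // matches no tenant's rows instead of every tenant's rows.
            return Guid.TryParse(claim, out var id) ? id : Guid.Empty;
        }
    }
}

public sealed class Contact
{
    public Guid Id { get; set; }
    public Guid OrganizationId { get; set; }
    public string Name { get; set; } = "";
}

public sealed class AppDbContext : DbContext
{
    // Captured once per request-scoped context instance.
    private readonly Guid _orgId;

    public AppDbContext(DbContextOptions<AppDbContext> options, ITenantProvider tenant)
        : base(options) => _orgId = tenant.OrganizationId;

    public DbSet<Contact> Contacts => Set<Contact>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // Global query filter: every LINQ query over Contacts is rewritten to
        // include this predicate, so a controller that forgets its own Where
        // clause still cannot return another organization's rows.
        modelBuilder.Entity<Contact>()
            .HasQueryFilter(c => c.OrganizationId == _orgId);
    }
}
```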
Rate limiting on sensitive endpoints
Authentication, webhook, and AI endpoints are rate-limited using ASP.NET Core's built-in rate limiting middleware. Brute force login attempts trigger progressive backoff. The rate limiter is configured per-endpoint with separate policies for public and authenticated routes.
CSRF protection via custom header validation
All API calls require a custom X-Requested-With header. Requests without this header are rejected before reaching controller logic. This mitigates cross-site request forgery because a browser will only attach a custom header to a cross-origin request after a CORS preflight, which our API does not grant to third-party origins; a request carrying the header must therefore originate from our frontend, not from a third-party site.
SAML 2.0 SSO for enterprise brokerages
Enterprise brokerage customers can federate authentication through SAML 2.0 Single Sign-On. Our SsoService handles AuthnRequest generation, assertion validation with XML signature verification, auto-provisioning of SSO-authenticated users, and JWT issuance. Agents sign in with their brokerage credentials -- no separate Gift of Gab password needed.
Response Hardening
9 security headers on every response. No exceptions.
Our SecurityHeadersMiddleware enforces a strict header policy on every HTTP response. These are not optional -- they are applied at the middleware level before any controller logic runs.
Strict-Transport-Security (HSTS)
max-age=31536000; includeSubDomains; preload -- forces HTTPS for 1 year across all subdomains. We are on the HSTS preload list.
Content-Security-Policy (CSP)
Restrictive CSP: default-src 'self'; script-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests. Only whitelisted domains (our API, Azure Application Insights, Google Fonts) are allowed. No inline scripts.
X-Frame-Options: DENY
Prevents our pages from being embedded in iframes on any domain, blocking clickjacking attacks entirely.
Additional headers enforced
X-Content-Type-Options: nosniff (prevents MIME sniffing), Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy (camera disabled, microphone self-only for VoIP, geolocation/payment/USB disabled), Cache-Control: no-store on all API responses (PII protection), Server and X-Powered-By headers stripped.
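An added example, not the project's SecurityHeadersMiddleware, showing how the nine-header policy described in this section can be applied once at the ASP.NET Core middleware level. The /api path prefix used for the Cache-Control rule and the Program.cs wiring are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public sealed class SecurityHeadersMiddleware
{
    private readonly RequestDelegate _next;
    public SecurityHeadersMiddleware(RequestDelegate next) => _next = next;

    public Task InvokeAsync(HttpContext ctx)
    {
        // OnStarting runs just before the first byte of the body is written,
        // so the headers are still mutable regardless of what the handler did.
        ctx.Response.OnStarting(() =>
        {
            var h = ctx.Response.Headers;
            h["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload";
            h["Content-Security-Policy"] =
                "default-src 'self'; script-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
            h["X-Frame-Options"] = "DENY";
            h["X-Content-Type-Options"] = "nosniff";
            h["Referrer-Policy"] = "strict-origin-when-cross-origin";
            h["Permissions-Policy"] =
                "camera=(), microphone=(self), geolocation=(), payment=(), usb=()";
            // Assumed: API routes live under /api; their responses carry PII.
            if (ctx.Request.Path.StartsWithSegments("/api"))
                h["Cache-Control"] = "no-store";
            // Strip fingerprinting headers. Kestrel's own Server header is best
            // disabled at the source with AddServerHeader = false (see below).
            h.Remove("Server");
            h.Remove("X-Powered-By");
            return Task.CompletedTask;
        });
        return _next(ctx);
    }
}

// Program.cs wiring (assumed layout): register first so no response escapes it.
//   builder.WebHost.ConfigureKestrel(o => o.AddServerHeader = false);
//   app.UseMiddleware<SecurityHeadersMiddleware>();
```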
CASL & TCPA Compliance
Consent tracking. Cryptographic unsubscribe. Suppression lists.
Real estate communication is heavily regulated. Gift of Gab enforces compliance at the platform level so agents cannot accidentally violate CASL or TCPA rules.
CASL consent gate -- SMS blocked without consent
Our CaslConsentRecordLookup service checks for active, non-revoked consent before any automated SMS is sent. The system queries the SmsConsentRecord table filtering by agent, contact, ConsentGranted=true, and RevokedAt=null. If no valid consent record exists, the message is blocked at the orchestration layer -- it never reaches Twilio.
Granular consent tracking with audit trail
Every consent record captures: agent ID, contact ID, consent method (verbal, written, electronic), granting timestamp, expiration date (1-year PIPEDA renewal cycle), IP address of the recording party, and optional conversation ID linking to the call where consent was obtained. Consent can be revoked instantly via API, and revocation is timestamped and immutable.
Cryptographic unsubscribe tokens in every email
Every marketing email includes a one-click unsubscribe link powered by a cryptographically random 256-bit token (generated via RandomNumberGenerator). Tokens are URL-safe (Base64 with + and / replaced). When clicked, the EmailSuppressionService immediately adds the address to the suppression list. The token cannot be guessed or forged.
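An added example (not the EmailSuppressionService's own code) of generating and checking a 256-bit URL-safe unsubscribe token with RandomNumberGenerator as described above. The replacement characters '-' and '_', the fixed token length check and the fixed-time comparison are my assumptions.

```csharp
using System;
using System.Security.Cryptography;

public static class UnsubscribeToken
{
    private const int TokenBytes = 32; // 256 bits of CSPRNG entropy

    // Standard Base64 of 32 bytes is 44 chars with one '=' of padding; the
    // URL-safe form swaps '+' -> '-', '/' -> '_' and drops the padding.
    public static string Generate()
    {
        var raw = new byte[TokenBytes];
        RandomNumberGenerator.Fill(raw);
        return Convert.ToBase64String(raw)
            .Replace('+', '-')
            .Replace('/', '_')
            .TrimEnd('=');
    }

    // Decode a token taken from an unsubscribe link. Any malformed input
    // yields false so the caller treats it as "no such token", never as an
    // exception that could leak a stack trace.
    public static bool TryDecode(string? token, out byte[] raw)
    {
        raw = Array.Empty<byte>();
        if (string.IsNullOrEmpty(token) || token.Length != 43) return false;
        var std = token.Replace('-', '+').Replace('_', '/') + "=";
        try
        {
            raw = Convert.FromBase64String(std);
            return raw.Length == TokenBytes;
        }
        catch (FormatException) { return false; }
    }

    // Compare a presented token with the stored one without a timing side
    // channel on how many leading bytes matched.
    public static bool Matches(string? presented, string? stored)
    {
        if (!TryDecode(presented, out var a) || !TryDecode(stored, out var b)) return false;
        return CryptographicOperations.FixedTimeEquals(a, b);
    }
}
```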
Email suppression list with global and per-org scope
The EmailSuppressionService maintains a suppression database checked before every outbound email. Suppressions can be global (across all organizations) or scoped to a specific organization. The EmailIngestionFilter checks suppression status before processing any inbound email. Once suppressed, an address stays suppressed until explicitly cleared by the recipient.
TCPA-compliant call recording consent
The ConsentController provides a full consent lifecycle for call recording: record consent (POST), check status (GET), and revoke (POST). Each consent record includes the method (verbal/written), a 1-year expiration for PIPEDA annual renewal, IP address logging, and linkage to the specific conversation. Expired consent triggers automatic re-consent prompts.
Do-Not-Call list respect
Gift of Gab integrates suppression checks at the communication layer. Contacts marked as suppressed, unsubscribed, or DNC are filtered out before any outbound communication -- email, SMS, or call -- is initiated. The system enforces this at the orchestration level, not just the UI, so no automated workflow can bypass it.
Privacy & Data Governance
PIPEDA compliant. Your data, your rules. Personal call privacy wall.
We handle personal information under Canadian federal and provincial privacy law. Data minimization, purpose limitation, and individual access rights are built into the architecture.
PIPEDA and provincial privacy law compliance
Gift of Gab operates under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial legislation (PIPA in Alberta/BC, Quebec's Law 25). Personal information is collected for specific, stated purposes; used only for those purposes; and retained only as long as needed.
Personal/Business call privacy wall
Our PrivacyController enforces ADR-0055: private calls MUST NEVER leave the device. Agents classify phone numbers as personal or business. Numbers marked personal are stored in an encrypted local cache on the mobile device and never synced to the cloud. The backend serves as the classification authority with cursor-based incremental sync for business numbers only.
Configurable recording retention levels
Agents choose their own data retention level: (1) summary_only -- keep AI summaries, delete transcripts and recordings after processing; (2) summary_transcript -- keep summaries and transcripts, delete recordings after transcription; (3) keep_everything -- retain all data. This is enforced at the infrastructure level via the RetentionController and DataRetentionService.
Data never sold or shared
Gift of Gab never sells, shares, rents, or monetizes client data. Your CRM data is used solely to power your Gift of Gab experience. We do not use client data to train AI models. Our AI processing uses ephemeral context -- prompts and completions are not retained by our AI providers.
Right to deletion
Account holders can request complete deletion of their data. Our DataRetentionService handles automated purging on defined schedules (audit logs: 90 days, webhook events: 30 days, pipeline records: 60 days, anonymous events: 180 days). On-demand deletion requests are fulfilled within 30 days per PIPEDA requirements.
Audit Logging & Monitoring
Every action logged. Every anomaly flagged. 24/7.
Comprehensive audit trail with structured logging, real-time alerting, and automated incident detection.
Structured audit log with org-level visibility
Every security-relevant action is recorded in the AccessAuditLog table: user ID, organization ID, action, entity type, entity ID, access granted/denied flag, reason, IP address, user agent, and structured JSON metadata. Organization admins can view paginated, filterable audit logs through the API. Logs are retained for 90 days.
Authorization denial and override logging
Failed authorization attempts (policy denials) are logged with the actor's role, the required role, and the attempted action. Admin overrides (when an owner or admin acts on behalf of another user) are logged separately with full context. This creates an immutable paper trail for compliance investigations.
Webhook signature verification (HMAC)
All inbound webhooks from Stripe, Follow Up Boss, Twilio, Deepgram, Zoom, and Microsoft Teams are verified using HMAC signature validation. The WebhookVerifierFactory resolves the correct verifier per provider and fetches the signing secret from Key Vault. Webhooks that fail signature verification are rejected with HTTP 401 -- fail-closed, not fail-open.
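An added, provider-neutral illustration of the fail-closed HMAC check described above; it is not the WebhookVerifierFactory. It assumes the provider sends a hex-encoded HMAC-SHA256 over the raw body in a hypothetical X-Signature header, whereas each real provider defines its own signature scheme, and that the secret has already been fetched from Key Vault.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

public static class WebhookHmac
{
    // Returns true only when the header is a well-formed hex HMAC-SHA256 of
    // the raw request body under the provider's secret. Every other path,
    // including a missing secret, is a rejection (fail closed).
    public static bool IsValid(byte[]? rawBody, string? signatureHeader, string? secret)
    {
        if (rawBody is null || string.IsNullOrWhiteSpace(signatureHeader) || string.IsNullOrEmpty(secret))
            return false;

        byte[] presented;
        try { presented = Convert.FromHexString(signatureHeader.Trim()); }
        catch (FormatException) { return false; }

        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        var expected = hmac.ComputeHash(rawBody);

        // FixedTimeEquals already returns false on a length mismatch; the
        // explicit check keeps the intent readable. Comparison is constant time.
        return presented.Length == expected.Length
            && CryptographicOperations.FixedTimeEquals(presented, expected);
    }

    // Endpoint-side usage: MAC the raw body bytes (not a re-serialised model,
    // which would change the bytes) and reject with 401 before any handler logic.
    // "X-Signature" is an assumed header name.
    public static async Task<IResult> Handle(HttpRequest request, string secretFromKeyVault)
    {
        request.EnableBuffering();
        using var ms = new MemoryStream();
        await request.Body.CopyToAsync(ms);
        request.Body.Position = 0;

        if (!IsValid(ms.ToArray(), request.Headers["X-Signature"], secretFromKeyVault))
            return Results.Unauthorized();

        return Results.Ok();
    }
}
```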
Real-time monitoring with Sentry and Azure Application Insights
Application errors are captured in real-time via Sentry with full stack traces, request context, and user context. Azure Application Insights provides infrastructure-level telemetry: request rates, dependency latency, exception trends, and custom metrics. Alerts fire to the engineering team's notification channel within seconds of anomaly detection.
Health check endpoints
Deep health checks (DeepHealthCheck) verify database connectivity, Key Vault access, and external service availability. Shallow liveness probes (/api/health/live) confirm the process is running. Azure Container Apps uses these to automatically restart unhealthy instances.
Incident Response
Defined playbook. Rapid containment. Transparent communication.
When incidents happen, speed and transparency matter. Our incident response process is documented, rehearsed, and designed for rapid containment.
Incident classification and triage
Security incidents are classified by severity: P1 (data breach, unauthorized access), P2 (service compromise, credential exposure), P3 (vulnerability discovery, failed attack attempt). Classification determines response timeline: P1 triggers immediate all-hands response, P2 within 4 hours, P3 within 24 hours.
Containment and recovery
P1 containment includes: credential rotation via Key Vault, session invalidation, network isolation of affected containers, and database point-in-time restore if needed. Azure Container Apps allows instant rollback to a previous known-good container revision. The 35-day PITR window ensures data recovery from any point in time.
Notification to affected parties
In the event of a confirmed data breach, affected organizations are notified within 72 hours per PIPEDA breach notification requirements. Notification includes: what data was affected, when the breach occurred, what remediation actions were taken, and what steps the affected party should take. We also notify the Office of the Privacy Commissioner of Canada as required.
Post-incident review
Every P1 and P2 incident triggers a post-incident review (PIR) within 5 business days. The PIR produces a root cause analysis, a timeline of events, a list of remediation actions, and process improvements. PIR findings are shared with affected customers on request.
Security Testing
CI/CD guards. Automated scanning. Responsible disclosure.
Security is tested continuously, not just once a year. Our CI pipeline blocks insecure code from reaching production.
CI security guards (GitHub Actions)
Every pull request runs through ci-guards.yml: release build with TreatWarningsAsErrors=true, secret scanning to block credentials in code, legacy field blocking, and schema drift detection. Code that fails any guard cannot merge to main.
Automated dependency scanning
GitHub Dependabot monitors all NuGet (.NET) and npm (frontend) dependencies for known vulnerabilities. Critical CVEs trigger automated PRs. We track dependency versions through central package management (Directory.Build.props + Directory.Packages.props) to ensure consistent patching across all projects.
Penetration testing
Gift of Gab undergoes periodic penetration testing by qualified third-party security firms. Test scope includes the API surface, authentication flows, multi-tenant isolation, webhook endpoints, and the mobile applications. Findings are remediated on a priority schedule and re-tested before the next assessment. Contact security@giftofgab.ai for the most recent executive summary.
Data Retention
Defined retention schedules. Automated enforcement.
Our DataRetentionService runs as a background service every 24 hours, enforcing the following schedules via batch deletes. No manual intervention required.
| Data type | Retention period |
|---|---|
| Audit logs | 90 days |
| AI audit logs | 90 days |
| Webhook events (processed) | 30 days |
| Pipeline records | 60 days |
| Completed job queue | 30 days |
| Anonymous onboarding events | 180 days |
| Database backups (PITR) | 35 days |
| Call recordings (configurable) | Agent-controlled |
| Account data on deletion request | Deleted within 30 days |
Responsible Disclosure
Found a vulnerability? We want to hear from you.
We take security reports seriously. If you discover a vulnerability in Gift of Gab, please disclose it responsibly so we can protect our users.
How to report
- Email security@giftofgab.ai with a detailed description
- Include steps to reproduce, affected endpoints, and impact assessment
- Attach proof-of-concept code or screenshots where possible
- Use our PGP key for encrypted communication (available on request)
Our commitment
- Acknowledge receipt within 24 hours
- Provide an initial assessment within 72 hours
- Keep you updated on remediation progress
- Credit reporters in our security advisories (with permission)
- No legal action against good-faith security researchers
Need a security review for your brokerage?
We are happy to provide compliance documentation, answer your IT team's questionnaire, or schedule a call to walk through our security architecture.
Your clients trust you with their biggest purchase.
Trust Gift of Gab with your data. 14-day free trial. Enterprise-grade security from day one.