Security & Compliance
Serious about the data you put in our hands.
Enterprise buyers ask for a security page before they ask for a quote. This is it. The posture, the practices, and the commitments — documented, not implied.
Compliance posture
Where we stand, today.
SOC 2 Type I audit scheduled Q3 2026. Controls framework in place today (access logging, change management, incident response).
AuditGrid platform ships HIPAA-aware architecture: BAAs with all infra vendors, PHI encryption at rest + in transit, append-only audit logs, role-scoped data access.
Data processing terms available, subprocessor list maintained, user data deletion SLA of 30 days.
Third-party pentest on all production SaaS surfaces. Remediation tracked publicly on a separate dashboard.
Responsible disclosure accepted at security@gatorbyte.net. 90-day coordinated disclosure window.
How we build
The six pillars of a defensible build.
Encryption everywhere
AES-256 at rest, TLS 1.3 in transit. No exceptions. Managed KMS for key rotation.
Least-privilege access
Role-based access enforced at the database layer, not just in app code. Admins can only see what their role allows.
BAA-covered infrastructure
Netlify, managed Postgres, email, and monitoring vendors are all covered under signed Business Associate Agreements where applicable.
Immutable audit trail
Every PHI read/write is logged with actor, timestamp, resource ID. Append-only. Retained for regulatory-minimum periods.
Pre-rehearsed incident response
IR plan rehearsed quarterly. Runbooks for the top 10 incident categories already written. Notification SLAs documented.
Continuous monitoring
Real-time alerting on auth anomalies, rate-limit breaches, and unexpected data egress. 24/7 on-call for managed SaaS.
Documentation
What enterprise procurement usually asks for.
Pre-answered security questionnaire
SIG Lite + CAIQ Lite completed. Shared on request.
Data Processing Addendum (DPA)
GDPR / CCPA-compliant template. Available for signature.
Subprocessor list
Maintained live. 30-day notice on additions.
Business Associate Agreement
Signed with every healthcare customer and upstream infra vendor.
Incident response plan
Runbooks for 10 incident categories. Notification SLAs defined.
Penetration test reports
Redacted executive summary shareable under NDA.
FAQ
Answers to the questions procurement usually asks.
Is GatorByte SOC 2 certified?
SOC 2 Type I is scheduled for Q3 2026. The controls required for Type II (access logging, change management, incident response, vendor management) are in place today. We can share our current control matrix under NDA.
Do you sign BAAs for healthcare engagements?
Yes. Every healthcare platform we build or operate (including AuditGrid) runs under signed BAAs with infrastructure vendors and with the customer. We will sign your standard BAA or ours.
Where does customer data live?
By default: US-East PostgreSQL (Netlify / managed Postgres). Netlify Edge CDN for static assets. We can deploy to customer-controlled infrastructure for regulated enterprise engagements.
How do you handle subprocessors?
Full subprocessor list maintained and published on request. 30-day advance notice before adding any subprocessor that touches customer data.
How do we report a vulnerability?
Email security@gatorbyte.net or use our /.well-known/security.txt file. 90-day coordinated disclosure. We respond within 48 hours, triage within 5 business days.
Responsible disclosure
Found something? Tell us.
We operate a coordinated disclosure program. Report vulnerabilities to security@gatorbyte.net. We acknowledge within 48 hours, triage within 5 business days, and coordinate disclosure within 90 days.
