Security
Security isn't a feature we bolt on — it's the foundation Gridlock is built on. As an autonomous security platform, we hold ourselves to the same standards we provide to our customers.
Encryption
AES-256 Encryption
All data stored in our systems — databases, file storage, backups — is encrypted using AES-256, the gold standard for data-at-rest encryption used by governments and financial institutions.
TLS 1.3
All data transmitted between your browser, API clients, and our infrastructure is protected with TLS 1.3. We enforce HTTPS on all endpoints and reject insecure connections.
Key Management
Encryption keys are managed through infrastructure-level key management services, rotated on a regular schedule, and never stored alongside the data they protect.
Infrastructure Security
Railway Infrastructure
Gridlock runs on Railway's US-based cloud infrastructure with built-in network isolation, automated patching, and physical data center security. Railway maintains SOC2 compliance.
Network Security
All services communicate through private networks. External traffic is routed through load balancers with DDoS protection. Database servers are not publicly accessible.
24/7 Monitoring
Infrastructure metrics, application health, and anomaly detection run continuously. Automated alerting triggers immediate investigation of any suspicious activity.
Access Controls & Audit Logging
Access to production systems is tightly controlled:
- Role-based access control (RBAC): Team members have the minimum permissions required for their role
- Multi-factor authentication: Required for all internal access to production systems
- Audit logging: Every access to customer data is logged with timestamp, identity, and action taken
- Least-privilege principle: No standing access to production databases — all access is temporary and audited
- Separation of duties: Code deployment and production access require separate authorization
Access logs are retained for 1 year and reviewed quarterly. Any unauthorized access attempt triggers immediate investigation and customer notification.
Compliance Roadmap
We are actively working toward industry-standard compliance certifications:
SOC2 Type I
Audit of our security controls, policies, and procedures. We are currently scoping the engagement with a qualified auditor and expect certification by Q3 2026.
SOC2 Type II
Continuous monitoring and audit of our controls over a 6-month observation period, demonstrating sustained security posture.
HIPAA-Ready Architecture
Our infrastructure and data handling practices are designed to be HIPAA-compliant. Encryption, access controls, audit logging, and Business Associate Agreement (BAA) support are built into the architecture. Formal HIPAA compliance assessment planned for Q4 2026.
Data Residency
All customer data is stored in the United States on Railway's US-based infrastructure. Data does not leave US jurisdiction unless explicitly configured for multi-region deployment (Enterprise plan feature).
Backups are stored within the same US region. We do not replicate data to international data centers.
Vulnerability Management
- Dependency scanning: Automated scanning of all third-party dependencies for known vulnerabilities
- Code review: All changes are peer-reviewed before merging to production
- Penetration testing: Regular third-party penetration testing (planned cadence: quarterly)
- Patch management: Critical vulnerabilities patched within 24 hours; non-critical within 7 days
Responsible Disclosure
We take security vulnerabilities seriously and appreciate the efforts of security researchers. If you believe you have discovered a vulnerability in Gridlock, we encourage you to report it responsibly.
What we commit to:
- Acknowledge your report within 24 hours
- Provide a detailed response within 5 business days
- Keep you informed of remediation progress
- Not take legal action against researchers who follow responsible disclosure practices
Please do not: access, modify, or delete other users' data; degrade service availability; or exploit the vulnerability beyond what's needed to demonstrate it.
Report a Vulnerability
If you've found a security issue, please report it to our security team. We appreciate responsible disclosure.
[email protected]