All data moving between your browser and our servers is encrypted via TLS. Sensitive vault data uses AES-256-GCM at rest.
Hosted on infrastructure based in the United States. EU/EEA data residency available on request for enterprise contracts.
Production systems require multi-factor authentication. Principle of least privilege enforced across all internal services.
Security practices
- Encryption in transit: All public-facing endpoints enforce HTTPS with TLS 1.2 or higher. HTTP is redirected to HTTPS.
- Encryption at rest: Sensitive configuration data and secret keys are stored using AES-256-GCM symmetric encryption within our internal vault system.
- Access controls: Production server access is restricted to authorised personnel via SSH key authentication with MFA. No password-based SSH.
- Secret management: API credentials and keys are never stored in source code or version control. They are managed via an encrypted secrets vault.
- Dependency management: We maintain a process for reviewing and updating third-party dependencies. Security patches are applied promptly.
- Backups: Critical data is backed up regularly and stored in geographically separate locations.
- Monitoring: Server logs are monitored for anomalous activity. Alerts are configured for key security events.
Sub-processors
Gilligan Tech Inc. uses the following third-party sub-processors to deliver its services. Each operates under its own data protection agreements and complies with applicable privacy law.
| Sub-processor | Role | Primary region | Privacy / DPA |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud compute, storage, and AI model inference (Bedrock) | US East / EU available | aws.amazon.com/privacy |
| Google Cloud / Vertex AI | LLM inference and AI services | US / EU available | cloud.google.com/privacy |
| Microsoft Azure / Azure OpenAI | LLM inference and enterprise AI services | US / EU available | privacy.microsoft.com |
| Cloudflare | CDN, DDoS protection, DNS, Workers AI inference | Global (anycast) | cloudflare.com/privacypolicy |
| NVIDIA (NIM / Inference Microservices) | GPU-accelerated AI model inference | US | nvidia.com privacy policy |
| Hetzner Online GmbH | Dedicated server hosting (compute infrastructure) | EU (Germany / Finland) | hetzner.com/legal/privacy-policy |
We will notify customers of material changes to our sub-processor list with at least 30 days' notice where required by a Data Processing Agreement. To receive notifications, email dave@gilligantechinc.com.
Compliance posture
Gilligan Tech Inc. is a small, high-security engineering team. We do not yet hold independent SOC 2, ISO 27001, or HIPAA certifications in our own name. However:
- Our cloud infrastructure providers (AWS, Google Cloud, Microsoft Azure) maintain SOC 2 Type II, ISO 27001, HIPAA, and other certifications — their certified environments underpin our services.
- We apply GDPR-aligned data handling practices for all users, regardless of jurisdiction.
- Enterprise customers may request a Data Processing Agreement (DPA) or security questionnaire response by emailing dave@gilligantechinc.com.
- We are actively working toward formal compliance certifications as we grow.
Responsible disclosure
If you discover a security vulnerability in our systems or website, we ask that you disclose it responsibly. Please email dave@gilligantechinc.com with details of the issue. We aim to:
- Acknowledge receipt within 2 business days.
- Provide an initial assessment within 5 business days.
- Work toward a fix and notify you when it is deployed.
We do not currently operate a formal bug bounty programme, but we genuinely appreciate responsible disclosure and will acknowledge researchers who help us improve security.
Contact
Security enquiries, DPA requests, or sub-processor change notifications:
dave@gilligantechinc.com