Security & Privacy

Your Brand Data Is Not Our Business Model.

Your data never trains AI models. 470+ RLS policies guard every row. Zero-retention agreements with every AI provider. We built the security so you can forget about it.

  • SOC 2 Type II: Infrastructure certified via AWS
  • GDPR Aligned: Data isolation, access control & export tools
  • ISO 27001: AWS hosting certified
  • AES-256 · TLS: Encrypted at rest and in transit
  • PCI DSS: Payments via Stripe (Level 1)
  • CCPA Aligned: Privacy mechanisms in place

Security at Every Step

1 Who Gets In (And Who Doesn't)

  • Email/password authentication with mandatory email verification
  • Google OAuth with whitelisted redirect URL validation
  • Account approval workflow — new accounts require administrator verification
  • MFA via TOTP — compatible with Google Authenticator, Authy, 1Password, Microsoft Authenticator
  • Organisation-level MFA enforcement — admins can require MFA for all team members
  • Protected routes — every page gated behind access-level checks

2 Your Data, Your Rules

  • Your data is never used to train, fine-tune, or improve any AI models — ours or anyone else's
  • We only store data necessary to deliver the service — no collection or monetisation beyond what's required
  • On-demand data removal — deletion requests honoured promptly per GDPR
  • Self-service data export supporting GDPR Article 15 (Access) and Article 20 (Portability)

3 Your Data Can't See Their Data

  • 470+ Row-Level Security (RLS) policies enforced across 150+ tables
  • All data scoped by partner and organisation identifiers — zero cross-tenant leakage by design
  • Financial data (credits, transactions, purchases) scoped with administrator-only adjustment controls
  • Cross-domain isolation — white-label partner accounts fully isolated from one another
  • Composite identity model — separate profiles, roles, and activity histories across domains

4 Not Everyone Gets the Keys

  • Platform Roles — Super Admin, Admin, User (platform-wide permissions)
  • Organisation Roles — Org Admin, Manager, Member (within-org access)
  • Self-escalation prevention enforced at the database level
  • Single active organisation enforcement per user per partner
  • 22 Security Definer functions for safe role-checking without recursive policy issues

5 What Happens When We Talk to the AI

  • 48+ AI models accessed via enterprise-tier API agreements with zero-data-retention clauses
  • Server-side key management — API keys never exposed to browsers or frontend code
  • Brand Vault data retrieved via vector search (RAG), injected only at moment of use, never sent in bulk
  • Providers: Anthropic, OpenAI, Google AI, xAI, Perplexity, DeepSeek, ElevenLabs, HeyGen

6 Built Like a Bank. Runs Like a Startup.

  • Amazon Web Services (AWS) — SOC 2 Type II and ISO 27001 certified
  • 80+ edge functions running in isolated Deno-based sandboxes with limited permission grants
  • Database not directly accessible from public internet — all access via authenticated API gateway
  • Continuous automated backups with point-in-time recovery (PITR)
  • Strict environment separation — Test and Production fully isolated
  • Managed DDoS mitigation at the infrastructure layer

7 Continuous Protection

Our application layer defends against common web vulnerabilities:

  • CORS headers on all backend functions with origin whitelisting
  • HTML/SVG sanitisation via DOMPurify to prevent XSS injection
  • Content Security Policy (CSP) on all HTML previews
  • SSRF protection on all scraping and web tool functions
  • Input validation with parameter checking, type validation, and length limits
  • Client-side schema-based validation on all form inputs

Third-Party Subprocessors

Category | Provider(s) | Data Shared
Infrastructure | AWS, Supabase | All platform data (encrypted at rest)
AI Providers | Anthropic, OpenAI, Google AI, xAI, Perplexity, DeepSeek | Query prompts only (zero retention)
Media Generation | ElevenLabs, HeyGen, image model providers | Generation prompts only (zero retention)
Payments | Stripe | Payment data only (PCI DSS Level 1)

What's Next

We are committed to continuously strengthening our security posture. The following enhancements are in active development:

  • Session timeout / idle logout: Prevents unattended session hijacking
  • Login attempt rate limiting: Protects against brute-force attacks
  • Extended audit trail: Comprehensive logging of all user actions
  • Self-service data erasure: Full GDPR Article 17 self-service compliance
  • IP allowlisting: Restrict access to known corporate networks
  • Password complexity requirements: Enforced minimum length and character variety
  • Session management dashboard: View and revoke active sessions
  • Penetration testing programme: Scheduled third-party security assessments

The Boring Stuff We Do Religiously

Where is my data stored?
All data is stored on SOC 2 Type II and ISO 27001 certified AWS infrastructure with AES-256 encryption at rest and TLS encryption in transit. Your data is isolated via 470+ Row-Level Security policies across 150+ tables, ensuring zero cross-tenant leakage.
Do you train on my data?
Never. Your brand data, outputs, and conversations are never used to train any AI models. All AI providers are accessed through enterprise-tier API agreements that include zero-data-retention clauses. No customer data is stored by or made available to any model provider.
What compliance certifications do you have?
Our infrastructure is SOC 2 Type II and ISO 27001 certified (via AWS). We are GDPR aligned with data isolation, access controls, consent mechanisms, and export tools in place. We are CCPA aligned with user data scoping and privacy mechanisms. Payments are handled by Stripe (PCI DSS Level 1).
How do you handle MFA?
gimmefy supports Multi-Factor Authentication via time-based one-time passwords (TOTP). It's compatible with Google Authenticator, Authy, 1Password, and Microsoft Authenticator. Organisation administrators can enforce MFA for all team members, and individual users can also enable it independently.
What subprocessors do you use?
Our subprocessors include AWS and Supabase (infrastructure), Anthropic/OpenAI/Google AI/xAI/Perplexity/DeepSeek (AI — zero retention), ElevenLabs/HeyGen (media — zero retention), and Stripe (payments — PCI DSS Level 1). All are held to our security standards with contractual obligations.
How do you handle AI model provider security?
We route queries through 48+ AI models via enterprise-tier APIs with zero-data-retention clauses. All API keys are managed server-side within secured edge functions — never exposed to browsers. Brand data is retrieved via vector search and injected only at the moment of use.
Can I export my data?
Yes. Self-service data export is available, allowing you to retrieve your platform data on demand. This supports your rights under GDPR Article 15 (Right of Access) and Article 20 (Right to Data Portability).
What happens if there's a breach?
We have a documented incident response plan with notification within applicable regulatory timelines. All affected customers are notified per GDPR requirements. Our infrastructure includes automated monitoring and alerting for anomalies.
Is SSO supported?
We support Google OAuth with whitelisted redirect URL validation. All authentication includes mandatory email verification and optional MFA enforcement at the organisation level.
Can I get a Data Processing Agreement (DPA)?
Yes. We provide a standard DPA on request for enterprise customers. Contact support@gimmefylabs.com for details.

Need the Full Security Whitepaper?

For security questionnaires (SIG, CAIQ, VSA) or a detailed copy of our Data & Security Whitepaper v2.1, get in touch.

Contact support@gimmefylabs.com