Security

Security built into every layer.

This page is for the person your CTO will forward it to. Encryption, authentication, infrastructure, and incident response — written to answer the questions a security review actually asks.

AES-256 at rest · TLS 1.3 in transit · OAuth 2.0 + SSO/SAML · Per-tenant isolation · GDPR-ready
The security model

Four layers. Each enforced independently.

A breach of one layer doesn't cascade. Each layer has its own controls, logs, and failure modes.

Access

OAuth 2.0, SSO/SAML, role-based access control, and immutable audit logs. Least privilege by default.

Application

Per-tenant isolation, input validation, scoped tokens, and automated dependency scanning on every deploy.

Data

AES-256 at rest, TLS 1.3 in transit, managed key rotation, and encrypted backups that never leave the encryption boundary.

Infrastructure

Managed cloud with private subnets, network isolation, DDoS protection, WAF on edge endpoints, and continuous anomaly alerting.

Data protection

Encryption, retention, key management.

Customer data is encrypted at rest and in transit. Keys rotate on a documented schedule. You control retention.

Encryption at rest

AES-256 · cloud KMS · documented key rotation schedule

Encryption in transit

TLS 1.3 · HSTS · certificates auto-renewed via major public CAs

Backups

Encrypted · point-in-time restore · tested restore cadence

Tenant isolation

Row-level enforcement at application layer — not UI filtering
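What "row-level enforcement at the application layer, not UI filtering" means in practice, as an added illustration (this is example code written for this page, not Gangly's implementation). It assumes a hypothetical `contacts` table with a `tenant_id` column, constructed sample rows for two tenants, and an in-memory SQLite database. The scoped store fixes the tenant at construction from the session and puts the tenant predicate on every read and write; the unscoped store beside it shows the anti-pattern where the filter is left to presentation code. The last function is the check a reviewer can run: trace every statement the data-access layer issues and flag any without a tenant predicate.

```python
import sqlite3
from typing import Callable, List, Optional, Tuple

# Constructed sample schema and rows for two tenants; not product data.
SCHEMA = """
CREATE TABLE contacts (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    email     TEXT NOT NULL
);
CREATE INDEX contacts_by_tenant ON contacts (tenant_id);
"""
SEED = [
    (1, "tenant-a", "alice@example.com"),
    (2, "tenant-a", "ann@example.com"),
    (3, "tenant-b", "bob@example.com"),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SEED)
    conn.commit()
    return conn


class TenantScopedContacts:
    """Row-level enforcement: every statement carries the tenant predicate.

    The tenant id is fixed at construction from the authenticated session,
    so no caller can choose which tenant's rows a query touches.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self._conn = conn
        self._tenant = tenant_id

    def list(self) -> List[Tuple[int, str]]:
        cur = self._conn.execute(
            "SELECT id, email FROM contacts WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        )
        return cur.fetchall()

    def get(self, contact_id: int) -> Optional[Tuple[int, str]]:
        # Another tenant's row is simply absent from this tenant's view:
        # no row, no 403, no existence oracle.
        cur = self._conn.execute(
            "SELECT id, email FROM contacts WHERE tenant_id = ? AND id = ?",
            (self._tenant, contact_id),
        )
        return cur.fetchone()

    def update_email(self, contact_id: int, email: str) -> int:
        # Writes are scoped too; rowcount is 0 for a foreign row.
        cur = self._conn.execute(
            "UPDATE contacts SET email = ? WHERE tenant_id = ? AND id = ?",
            (email, self._tenant, contact_id),
        )
        self._conn.commit()
        return cur.rowcount


class UiFilteredContacts:
    """The anti-pattern: an unscoped query with the tenant filter left to
    presentation code. Any path that forgets the filter (an export, a
    search endpoint, a bulk update) reads or mutates other tenants' rows."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self._conn = conn
        self._tenant = tenant_id  # held, but nothing below uses it

    def get(self, contact_id: int) -> Optional[Tuple[int, str, str]]:
        cur = self._conn.execute(
            "SELECT id, tenant_id, email FROM contacts WHERE id = ?", (contact_id,)
        )
        return cur.fetchone()  # returns the row whatever tenant owns it


DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}


def unscoped_statements(conn: sqlite3.Connection, action: Callable[[], object]) -> List[str]:
    """Review-time check: trace every SQL statement `action` issues and
    return the data statements that carry no tenant predicate. A properly
    scoped data-access layer yields an empty list (BEGIN/COMMIT are ignored)."""
    seen: List[str] = []
    conn.set_trace_callback(seen.append)
    try:
        action()
    finally:
        conn.set_trace_callback(None)
    flagged = []
    for stmt in seen:
        words = stmt.split(None, 1)
        if words and words[0].upper() in DML and "tenant_id = " not in stmt:
            flagged.append(stmt)
    return flagged


if __name__ == "__main__":
    db = open_db()
    tenant_a = TenantScopedContacts(db, "tenant-a")
    print(tenant_a.list())                             # only tenant-a rows
    print(tenant_a.get(3))                             # None: row 3 belongs to tenant-b
    print(UiFilteredContacts(db, "tenant-a").get(3))   # leaks tenant-b's row
    print(unscoped_statements(db, lambda: tenant_a.get(1)))  # []
```

The check matters more than the store: once every query goes through a scoped layer, a trace like this in the test suite catches the one new endpoint that bypasses it.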

Call audio

Transcribed and discarded by default · configurable retention window

Data deletion

Account data removed within 30 days · export available before deletion

User authentication

Email magic link + OAuth · SSO/SAML on Scale plan

Integration auth

OAuth 2.0 for CRM, email, video, calendar, LinkedIn — no stored passwords

Permissions

Role-based access control · workspace-level · least privilege by default

Audit trail

Admin action audit log on Scale · immutable · timestamped · exportable

Token revocation

Revoke Gangly in the source system → the stored refresh token stops working, and there is no other credential to fall back on

Authentication

OAuth first. No raw credentials on our servers.

Every integration authenticates via OAuth 2.0. We store refresh tokens, not passwords. Revoke Gangly in your source system and the stored refresh token stops working; there is no other credential to fall back on.
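How the refresh-token model and the revocation behaviour described above (and under "Token revocation") play out on the client side, as an added example written for this page rather than Gangly's own code. It assumes a hypothetical in-process `FakeAuthorizationServer` standing in for a provider's token endpoint, so it runs offline; real providers answer a refresh request for a revoked or expired refresh token with the same `invalid_grant` error body (RFC 6749 section 5.2), which is the signal the client acts on. The `Integration` record holds only the refresh token, never a password, and the client purges everything and stops retrying once the grant is gone.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class FakeAuthorizationServer:
    """Hypothetical stand-in for a provider's token endpoint (offline only)."""

    def __init__(self) -> None:
        self._refresh_tokens: Dict[str, str] = {}   # refresh token -> granted scope

    def grant(self, scope: str) -> str:
        """End of the authorization-code flow: the user consented and the
        client receives a long-lived refresh token."""
        rt = secrets.token_urlsafe(32)
        self._refresh_tokens[rt] = scope
        return rt

    def token(self, form: Dict[str, str]) -> Tuple[int, Dict[str, object]]:
        """POST /token with grant_type=refresh_token (RFC 6749 section 6)."""
        if form.get("grant_type") != "refresh_token":
            return 400, {"error": "unsupported_grant_type"}
        scope = self._refresh_tokens.get(form.get("refresh_token", ""))
        if scope is None:
            return 400, {"error": "invalid_grant"}   # revoked, expired or unknown
        return 200, {"access_token": secrets.token_urlsafe(16),
                     "token_type": "Bearer", "expires_in": 3600, "scope": scope}

    def revoke(self, refresh_token: str) -> None:
        """What happens when the user removes the app in the source system."""
        self._refresh_tokens.pop(refresh_token, None)


@dataclass
class Integration:
    provider: str
    refresh_token: Optional[str]      # the only long-lived secret held; never a password
    access_token: Optional[str] = None
    expires_at: float = 0.0           # unix time; 0 forces a refresh on first use
    status: str = "connected"


class OAuthClient:
    LEEWAY = 60  # refresh this many seconds before the access token expires

    def __init__(self, server: FakeAuthorizationServer, client_id: str) -> None:
        self._server = server
        self._client_id = client_id

    def connect(self, provider: str, scope: str) -> Integration:
        return Integration(provider=provider, refresh_token=self._server.grant(scope))

    def get_access_token(self, integ: Integration, now: float,
                         force_refresh: bool = False) -> Optional[str]:
        """Return a usable bearer token, or None once the grant is gone.

        Pass force_refresh=True after a 401 from the resource API: providers
        that invalidate outstanding access tokens on revocation surface it
        there first, and this turns that 401 into the invalid_grant path."""
        if integ.status != "connected":
            return None                      # disconnected: never retry the old grant
        if (not force_refresh and integ.access_token
                and now < integ.expires_at - self.LEEWAY):
            return integ.access_token        # cached and not about to expire
        status, body = self._server.token({
            "grant_type": "refresh_token",
            "refresh_token": integ.refresh_token or "",
            "client_id": self._client_id,
        })
        if status == 200:
            integ.access_token = str(body["access_token"])
            integ.expires_at = now + float(body["expires_in"])
            return integ.access_token
        if body.get("error") == "invalid_grant":
            # Revoked upstream: purge every token held and mark the
            # integration disconnected so the user must re-consent.
            integ.refresh_token = None
            integ.access_token = None
            integ.status = "disconnected"
            return None
        # Anything else (5xx, rate limit) is transient: keep state, retry later.
        raise RuntimeError(f"token endpoint error {status}: {body}")
```

One caveat the example makes visible: an access token already issued stays in the client's cache until it expires or the resource API rejects it, so short access-token lifetimes and a forced refresh on 401 are what make "access ends when you revoke" hold in practice.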

Infrastructure & incident response

Managed cloud. Named process, not improvisation.

Infrastructure

  • Managed cloud infrastructure with network isolation
  • Private subnets for application and database tiers
  • DDoS protection and WAF on all edge endpoints
  • Continuous log aggregation and anomaly alerting
  • Dependency and container scanning in CI on every push

Incident response

  • Documented incident response runbook with named on-call owners
  • Customer notification within 72 hours of a confirmed data incident
  • Post-incident report with root cause and corrective action
  • Public status page for degradations and outages
  • Responsible disclosure at security@getgangly.com

Responsible disclosure

Found a vulnerability?

We respond to responsible disclosure reports within one business day. Please don't publish before coordinating with us.

security@getgangly.com

Security reviews

Security questionnaires & DPAs

Security questionnaires, SOC 2 letters, and DPAs turn around within one business day. Email with your timeline and we'll coordinate.

security@getgangly.com

More security resources

Privacy policy, GDPR compliance, cookie policy, and trust overview — all in one place.

Questions your security team didn't see here?

Email security@getgangly.com or book a call. We'll answer every question — and tell you honestly if something isn't ready yet.