Security

Security built into every layer.

This page is for the person your CTO will forward it to. Encryption, authentication, infrastructure, incident response — written to answer the questions a security review actually asks.

The security model

Four layers. Each enforced independently.

A breach of one layer doesn't cascade. Each layer has its own controls, logs, and failure modes.

Access

OAuth 2.0, SSO/SAML, RBAC, audit logs

Application

Per-tenant isolation, input validation, scoped tokens, dependency scanning

Data

AES-256 at rest, TLS 1.3 in transit, managed key rotation, encrypted backups

Infrastructure

Managed cloud infrastructure, network isolation, DDoS protection, continuous monitoring

Data protection

Encryption, retention, and key management.

ENCRYPTION AT REST

Customer data encrypted with AES-256. Keys are managed via the cloud provider's KMS. Keys rotate on a documented schedule.

ENCRYPTION IN TRANSIT

TLS 1.3 on all customer-facing endpoints. HSTS enabled. Certificates issued by major public CAs and auto-renewed.

BACKUPS

Encrypted, point-in-time restore on the primary database. Tested restore cadence. Backups never leave the encryption boundary.

TENANT ISOLATION

Customer data is logically isolated per tenant with row-level checks enforced in the application layer — not relying on UI filtering.

CALL AUDIO

Audio from Zoom/Meet is transcribed and discarded by default. Retention window is configurable. You control the lifecycle.

DATA DELETION

Account deletion removes customer data within 30 days. Backups age out per retention policy. Export available before deletion.

Authentication

OAuth first. No raw API keys on our servers.

Every integration — CRM, email, video, calendar — authenticates via OAuth 2.0. We store refresh tokens, not credentials. Revoke access in your source system and Gangly loses it immediately.

USER AUTH

Email magic link + OAuth on all plans. SSO / SAML on the Scale plan.

INTEGRATION AUTH

OAuth 2.0 for CRM, email, video, calendar, and LinkedIn. No stored passwords.

PERMISSIONS

Role-based access control at the workspace level. Least privilege by default.

AUDIT TRAIL

Admin action audit log on the Scale plan. Immutable, timestamped, exportable.

INFRASTRUCTURE

Managed cloud, not bare metal.

  • Managed cloud infrastructure with network isolation
  • Private subnets for application and database tiers
  • DDoS protection and WAF on edge endpoints
  • Continuous log aggregation and anomaly alerting
  • Dependency and container scanning in CI

INCIDENT RESPONSE

Named process, not improvisation.

  • Documented IR runbook with named on-call owners
  • Customer notification within 72 hours of confirmed data incident
  • Post-incident report with root cause + corrective action
  • Public status page for degradations and outages
  • Responsible disclosure at security@getgangly.com

Security team

Found a vulnerability? Have a question?

We respond to responsible disclosure reports within one business day. Security questionnaires, SOC 2 letters, and DPAs turn around in the same window.