Security Overview

This page describes how GPCGuard is built to handle data safely and protect customer accounts. It reflects current engineering controls — not certifications or SLA guarantees.

Data Handling

GPCGuard processes GPC signals to produce decision outcomes and decision records. It does not collect or store personal data for profiling purposes.

  • Signal processing paths use privacy-preserving hashing for request correlation — raw identifiers are not retained.
  • Signal-processing logs are structured and redacted. Plaintext PII and secrets are not intentionally written to logs.
  • Compliance telemetry is scoped to signal-processing observability: signal source, decision outcome, policy version.

Account and Tenant Isolation

Each customer account is isolated at the database level. One customer cannot access another customer's sites, decision records, or configuration.

  • All dashboard reads and writes are scoped to the authenticated account via Row Level Security policies.
  • Elevated internal access (service role) is restricted to authentication bootstrap — not general data operations.
  • Cross-tenant access protections are enforced at the database policy boundary, not just application logic.
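
The database-level scoping described above, sketched as Postgres Row Level Security policies. This is an added example, not GPCGuard's actual schema or policies: the table, column and policy names are hypothetical, and it assumes a Supabase project, where `auth.uid()` and the `authenticated` role are provided.

```sql
-- Hypothetical schema: names are illustrative, not GPCGuard's.
create table public.sites (
  id         uuid primary key default gen_random_uuid(),
  account_id uuid not null default auth.uid(),  -- owning account
  domain     text not null
);

create table public.decision_records (
  id             bigint generated always as identity primary key,
  site_id        uuid not null references public.sites (id) on delete cascade,
  signal_source  text not null,
  outcome        text not null,
  policy_version text not null,
  created_at     timestamptz not null default now()
);

-- With RLS enabled and no matching policy, non-owner roles see no rows.
alter table public.sites            enable row level security;
alter table public.decision_records enable row level security;

-- USING filters the rows a statement can read or target; WITH CHECK rejects
-- inserts and updates that would place a row under another account.
create policy sites_own_account on public.sites
  for all to authenticated
  using      (account_id = (select auth.uid()))
  with check (account_id = (select auth.uid()));

-- Child rows take their tenancy from the parent site. This sketch assumes
-- dashboard users only read decision records, so the policy is SELECT-only.
create policy decision_records_own_account on public.decision_records
  for select to authenticated
  using (exists (
    select 1
    from public.sites s
    where s.id = decision_records.site_id
      and s.account_id = (select auth.uid())
  ));

-- Audit check: tables in the exposed schema that lack RLS.
-- Expected to return zero rows.
select tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

In Supabase the service role bypasses RLS entirely, so policies like these protect only the paths that run as `authenticated`; any code holding the service role key has to enforce tenancy itself.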

Infrastructure and Subprocessors

GPCGuard uses the following third-party infrastructure providers:

  • Supabase — database, authentication, and edge function hosting.
  • Vercel — dashboard hosting and CDN.

Enterprise customers can request a full subprocessor list as part of DPA or MSA review.

What This Page Does Not Claim

  • GPCGuard is not currently SOC 2, ISO 27001, or otherwise third-party certified.
  • This page does not constitute a formal security agreement or SLA.
  • Incident response procedures are in place but not yet published as a formal runbook.
  • This overview reflects current posture and will be updated as the product matures.

Security Contact

To report a vulnerability or security concern: security@gpcguard.app

For general support or enterprise security questions: support@gpcguard.app