Trust, Security & Compliance
Last updated: June 29, 2026
1. Shared responsibility
GCPR is a multi-tenant SaaS platform. Security is shared:
- GCPR Communications LLC operates the platform, manages infrastructure providers, and enforces tenant isolation, access controls, and incident response.
- Customers (firms and account admins) are responsible for choosing strong passwords, enabling MFA where available, managing their own users and roles, and the lawful basis for any data they upload.
- Infrastructure providers (listed in our Subprocessors page) carry their own certifications for the layers they operate.
2. Technical controls in place today
Encryption in transit
In place: All traffic to GCPR is served over HTTPS with TLS 1.2 or higher. HSTS is enabled on the production domain.
Encryption at rest
In place: Application data, file uploads, and backups are stored in Postgres and object storage that are encrypted at rest by our infrastructure provider using AES-256.
Tenant isolation (Row-Level Security)
In place: Every multi-tenant table enforces Postgres Row-Level Security scoped by firm_id and auth.uid(). A firm admin cannot read another firm's invoices, clients, campaigns, files, or messages. We run an automated cross-firm isolation test suite (scripts/security-test-cross-firm.ts) against every release.
Role-based access control
In place: There are five roles (admin, lead, hr_lead, member, assistant) plus a platform-owner override path. Permissions are centralized in src/lib/permissions.ts and enforced both in the UI and at the database layer via security-definer functions.
Authenticated server functions
In place: All privileged server endpoints require a Supabase bearer token and re-validate the caller. Public webhooks verify provider signatures (Stripe) before processing.
Secret management
In place: API keys and service-role credentials are stored as managed environment secrets, never committed to source. The service-role database key is server-only and never reaches the browser bundle (enforced by build-time import protection).
Audit logging
In place: Sensitive actions (billing changes, admin overrides, branding changes, contract events, invoice events) write to immutable audit tables (billing_audit_log, platform_audit_log, branding_audit_log, invoice_events, email_events).
Payment data scope
In place: Card data is collected and processed by Stripe (PCI DSS Level 1). GCPR never sees full card numbers, CVV, or authentication data.
Backups & point-in-time recovery
In place: Database backups and point-in-time recovery are provided by our managed Postgres host. RPO/RTO targets are inherited from that provider.
Data subject rights
In place: Account holders can export and delete their data through the settings area, or by emailing privacy@gcprhq.com. Customer admins can do the same for their portal clients.
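As an added illustration of the firm_id / auth.uid() scoping described above (example SQL, not GCPR's own schema or migrations): the tables firm_members and invoices, their columns, and the helper is_firm_member are assumed; auth.uid() is Supabase's function returning the JWT subject. It also shows the security-definer pattern used for the membership check and a quick cross-firm query a release test can run.

```sql
-- Assumed schema (constructed for this example): a membership table and one tenant table.
create table if not exists firm_members (
  firm_id uuid not null,
  user_id uuid not null references auth.users(id),
  role    text not null check (role in ('admin','lead','hr_lead','member','assistant')),
  primary key (firm_id, user_id)
);

create table if not exists invoices (
  id          uuid primary key default gen_random_uuid(),
  firm_id     uuid not null,
  amount_cents bigint not null
);

-- Membership check runs as definer so policies on other tables can consult
-- firm_members without recursing into firm_members' own RLS. A definer
-- function must pin search_path so it cannot be redirected to a look-alike table.
create or replace function is_firm_member(p_firm_id uuid)
returns boolean
language sql
security definer
stable
set search_path = public
as $$
  select exists (
    select 1 from firm_members
    where firm_id = p_firm_id and user_id = auth.uid()
  );
$$;
revoke all on function is_firm_member(uuid) from public;
grant execute on function is_firm_member(uuid) to authenticated;

-- Enable and FORCE RLS: without FORCE the table owner bypasses every policy.
alter table invoices enable row level security;
alter table invoices force row level security;

-- USING filters reads/updates/deletes; WITH CHECK stops inserting rows into another firm.
create policy invoices_firm_scope on invoices
  for all to authenticated
  using (is_firm_member(firm_id))
  with check (is_firm_member(firm_id));

-- Cross-firm isolation check, Supabase style: impersonate a user of firm A and
-- query firm B. Placeholders in angle brackets are to be filled by the test.
begin;
set local role authenticated;
select set_config('request.jwt.claims', '{"sub":"<user-id-in-firm-A>"}', true);
select count(*) as leaked_rows from invoices where firm_id = '<firm-B-id>';  -- must be 0
rollback;
```

Note that `auth.uid()` returns NULL for an unauthenticated session, so the `exists` check fails closed; the same helper can be reused by policies on clients, campaigns, files, and messages.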
3. Compliance status — honest
GDPR / UK GDPR / CCPA — operational compliance
In place: We publish a Privacy Policy, a Cookie Notice, and a Data Processing Addendum referencing the EU Standard Contractual Clauses and the UK IDTA. We honor data subject access, deletion, and portability requests.
PCI DSS — out of scope via Stripe
In place: We do not store, process, or transmit cardholder data. PCI obligations are met by Stripe (Level 1 service provider).
SOC 2 Type I
In progress: We are aligning policies and controls to the AICPA Trust Services Criteria (Security, Availability, Confidentiality). A Type I report requires an audit by a licensed CPA firm and has not yet been completed. We do not claim SOC 2 today.
SOC 2 Type II
Not yet: Planned after Type I; it requires a 6-12 month observation window. We do not claim SOC 2 Type II today.
ISO/IEC 27001
Not yet: Under evaluation. It requires a documented ISMS and an audit by an accredited certification body. We do not claim ISO/IEC 27001 today.
HIPAA
Not yet: Our current architecture has many of the controls a HIPAA-compliant workload requires (encryption, RLS, audit logging, access control), but we have not executed Business Associate Agreements with all required subprocessors. Do not upload Protected Health Information (PHI) to GCPR. HIPAA-ready tiers with signed BAAs are on the Enterprise roadmap.
Third-party penetration test
Not yet: An annual third-party penetration test is on our roadmap. We currently rely on internal review, dependency scanning, and automated isolation tests.
If your procurement process requires a current SOC 2 report, ISO 27001 certificate, signed BAA, or completed CAIQ/SIG questionnaire, please contact us — we will tell you honestly whether we can meet the requirement today or not.
4. Incident response
We monitor application errors, authentication anomalies, and payment-webhook failures. On confirmation of a security incident affecting customer data, we will notify affected customers without undue delay (target: within 72 hours of confirmation) at the admin email on file, with the information they need to satisfy their own notification obligations under GDPR Art. 33-34 or applicable US state law. Our processor-side breach commitments are in the DPA.
5. Reporting a vulnerability
Security researchers and customers can report suspected vulnerabilities through our Responsible Disclosure page. We do not currently pay bounties but we acknowledge valid reports and credit researchers on request.
6. Contact
Security & compliance inquiries: security@gcprhq.com. Privacy requests: privacy@gcprhq.com. General: info@gcprhq.com.
© 2026 GCPR Communications LLC. All rights reserved.
