Trust, Security & Compliance

Last updated: June 29, 2026

This page is maintained by GCPR Communications LLC LLC to answer common security and privacy questions about GCPR. It describes controls that are actually live in the product today, work that is in progress, and items on our roadmap. It is not a third-party certification. Where a formal certification (SOC 2, ISO 27001) or a legal framework (HIPAA) applies, we say so explicitly.

1. Shared responsibility

GCPR is a multi-tenant SaaS platform. Security is shared:

  • GCPR Communications LLC LLC operates the platform, manages infrastructure providers, and enforces tenant isolation, access controls, and incident response.
  • Customers (firms and account admins) are responsible for choosing strong passwords, enabling MFA where available, managing their own users and roles, and establishing the lawful basis for any data they upload.
  • Infrastructure providers (listed in our Subprocessors page) carry their own certifications for the layers they operate.

2. Technical controls in place today

Encryption in transit

In place

All traffic to GCPR is served over HTTPS with TLS 1.2 or higher. HSTS is enabled on the production domain.

Encryption at rest

In place

Application data, file uploads, and backups are stored in Postgres and object storage that are encrypted at rest by our infrastructure provider using AES-256.

Tenant isolation (Row-Level Security)

In place

Every multi-tenant table enforces Postgres Row-Level Security scoped by firm_id and auth.uid(). A firm admin cannot read another firm's invoices, clients, campaigns, files, or messages. We run an automated cross-firm isolation test suite (scripts/security-test-cross-firm.ts) against every release.
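To make the isolation model above concrete, here is an added example of the kind of firm-scoped Row-Level Security policy described, written against a Supabase-style Postgres database; it is not GCPR's own schema, and the table, column and policy names are assumed for illustration.

```sql
-- Added illustration, not GCPR's schema: table, column and policy names are
-- assumed. auth.uid() is Supabase's helper returning the caller's user id
-- from the request JWT.

create table invoices (
  id          uuid primary key default gen_random_uuid(),
  firm_id     uuid not null,
  total_cents integer not null
);

create table firm_members (
  firm_id uuid not null,
  user_id uuid not null,
  role    text not null
          check (role in ('admin', 'lead', 'hr_lead', 'member', 'assistant')),
  primary key (firm_id, user_id)
);

-- Enable RLS and force it so even the table owner is subject to the policies.
alter table invoices enable row level security;
alter table invoices force row level security;

-- Read: any member of the row's firm.
create policy invoices_select_same_firm on invoices
  for select to authenticated
  using (exists (
    select 1 from firm_members m
    where m.firm_id = invoices.firm_id and m.user_id = auth.uid()));

-- Write: only admins/leads of that firm, and the new row must stay in it.
create policy invoices_write_firm_admin on invoices
  for all to authenticated
  using (exists (
    select 1 from firm_members m
    where m.firm_id = invoices.firm_id and m.user_id = auth.uid()
      and m.role in ('admin', 'lead')))
  with check (exists (
    select 1 from firm_members m
    where m.firm_id = invoices.firm_id and m.user_id = auth.uid()
      and m.role in ('admin', 'lead')));

-- Cross-firm isolation check: impersonate a firm-B user (constructed sample
-- UUIDs) and query firm A's rows; a firm-B caller must not see any of them.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-0000000000b1"}', true);
  select count(*) as visible_firm_a_rows from invoices
   where firm_id = '00000000-0000-0000-0000-0000000000a1';
rollback;
```

Security-definer functions execute with their owner's privileges, so RLS on the underlying tables does not automatically apply inside them; any firm_id check such a function performs has to be explicit.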

Role-based access control

In place

Five roles (admin, lead, hr_lead, member, assistant) plus a platform-owner override path. Permissions are centralized in src/lib/permissions.ts and enforced both in the UI and at the database layer via security-definer functions.

Authenticated server functions

In place

All privileged server endpoints require a Supabase bearer token and re-validate the caller. Public webhooks verify provider signatures (Stripe) before processing.

Secret management

In place

API keys and service-role credentials are stored as managed environment secrets, never committed to source. The service-role database key is server-only and never reaches the browser bundle (enforced by build-time import protection).

Audit logging

In place

Sensitive actions (billing changes, admin overrides, branding changes, contract events, invoice events) write to immutable audit tables (billing_audit_log, platform_audit_log, branding_audit_log, invoice_events, email_events).

Payment data scope

In place

Card data is collected and processed by Stripe (PCI DSS Level 1). GCPR never sees full card numbers, CVV, or authentication data.

Backups & point-in-time recovery

In place

Database backups and point-in-time recovery are provided by our managed Postgres host. RPO/RTO targets are inherited from that provider.

Data subject rights

In place

Account holders can export and delete their data through the settings area, or by emailing privacy@gcprhq.com. Customer admins can do the same for their portal clients.

3. Compliance status — honest

GDPR / UK GDPR / CCPA — operational compliance

In place

We publish a Privacy Policy, a Cookie Notice, and a Data Processing Addendum referencing the EU Standard Contractual Clauses and the UK IDTA. We honor data subject access, deletion, and portability requests.

PCI DSS — out of scope via Stripe

In place

We do not store, process, or transmit cardholder data. PCI obligations are met by Stripe (Level 1 service provider).

SOC 2 Type I

In progress

We are aligning policies and controls to the AICPA Trust Services Criteria (Security, Availability, Confidentiality). A Type I report requires an audit by a licensed CPA firm and is not complete. We do not claim SOC 2 today.

SOC 2 Type II

Not yet

Planned after Type I; requires a 6-12 month observation window. We do not claim SOC 2 Type II today.

ISO/IEC 27001

Not yet

Under evaluation. Requires a documented ISMS and audit by an accredited certification body. We do not claim ISO/IEC 27001 today.

HIPAA

Not yet

Our current architecture has many controls a HIPAA-compliant workload requires (encryption, RLS, audit logging, access control), but we have not executed Business Associate Agreements with all required subprocessors. Do not upload Protected Health Information (PHI) to GCPR. HIPAA-ready tiers with signed BAAs are on the Enterprise roadmap.

Third-party penetration test

Not yet

An annual third-party penetration test is on our roadmap. We currently rely on internal review, dependency scanning, and automated isolation tests.

If your procurement process requires a current SOC 2 report, ISO 27001 certificate, signed BAA, or completed CAIQ/SIG questionnaire, please contact us — we will tell you honestly whether we can meet the requirement today or not.

4. Incident response

We monitor application errors, authentication anomalies, and payment-webhook failures. On confirmation of a security incident affecting customer data, we will notify affected customers without undue delay (target: within 72 hours of confirmation) at the admin email on file, with the information they need to satisfy their own notification obligations under GDPR Art. 33-34 or applicable US state law. Our processor-side breach commitments are in the DPA.

5. Reporting a vulnerability

Security researchers and customers can report suspected vulnerabilities through our Responsible Disclosure page. We do not currently pay bounties but we acknowledge valid reports and credit researchers on request.

6. Contact

Security & compliance inquiries: security@gcprhq.com. Privacy requests: privacy@gcprhq.com. General: info@gcprhq.com.

© 2026 GCPR Communications LLC LLC. All rights reserved.