1. Our Security Commitment
At Gid Solutions, Inc. (operating as "Gid AI"), security is built into the platform from the foundation up. Restaurant teams trust us with employee data, operational information, and business intelligence; this page describes, honestly and concretely, the controls we have in place today.
We follow recognized security frameworks and rely on top-tier infrastructure providers (Google Cloud Platform, Firebase) that maintain SOC 2 Type II and ISO 27001 certifications. Where we are still building out a control to enterprise level, we say so plainly rather than overclaim.
2. Infrastructure Security
Cloud Infrastructure
Our platform is built on enterprise-grade cloud infrastructure from industry leaders:
Google Cloud Platform
Primary hosting and data processing with automatic scaling and global redundancy
Amazon Web Services
Additional services and backup infrastructure for maximum reliability
Firebase
Real-time database and authentication with enterprise-grade security
Network Security
- DDoS Protection: Advanced protection against distributed denial of service attacks
- Web Application Firewall: Filters malicious traffic before it reaches our servers
- Load Balancing: Distributes traffic across multiple servers for reliability
- CDN Protection: Content delivery network with built-in security features
3. Data Protection
Encryption Everywhere
All data is encrypted both in transit and at rest using industry-standard AES-256 encryption. This means your information is protected whether it's being transmitted between systems or stored in our databases.
Data in Transit
- TLS 1.3 encryption for all web communications
- Certificate pinning to prevent man-in-the-middle attacks
- End-to-end encryption for sensitive data transmission
- Secure API endpoints with proper authentication
Data at Rest
- AES-256 encryption for all stored data
- Encrypted database storage with automatic key rotation
- Secure backup systems with encryption
- Hardware security modules (HSMs) for key management
4. Access Controls
Multi-Factor Authentication
We require multi-factor authentication (MFA) for all administrative access and offer it as an option for all users. This adds an extra layer of security beyond just passwords.
Role-Based Access Control
- Granular permissions based on user roles and responsibilities
- Principle of least privilege - users only access what they need
- Regular access reviews and automated deprovisioning
- Session management with automatic timeouts
Administrative Access
- All administrative access is logged and monitored
- Privileged access management (PAM) system
- Just-in-time access for maintenance operations
- Regular security training for all staff
5. Monitoring and Threat Detection
Continuous platform monitoring
Our production environment is monitored continuously by Google Cloud Logging and Cloud Monitoring. Alerts route to an on-call rotation backed by automated paging. Enterprise customers receive severity-1 response within 4 hours, 24/7, via the Enterprise support channel (see SLA). We do not operate a dedicated 24/7 staffed Security Operations Center today.
Real-Time Monitoring
- Continuous logging of application requests and system events via Google Cloud Logging
- Alerting on anomalous error rates, latency, and authentication patterns
- Firebase App Check guards against API abuse and unauthorized clients
- Multi-tenant isolation enforced at the database layer (Firestore security rules) and asserted in CI
Incident Response
- Documented incident-response runbook: detect, triage, contain, eradicate, recover, post-mortem
- On-call rotation with automated paging for severity-1 production incidents
- Personal Data Breach notification to affected Customers within 72 hours (GDPR Art. 33)
- Post-incident reports published within 14 days for severity-1 incidents lasting more than one hour
6. Security Certifications and Compliance
SOC 2 Framework
Adherence to SOC 2 framework principles with regular security reviews
ISO 27001 Framework
Alignment with international standards for information security management
GDPR Compliant
Full compliance with European data protection regulations
Regular Audits
- Regular internal security assessments following SOC 2 framework principles; our infrastructure providers (GCP, Firebase) maintain SOC 2 Type II certification
- Quarterly internal security assessments
- Regular penetration testing by security experts
- Continuous compliance monitoring and reporting
7. Application Security
Secure Development Practices
- Security-first development methodology
- Regular code reviews with security focus
- Automated security testing in our development pipeline
- Static and dynamic application security testing
Vulnerability Management
- Automated dependency vulnerability scanning on every commit (Dependabot, GitHub Advanced Security)
- Static application security testing in CI
- Penetration testing before major releases and on customer request, with findings tracked to closure
- Responsible disclosure program: report vulnerabilities to security@gidai.ca; we acknowledge within 5 business days and credit researchers who report responsibly. A formal bug bounty program is on our roadmap as we scale.
8. Business Continuity and Disaster Recovery
Uptime targets and service credits
Our uptime targets are 99.5% for Pro/SMB plans and 99.9% for Enterprise plans, with service credits if we miss the target. The full definitions, exclusions, and claim procedure are in our Service Level Agreement. We do not make uptime commitments for Free or Trial plans.
Backup and Recovery
- Firestore point-in-time recovery within the supported retention window (managed by Google Cloud)
- Daily encrypted backups retained for at least seven days
- Multi-region replication across Google Cloud zones for availability
- Recovery procedures documented in operational runbooks and exercised as part of major releases
High Availability
- Deployment on Google Cloud Run with automatic scaling and regional redundancy
- Load balancing managed by Google Cloud Load Balancer
- Real-time error monitoring and alerting via Cloud Logging
- Status updates on incidents posted directly to affected Customers (status page in development)
9. Employee Security
Confidentiality & access
Personnel with access to Customer data sign confidentiality obligations as a condition of access. Background checks are applied to security-sensitive roles and will be extended as the team grows. We say this directly rather than overclaiming "comprehensive background checks for all employees"; we are honest about where we are in our build-out.
Security Training
- Security awareness onboarding for all personnel with production access
- Phishing-pattern review during onboarding
- Specialized review for security-sensitive roles, expanded as the team grows
- Periodic policy reviews aligned with product changes
10. Customer Security Best Practices
Account Security
- Use strong, unique passwords for your Gid AI account
- Enable multi-factor authentication when available
- Regularly review user access and permissions
- Report any suspicious activity immediately
Data Management
- Limit access to sensitive information on a need-to-know basis
- Regularly review and clean up user accounts
- Keep your integration systems up to date
- Follow your organization's data retention policies
11. Incident Reporting
If you discover a security vulnerability or experience a security incident related to our service, please contact us through the information provided in our footer.
What to Include
- Description of the security issue or incident
- Steps to reproduce the vulnerability (if applicable)
- Your contact information
- Any evidence or screenshots (if safe to share)
12. Transparency and Communication
We believe in transparent communication about security:
- We will notify customers of any security incidents that may affect their data
- We publish regular security updates and best practices
- We maintain up-to-date security documentation
- We participate in industry security forums and initiatives