Security at Gavel
We treat security as a first-class feature. Here's how we protect your data.
Last updated: [REPLACE WITH DATE OF YOUR LAST SECURITY-PRACTICES REVIEW]
Compliance frameworks we align with
Encryption
In transit
All data between clients and our servers is encrypted using TLS 1.3. We enforce HSTS and reject older protocol versions.
At rest
Databases, file storage, and backups are encrypted with AES-256. Encryption keys are rotated quarterly and stored in a separate key management service.
Secrets management
API keys, credentials, and service tokens are stored in a dedicated secrets vault — never in environment variables or code repositories.
Infrastructure
Compliance posture
Our architecture is designed to support industry-standard compliance requirements. Our controls are designed to be independently verifiable — consult your compliance team for current certification status.
Network segmentation
Production systems are isolated in private VPCs. There is no direct public internet access to databases or internal services.
DDoS protection
All endpoints sit behind enterprise-grade DDoS mitigation with automatic traffic scrubbing and rate limiting.
Application security
Dependency scanning
All dependencies are automatically scanned for CVEs on every commit. Critical vulnerabilities trigger immediate patching under an SLA of less than 24 hours.
Code review
Every change requires peer review. Security-sensitive paths (auth, billing, data export) require a second review from the security team.
Penetration testing
Our application is designed for regular third-party security assessment. Consult your security team to establish a penetration testing programme aligned with your risk profile.
Responsible disclosure
If you discover a security vulnerability, please report it to us privately at security@example.com. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it.
We will acknowledge your report within 24 hours, keep you informed of our progress, and credit you in our security advisories if you wish. We do not pursue legal action against researchers acting in good faith.