Trust & Security

Your institutional knowledge is your competitive advantage. Here's exactly how we protect it.

  • Encrypted at Rest & In Transit: AES-256-GCM · TLS 1.2+
  • Security Headers Enforced: HSTS · CSP · X-Frame-Options · Rate Limiting
  • AI Data Never Trains Models: Your data stays yours — zero model training

Encryption

At Rest

All sensitive data, including OAuth tokens and integration credentials, is encrypted using AES-256-GCM authenticated encryption. This provides both confidentiality and integrity verification in a single pass, meeting enterprise and SOC 2 requirements for 256-bit encryption. Encryption keys are derived separately from application data and are never stored in source code.

In Transit

All connections to Gheist.io are encrypted with TLS 1.2 or higher. We enforce HTTPS via HTTP Strict Transport Security (HSTS) headers with a one-year max-age policy, preventing protocol downgrade attacks.

Infrastructure & Hosting

Gheist.io is hosted on Railway, a managed cloud platform that provides isolated containers, automated deployments, and built-in DDoS protection. Our infrastructure includes:

  • Containerized application deployment with isolated runtime environments
  • Managed PostgreSQL database with automated backups
  • Zero-downtime deployments via rolling updates
  • Application-level rate limiting to prevent abuse

Access Controls

Gheist.io enforces strict access boundaries:

  • Organization isolation: All data is scoped to your organization. There is no cross-tenant data access.
  • Role-based access (RBAC): Admins can control who has access to what knowledge within the platform.
  • JWT authentication: Secure, token-based authentication with configurable session expiry.
  • CORS protection: Cross-origin requests are restricted to configured, authorized domains only.

AI Transparency

Gheist.io uses Anthropic's Claude as its AI processing engine. Here is exactly how your data flows through the AI system:

What happens

  • When you query the AI assistant or trigger knowledge analysis, relevant data from your knowledge base is sent to Anthropic's API
  • Claude processes the request and returns insights, summaries, or answers
  • Results are stored within your organization's workspace

What doesn't happen

  • Your data is never used to train, fine-tune, or improve AI models
  • Anthropic does not retain your data beyond generating a response
  • No data is shared with any other customer or third party

Compliance Posture

  • SOC 2 Type II — In Progress
  • HTTPS / TLS Enforced
  • HSTS Enabled
  • CSP Enforced

SOC 2 Type II: We are actively pursuing SOC 2 Type II certification. Our current security controls — encryption, access controls, logging, and incident response — are designed to align with SOC 2 Trust Service Criteria. We expect to complete our audit in 2026 and will update this page with our certification status.

GDPR Readiness: Gheist.io is designed with data privacy principles at its core. We support data subject rights (access, deletion, portability), maintain data processing transparency, and minimize data collection.

Data Processing Agreement (DPA): A DPA incorporating the European Commission's Standard Contractual Clauses (SCCs) is available for all customers. Enterprise customers receive a DPA as part of onboarding. For all other plans, request a DPA at legal@gheist.io and we will provide one within 2 business days.

Business Continuity & Disaster Recovery

Gheist.io maintains the following recovery targets:

  • RPO (Recovery Point Objective): 24 hours. Database backups are performed daily with point-in-time recovery capability.
  • RTO (Recovery Time Objective): 4 hours. In the event of a full service disruption, we target restoration within 4 hours.
  • Backup strategy: Automated daily PostgreSQL backups with encrypted storage. Backup integrity is verified regularly.
  • Uptime target: 99.9% monthly availability for core platform services. Service credits are available under our Terms of Service SLA.

Data Portability & Deletion

Your data is never locked in. Gheist.io supports:

  • Full data export: Export your entire knowledge base in standard formats (JSON, CSV) at any time.
  • Account deletion: Request complete data deletion. We remove all Customer Data within 30 days of request.
  • Post-termination export: After account termination, your data remains available for export for 30 days before permanent deletion.
  • No vendor lock-in: Your knowledge remains in formats you can use elsewhere.

Accessibility

Gheist.io is committed to making our platform accessible. We are working toward WCAG 2.1 AA conformance and continuously improve the accessibility of our interface. If you encounter accessibility barriers, please contact support@gheist.io and we will work to address them promptly.

Security Reporting

If you discover a security vulnerability, please report it responsibly to security@gheist.io. We take all reports seriously and will respond within 48 hours. We do not pursue legal action against good-faith security researchers.