Security Architecture

Gateplex is built for deployment in regulated industries. Here is how we protect your data and our infrastructure.

Data Protection

Your data, encrypted and isolated

Data in Transit

All API traffic encrypted with TLS 1.3. HTTPS enforced across every endpoint. No plaintext communication permitted.

Data at Rest

Intercept data stored with AES-256 encryption. Row-level security policies enforce strict tenant isolation at the database layer. No cross-tenant data access is possible.

API Key Security

API keys are hashed with bcrypt before storage. Keys never appear in logs. Keys can be rotated or revoked instantly from the dashboard.

Data Residency

EU and US data residency available on Enterprise plans. Customer-chosen regions available on request. Data never leaves the configured region.

Compliance Posture

Built around regulatory requirements

SOC 2 Type II

Audit in progress. We follow SOC 2 controls today and can share our current security posture documentation on request under NDA.

GDPR

We act as a data processor for customer data. Data subject access request workflows supported. EU data residency available. DPA available on request.

EU AI Act

Gateplex maps to Article 12 tamper-evident logging and Article 14 human oversight requirements. Compliance exports formatted for regulatory review.

Infrastructure Security

Controls enforced at every layer

Tenant Isolation

Row-level security enforced at the database layer. Every query is scoped to the authenticated organisation. No shared data surfaces between tenants.

Tamper-Evident Audit Trail

Every intercept record stores a SHA-256 hash of its own content and the hash of the preceding record at insert time. Chain integrity verified at compliance report generation. Deletion or modification of any record breaks the chain.

Access Control

Dashboard access governed by role-based permissions. SSO via SAML and OIDC available on Enterprise plans. Okta, Azure AD, and Google Workspace supported.

Vulnerability Disclosure

Responsible disclosure program at security@gateplex.ai. 90-day disclosure policy. All valid reports acknowledged within 48 hours.

VPC and On-Premises Deployment

For organisations with strict data sovereignty requirements, Gateplex can be deployed entirely within your own cloud environment. Agent payloads, audit logs, and governance decisions never leave your perimeter. Policy synchronisation uses an encrypted outbound-only channel. Available on Enterprise plans. Contact us to discuss your deployment requirements.