Our Security Posture
As a security product, we hold ourselves to the highest standards. GhostWall is built by security professionals, for security professionals.
SOC 2 Type II (in progress)
ISO 27001 (planned)
GDPR Compliant
CCPA Compliant
Infrastructure Security
Our infrastructure is designed with defense-in-depth principles:
- Cloud Provider: AWS with multi-AZ deployment for high availability
- Network Isolation: Private VPCs, security groups, and network ACLs
- Encryption in Transit: TLS 1.3 for all API and dashboard traffic
- Encryption at Rest: AES-256 encryption for all stored data
- Key Management: AWS KMS with automatic key rotation
- DDoS Protection: AWS Shield and Cloudflare WAF
Application Security
We follow secure development practices throughout our SDLC:
- Code Review: All code undergoes peer review before deployment
- SAST/DAST: Automated security scanning in CI/CD pipeline
- Dependency Scanning: Regular audits of third-party libraries
- Penetration Testing: Quarterly external pentests by certified professionals
- Bug Bounty: Launching Q1 2025 via HackerOne
- Secure Defaults: Principle of least privilege across all systems
Access Controls
- Multi-Factor Authentication: Required for all employee accounts
- SSO Integration: SAML 2.0 and OAuth 2.0 support for enterprise customers
- Role-Based Access: Granular permissions with principle of least privilege
- Session Management: Automatic timeout, secure session tokens
- Audit Logging: Comprehensive logs of all access and changes
Data Protection
- Data Residency: Choose between US, EU, or UK data centers
- Data Isolation: Customer data logically separated with encryption keys per tenant
- Backup & Recovery: Automated daily backups with 90-day retention
- Data Deletion: Secure deletion within 30 days of account termination
- No Raw Packets: We never store complete packet payloads, only metadata and threat indicators
Incident Response
We maintain a formal incident response plan:
- 24/7 Monitoring: Security Operations Center with automated alerting
- Response Time: Critical incidents acknowledged within 1 hour
- Communication: Affected customers notified within 24 hours of confirmed breach
- Transparency: Public post-mortems for significant incidents (when appropriate)
- Forensics: Digital forensics capabilities for investigation and evidence preservation
Compliance & Certifications
Current and planned compliance frameworks:
- GDPR: ✓ Full compliance with EU data protection regulations
- CCPA: ✓ California Consumer Privacy Act compliance
- SOC 2 Type II: In progress (audit Q1 2025)
- ISO 27001: Planned for H2 2025
- HIPAA: Available for healthcare customers (Business Associate Agreement)
- FedRAMP: Considering for government customers
Third-Party Security
We carefully vet all vendors and service providers:
- Security questionnaires and risk assessments before onboarding
- Contractual data protection requirements (DPAs)
- Regular review of vendor security posture
- Minimal third-party dependencies (we build most things in-house)
Employee Security
- Background Checks: All employees undergo background screening
- Security Training: Mandatory annual security awareness training
- Endpoint Security: MDM, disk encryption, and EDR on all company devices
- NDAs: Confidentiality agreements for all team members and contractors
Responsible Disclosure
We welcome security researchers and have a coordinated disclosure program:
- Scope: All GhostWall services, APIs, and infrastructure
- Response Time: Initial acknowledgment within 72 hours
- Safe Harbor: Good-faith security research is authorized and won't result in legal action
- Recognition: Public acknowledgment (with permission) on our security page
- Rewards: Bug bounty program launching Q1 2025
Transparency
We believe in transparency and publish:
- Security Updates: Changelog of security patches and improvements
- Status Page: Real-time system status and incident history
- Threat Intelligence: Anonymized insights from our detection network (opt-in)
- Security Whitepaper: Technical deep-dive into our architecture (available on request)
Questions?
For security-related questions or to request our security documentation: