How we protect customer data.

Honest specifics about the controls we have in place, the boundaries we own, and the certifications we have not claimed. If we say we do something, we do it. If we are not yet certified for something, we say so.

Security posture at a glance

Transport & authentication

  • TLS 1.2 or higher across all public surfaces
  • HSTS with preload (browser-enforced HTTPS)
  • Signed JWT authentication with rotating shared secret
  • Argon2id password hashing where supported; bcrypt otherwise
  • Short-lived access tokens; longer-lived refresh tokens; both revocable
  • Optional SSO (SAML and OIDC) via library-backed implementation

Data & storage

  • Production data hosted in the United States
  • Encrypted at rest in supported managed databases
  • Per-product database boundaries (no shared production schemas)
  • Fortilis uses zero-knowledge client-side encryption
  • Secrets stored separately from application configuration
  • Backups managed by the underlying hosting providers

Operations & access

  • Principle of least privilege for production access
  • Admin panel sits behind dedicated authentication and RBAC
  • Code review and continuity-doc updates required on shipped changes
  • Documented incident response and rollback playbooks
  • No shared production credentials; per-engineer access where needed

What we do not claim

  • We are not currently SOC 2 certified
  • We are not currently ISO 27001 certified
  • We do not claim HIPAA covered-entity readiness
  • We do not display compliance badges we have not earned
  • If formal certification is on our roadmap, we will update this page when that changes

How authentication works across GDK Digital products

GDK Digital uses a single universal login at gdkdigital.com/login.html. A successful login issues a JSON Web Token signed with a shared platform secret. Each product backend verifies the signature with the same secret. Specifically:

  1. A user signs in with email and password (or via SSO if their organization has it configured).
  2. The platform issues a short-lived access token and a longer-lived refresh token, both signed with the platform secret.
  3. The user's browser stores the tokens in localStorage and presents the access token as a Bearer credential on API calls.
  4. Each product's backend verifies the signature locally; no per-product database lookup is required to confirm identity.
  5. When the access token expires, the refresh token mints a new one without forcing a re-login. Both tokens can be revoked.

The trust bridge between products is the signed JWT, not a shared database connection. Rotating the platform secret invalidates every token in the system, which we treat as a coordinated event.

Product-specific security notes

Fortilis

Vault contents are encrypted client-side before they touch the network. The server stores encrypted blobs and never sees plaintext. Decryption happens only on devices you control.

GDK-CRM

Tenant-isolated data model with row-level security policies at the database layer. Each tenant's data is unreachable from other tenants' queries.

GDK Nexus

QR redirect payloads with sensitive content use client-side AES-GCM encryption with the decryption key carried in the URL fragment (never sent to the server).

How to report a security concern

If you believe you have found a security vulnerability in any GDK Digital product, please email security@gdkdigital.com.

What to include

  • A description of the issue
  • Steps to reproduce
  • Any proof-of-concept material
  • Your preferred contact method for follow-up

What you can expect

  • Acknowledgement of the report within two business days
  • A status update within seven business days
  • Good-faith communication through resolution
  • Credit in any public disclosure if you want it; anonymity if you do not

We do not pursue legal action against good-faith security researchers who follow responsible disclosure: do not access data that does not belong to you, do not impact service availability, and give us reasonable time to fix the issue before public disclosure.

Frequently asked questions

How does GDK Digital protect customer data?

Transport security uses TLS 1.2 or higher across all public surfaces. Authentication uses signed JSON Web Tokens (JWT) with rotating secrets and short access-token lifetimes. Passwords are hashed with Argon2id where supported and bcrypt otherwise. Fortilis specifically uses zero-knowledge client-side encryption so the server never sees plaintext credentials.

Is GDK Digital SOC 2 certified?

No. We do not currently claim SOC 2 certification. We do not display badges or seals we have not earned. If formal certification is on our roadmap, we will update this page when it changes.

How does authentication work across GDK Digital products?

A single universal login at gdkdigital.com/login.html issues a JWT signed with a shared platform secret. Each product backend verifies the signature with the same secret. The trust bridge between products is the signed JWT, not a shared database connection.

How do I report a security vulnerability?

Email security@gdkdigital.com with a description of the issue, reproduction steps, and any proof-of-concept material. We acknowledge reports within two business days. We do not pursue legal action against good-faith researchers who follow responsible disclosure.

Where is customer data stored?

Platform identity data (users, organizations, subscriptions) is stored in a MySQL database hosted with Hostinger in the United States. Product data is stored per product, typically in Supabase PostgreSQL (also U.S.-hosted) or in a per-product MySQL database. Fortilis vault contents are encrypted client-side; the server stores only encrypted blobs.

Do you train AI on customer data?

No. Custom AI agents and Claude Skills we build for clients are scoped to that client's use case. We do not reuse client data, prompts, or knowledge bases across other client builds, and we do not feed customer data into general-purpose model training.

Questions about our security posture?

For general questions, use the contact form. For security disclosure, email security@gdkdigital.com.

Last updated: 2026-05-28