How we protect your data

Last updated 20 June 2026

Gideon is a security product, so the way we handle your data is part of the product. The short version: we take the least we can, only the read-only logs you choose to send, use them solely to produce your report, and delete them quickly. We never connect to your environment.

Read-only by design

No agent, no access. Gideon installs nothing in your account and holds no role or credentials there. It works only on the CloudTrail export you send us.
Data minimisation. CloudTrail records which API calls happened — not your files, database contents, or secrets. That is all we ask for.

Data handling

Encryption. Data is encrypted in transit (TLS) and at rest.
Short retention. Uploaded logs are used only to generate your report and are deleted within 7 days.
No selling, no sharing. We never sell your data and never share it, except with the sub-processors needed to run the service.
Access control. Access to uploads is limited; administrative endpoints are authentication-gated.

Application & infrastructure

Hardened web layer. A strict Content-Security-Policy and standard security headers (HSTS, no-sniff, clickjacking protection) are enforced across the site.
No third-party trackers. The site runs no analytics or advertising scripts and sets no tracking cookies (see Cookies).
Resilient hosting. The site and storage run on Cloudflare’s global infrastructure.
Analysis integrity. The triage pipeline is hardened against attempts to manipulate it through crafted content in the logs themselves.

Sub-processors

We rely on Cloudflare (hosting & storage), Anthropic (AI analysis), and Paddle (payments). Details and locations are in our Data Processing Agreement and Privacy Policy.

Responsible disclosure

Found a security issue? We appreciate the help. Please email audit@gideonhq.io with details and steps to reproduce, and give us reasonable time to remediate before any public disclosure. Please don’t access or modify data that isn’t yours while testing.

Honest scope

We’re a young company and don’t yet hold formal certifications such as SOC 2. We’d rather tell you exactly what we do than imply more. Have a specific security or compliance question before you send anything? Ask us.

← Back to gideonhq.io