How we protect your data and infrastructure.
Security Overview
At Geocoupler, security is a foundational principle, not an afterthought. We are committed to protecting the confidentiality, integrity, and availability of the data you entrust to us. This Security Policy outlines the technical and organizational measures we implement to safeguard your information.
Our security program is built around industry-recognized frameworks and undergoes continuous improvement. We employ dedicated security personnel and conduct regular internal and third-party assessments to ensure our controls remain effective against evolving threats.
Infrastructure Security
Geocoupler operates on enterprise-grade cloud infrastructure with multiple layers of physical and logical security controls. Our production environments are hosted in data centers certified to ISO 27001, SOC 2 Type 2, and PCI DSS standards.
We use virtual private cloud (VPC) architectures with network segmentation to isolate production systems from development and staging environments. All inbound and outbound traffic is monitored and filtered through enterprise-grade firewalls and intrusion detection systems.
We maintain geographically distributed infrastructure to ensure high availability and disaster recovery capabilities. Our systems are designed with redundancy at every layer to minimize single points of failure.
Data Encryption
All data transmitted to and from the Geocoupler platform is encrypted in transit using TLS 1.2 or higher. We enforce HTTPS across all endpoints and do not support legacy SSL or early TLS versions.
Data at rest is encrypted using AES-256 encryption. This includes all customer data stored in our databases, file storage systems, and backups. Encryption keys are managed through a dedicated key management service and rotated on a defined schedule.
Database backups are encrypted using the same standards as production data and are stored in isolated, access-controlled environments separate from primary data stores.
Access Control
Access to Geocoupler production systems is governed by the principle of least privilege. All internal access is role-based, regularly reviewed, and requires multi-factor authentication (MFA). Access rights are revoked immediately upon role changes or employee offboarding.
Customer accounts support role-based access control (RBAC), allowing administrators to grant granular permissions to team members. We recommend enabling MFA for all user accounts in your organization.
We maintain comprehensive audit logs of all access to customer data and system resources. These logs are tamper-evident, retained for a minimum of 12 months, and reviewed regularly for anomalous activity.
Vulnerability Management
We conduct regular automated and manual security assessments of our platform, including static code analysis, dynamic application security testing (DAST), and dependency scanning as part of our CI/CD pipeline.
Geocoupler engages independent third-party security firms to perform annual penetration tests of our infrastructure and applications. Findings are triaged, prioritized, and remediated according to their severity.
We operate a responsible disclosure program and welcome security researchers who identify and report potential vulnerabilities in our platform. Reports can be submitted to support@geocoupler.com with the subject line "Security Disclosure".
Incident Response
Geocoupler maintains a formal incident response plan that defines procedures for detecting, containing, eradicating, and recovering from security incidents. Our security team is on-call 24/7 to respond to alerts.
In the event of a security incident that affects your data, we will notify affected customers within 72 hours of becoming aware of the breach, in accordance with applicable data protection regulations, including GDPR and applicable U.S. state laws.
Post-incident, we conduct thorough root cause analyses and implement remediation measures to prevent recurrence. Incident reports are made available to affected customers upon request.
Compliance and Certifications
Geocoupler maintains SOC 2 Type 2 compliance, which is audited annually by an independent third-party auditor. Our SOC 2 report covers the Security, Availability, and Confidentiality trust service criteria. Customers on eligible plans may request a copy of our SOC 2 report under NDA.
Our platform and practices are designed to support customer compliance with GDPR, CCPA, HIPAA (where applicable), and other regional data protection regulations. We provide Data Processing Agreements (DPAs) for customers who require them.
We are committed to maintaining and expanding our compliance certifications as our platform and customer base evolve.
Employee Security
All Geocoupler employees undergo background checks prior to employment. Employees with access to production systems or customer data receive mandatory security awareness training at onboarding and annually thereafter.
We maintain clear internal security policies covering acceptable use, data handling, incident reporting, and secure development practices. Employees are required to acknowledge and adhere to these policies.
Access to customer data by Geocoupler employees is strictly need-to-know and requires approval. All such access is logged and subject to audit.
Contact Us
If you have any questions about our security practices or wish to report a security concern, please contact us at support@geocoupler.com.