Trust Center

Security & Compliance at Acclivity Labs

Acclivity Labs and our sister brand Acclivity Digital Marketing operate under a documented security and compliance program. This page is the public window into that program — what we do, what we promise, and how we prove it.

SOC 2-aligned · all 25 Common Criteria controls implemented · audit attestation in progress

What "SOC 2-aligned" means here

We have implemented and continuously evidence the same controls a SOC 2 audit would test. We have not yet engaged an external CPA to issue an attestation report — that engagement runs on customer demand.

If your procurement requires a signed SOC 2 Type 1 / Type 2 report, we engage an auditor on request and deliver in 30–90 days. Email [email protected] to start that conversation.

Live Posture updated continuously

100%
CC controls implemented
25 / 25
33+
Evidence items collected
automated daily harvest
16
Documented policies
all reviewed annually
0
Critical open gaps
in risk register
72%
CVE backlog reduction
last sweep: 108 → 30
200+
Containers monitored
acclivity-watchdog, 15-min cadence

What We Protect commitments

CommitmentHow
ConfidentialityCustomer data isolated by tenant; sops-encrypted secrets; admin services bound to loopback; TLS 1.2+ on all public traffic via Cloudflare
IntegrityAppend-only audit logs (7-year retention for compliance events); DB constraints; signed deploy artifacts; pre-commit secret scanning
AvailabilityMulti-machine HA fabric (gns1 ↔ gns2 over 200 Gb private link); validated through 2026-05-05 physical relocation; daily backup; quarterly DR drill
Processing IntegrityCustomer-approved templates only; no AI "slop" (fabricated quotes, ragebait, fake stats); campaign content reviewed at launch

Policies 16 documents

Full policies available under NDA on request. Summaries below.

Information Security Policy
Master policy · annual review · CEO-approved
CC1.1
Access Control Policy
RBAC · MFA · key-only SSH · quarterly access review
CC6.1-3
Cryptography Policy
TLS 1.2+, sops vault, ed25519, bcrypt cost 12+
CC6.7
Incident Response Plan
Severities · escalation · evidence preservation
CC7.4
Business Continuity Plan
RTO 4h · RPO 24h · HA fabric validated
CC9.1
Change Management
Pre-commit · image-tag pinning · pre-cve-patch backups
CC8.1
Vendor Risk Management
Annual review · subprocessor inventory
CC9.2
Data Protection Policy
Customer data rights · retention · subprocessors
C1.1
Logging & Monitoring Policy
Loki + Prometheus + Grafana · 7-year SOC2 audit log
CC2.1, CC7.x
Code of Conduct & Ethics
Annual signed acknowledgment · no-AI-slop standing rule
CC1.1
Acceptable Use Policy
All personnel · contractors · partners
all
Risk Management Policy
Quarterly review · risk register tracked
CC3.x
Secure SDLC Policy
Pre-commit secret scanning · CVE feeds · review gate
CC8.1, CC5.2
System Description
Auditor entry document · components · boundaries · scope
all
Data Flow Map
Inputs · stores · processing · outputs · subprocessors
CC2.x, C1.1
Risk Register
16 risks scored Likelihood × Impact · monthly/quarterly review
CC3.x

Trust Services Criteria — Coverage SOC 2

All 25 Common Criteria controls have documented implementation, evidence collection, and a designated owner. Six controls are operating with continuous evidence. The remainder are implemented with periodic review cadence.

CC1.1
Integrity & Ethical Values
CC1.2
Board Oversight
CC1.3
Management Structure
CC2.1
Information & Communication ✓
CC2.2
Internal Communication
CC3.1
Risk Objectives
CC3.2
Risk Analysis
CC3.3
Fraud Risk Assessment
CC5.1
Control Activities
CC5.2
Technology Controls ✓
CC5.3
Policies and Procedures
CC6.1
Logical Access Security ✓
CC6.2
User Registration
CC6.3
Role-Based Access
CC6.6
External Threat Protection ✓
CC6.7
Data Transmission Security
CC6.8
Malware Controls
CC7.1
Vulnerability Detection ✓
CC7.2
Anomaly Monitoring ✓
CC7.3
Security Event Evaluation
CC7.4
Incident Response
CC7.5
Incident Recovery
CC8.1
Change Management
CC9.1
Business Continuity
CC9.2
Vendor Risk Management

Cells with green border = control is operating with continuous evidence. Plain cells = control is implemented with periodic review.

Subprocessors 5

SubprocessorPurposeDataRegion
Microsoft (M365 + Graph API)Email send/receive, calendarCustomer email content if cc'dUS
CloudflareDNS, WAF, tunnel ingressPublic-facing traffic metadataGlobal edge / origin US
Anthropic (opt-in only)LLM inferenceOnly when customer explicitly enablesUS
HubSpotCRM (Acclivity-side ops)Acclivity prospect dataUS
AWSStorage backstopEncryptedUS
Default deployment uses local LLM (gemma4:e4b on GB10). No customer data leaves the Acclivity Labs perimeter unless the customer explicitly opts into Anthropic. Critical for healthcare, finance, and government workloads.

Operational Hardening recent

Scope & Customer Responsibilities

In Scope (Acclivity Labs Responsibility)Out of Scope (Customer Responsibility)
GNS-operated containers, agents, databases, and infrastructure on gns1 + gns2Customer-owned platforms (LinkedIn, Customer CRM)
Cloudflare tunnel (DNS, WAF, ingress)Customer-owned email tenants (we use ours)
Public-facing *.gnstech.io and customer-bound servicesSubprocessor controls (relying on their published SOC reports)
Complementary User Entity Controls. Customers must (a) maintain confidentiality of any portal credentials issued by Acclivity Labs, (b) promptly notify Acclivity Labs of personnel changes that affect access, and (c) use only approved channels for sharing credentials.

How to Engage With Us

If you're evaluating Acclivity Labs as a vendor and have security/compliance questions:

Email Dan directly Submit a discovery intake

Sensitive appendices (full System Description, full policy library, evidence excerpts, risk register, audit logs) are made available under a Mutual NDA. Ask for the NDA template in your first email.

Customer Story case study

VRC Insurance · Live in production
Migrating off Base44 onto a GNS-owned, AI-augmented platform
Three role-gated portals · 41-table schema · 6-agent AI suite · survived a physical hardware move with zero customer impact →