Trust Center
Security & Compliance at Acclivity Labs
Acclivity Labs and our sister brand Acclivity Digital Marketing operate under a documented security and compliance program. This page is the public window into that program — what we do, what we promise, and how we prove it.
● SOC 2-aligned · all 25 Common Criteria controls implemented · audit attestation in progress
What "SOC 2-aligned" means here
We have implemented and continuously evidence the same controls a SOC 2 audit would test. We have not yet engaged an external CPA to issue an attestation report — that engagement runs on customer demand.
If your procurement requires a signed SOC 2 Type 1 / Type 2 report, we engage an auditor on request and deliver in 30–90 days. Email [email protected] to start that conversation.
Live Posture updated continuously
100%
CC controls implemented
25 / 25
33+
Evidence items collected
automated daily harvest
16
Documented policies
all reviewed annually
0
Critical open gaps
in risk register
72%
CVE backlog reduction
last sweep: 108 → 30
200+
Containers monitored
acclivity-watchdog, 15-min cadence
What We Protect commitments
| Commitment | How |
| Confidentiality | Customer data isolated by tenant; sops-encrypted secrets; admin services bound to loopback; TLS 1.2+ on all public traffic via Cloudflare |
| Integrity | Append-only audit logs (7-year retention for compliance events); DB constraints; signed deploy artifacts; pre-commit secret scanning |
| Availability | Multi-machine HA fabric (gns1 ↔ gns2 over 200 Gb private link); validated through 2026-05-05 physical relocation; daily backup; quarterly DR drill |
| Processing Integrity | Customer-approved templates only; no AI "slop" (fabricated quotes, ragebait, fake stats); campaign content reviewed at launch |
Policies 16 documents
Full policies available under NDA on request. Summaries below.
Information Security Policy
Master policy · annual review · CEO-approved
CC1.1
Access Control Policy
RBAC · MFA · key-only SSH · quarterly access review
CC6.1-3
Cryptography Policy
TLS 1.2+, sops vault, ed25519, bcrypt cost 12+
CC6.7
Incident Response Plan
Severities · escalation · evidence preservation
CC7.4
Business Continuity Plan
RTO 4h · RPO 24h · HA fabric validated
CC9.1
Change Management
Pre-commit · image-tag pinning · pre-cve-patch backups
CC8.1
Vendor Risk Management
Annual review · subprocessor inventory
CC9.2
Data Protection Policy
Customer data rights · retention · subprocessors
C1.1
Logging & Monitoring Policy
Loki + Prometheus + Grafana · 7-year SOC2 audit log
CC2.1, CC7.x
Code of Conduct & Ethics
Annual signed acknowledgment · no-AI-slop standing rule
CC1.1
Acceptable Use Policy
All personnel · contractors · partners
all
Risk Management Policy
Quarterly review · risk register tracked
CC3.x
Secure SDLC Policy
Pre-commit secret scanning · CVE feeds · review gate
CC8.1, CC5.2
System Description
Auditor entry document · components · boundaries · scope
all
Data Flow Map
Inputs · stores · processing · outputs · subprocessors
CC2.x, C1.1
Risk Register
16 risks scored Likelihood × Impact · monthly/quarterly review
CC3.x
Trust Services Criteria — Coverage SOC 2
All 25 Common Criteria controls have documented implementation, evidence collection, and a designated owner. Six controls are operating with continuous evidence. The remainder are implemented with periodic review cadence.
CC1.1Integrity & Ethical Values
CC1.3Management Structure
CC2.1Information & Communication ✓
CC2.2Internal Communication
CC3.3Fraud Risk Assessment
CC5.2Technology Controls ✓
CC5.3Policies and Procedures
CC6.1Logical Access Security ✓
CC6.6External Threat Protection ✓
CC6.7Data Transmission Security
CC7.1Vulnerability Detection ✓
CC7.2Anomaly Monitoring ✓
CC7.3Security Event Evaluation
CC9.2Vendor Risk Management
Cells with green border = control is operating with continuous evidence. Plain cells = control is implemented with periodic review.
Subprocessors 5
| Subprocessor | Purpose | Data | Region |
| Microsoft (M365 + Graph API) | Email send/receive, calendar | Customer email content if cc'd | US |
| Cloudflare | DNS, WAF, tunnel ingress | Public-facing traffic metadata | Global edge / origin US |
| Anthropic (opt-in only) | LLM inference | Only when customer explicitly enables | US |
| HubSpot | CRM (Acclivity-side ops) | Acclivity prospect data | US |
| AWS | Storage backstop | Encrypted | US |
Default deployment uses local LLM (gemma4:e4b on GB10). No customer data leaves the Acclivity Labs perimeter unless the customer explicitly opts into Anthropic. Critical for healthcare, finance, and government workloads.
Operational Hardening recent
- 2026-05-07 ✓ 100% of CC controls implemented + continuously evidenced
- 2026-05-05 ✓ Multi-machine HA validated through physical relocation; zero customer-visible downtime
- 2026-05-01 ✓ 78 CVEs patched (108 → 30, 72% reduction); 12 admin services bound to loopback; sops vault deployed; 4 baseline policy docs published
- 2026-04-30 ✓ Cloudflare wildcard rules hardened; gns-soc + gns-pentester live with daily timers
- Continuous CVE / KEV / EPSS / OSV intelligence feeds via gns-security-agent; risk-scored against the running stack
Scope & Customer Responsibilities
| In Scope (Acclivity Labs Responsibility) | Out of Scope (Customer Responsibility) |
| GNS-operated containers, agents, databases, and infrastructure on gns1 + gns2 | Customer-owned platforms (LinkedIn, Customer CRM) |
| Cloudflare tunnel (DNS, WAF, ingress) | Customer-owned email tenants (we use ours) |
| Public-facing *.gnstech.io and customer-bound services | Subprocessor controls (relying on their published SOC reports) |
Complementary User Entity Controls. Customers must (a) maintain confidentiality of any portal credentials issued by Acclivity Labs, (b) promptly notify Acclivity Labs of personnel changes that affect access, and (c) use only approved channels for sharing credentials.
How to Engage With Us
If you're evaluating Acclivity Labs as a vendor and have security/compliance questions:
Email Dan directly
Submit a discovery intake
Sensitive appendices (full System Description, full policy library, evidence excerpts, risk register, audit logs) are made available under a Mutual NDA. Ask for the NDA template in your first email.