Security & Data Management

Gattaca Tech Security and Data Management Policy

Effective Date: May 5, 2024


1. Purpose 

The purpose of this policy is to ensure that Gattaca Tech data and information systems are properly classified, protected, retained and securely disposed of based on their sensitivity and importance to the company. It is the responsibility of every team member to uphold these principles and practices in their daily work. We are committed to protecting the confidentiality, integrity, and availability of our data and systems, and to maintaining the trust of our users and customers.


2. Scope

This policy applies to all employees, contractors, partners, and anyone else granted access to our systems and data. It covers all information, systems and devices that are owned or leased by Gattaca Tech Inc.

3. Security Principles

- Security is the responsibility of every team member. We must treat security as our top priority daily, not just during onboarding or when releasing a new product.

- We take ownership of security, looking out for risks, reminding each other, setting an example, and responding swiftly to issues.

- We take every security complaint seriously whether from users, bug reports, or other channels.

- Security policies apply equally to all employees. No exceptions.


4. Data Classification

4.1 Data and information systems are classified into three categories: 

- Confidential: Highly sensitive data requiring the highest level of protection. Includes customer PII, financial data, authentication credentials, source code, etc. Access restricted to authorized personnel only.

- Internal Use: Proprietary company information requiring protection. Includes policies, contracts, internal communications. Access based on business need-to-know. 

- Public: Information intended for public release, such as marketing materials and product documentation. No special protection required.

4.2 Data owners are responsible for classifying their data and specifying any additional handling requirements.


4.3 Information systems are classified according to the highest level of data they store or process.


5. Data Handling


5.1 Gattaca Tech utilizes AWS and GCP for data storage and processing. All data is encrypted at rest and in transit. Encryption keys are managed solely by the CTO, with regular key rotation practices in place. No vendors or contractors have access to systems containing confidential or customer data.


5.2 Access to sensitive systems and data is strictly controlled through specific user roles. Even the CEO does not have full access to all sensitive information. The CTO is the only individual with the highest level of access.


5.3 All new hires undergo mandatory security onboarding and training. Two-factor authentication is required for all employees across all systems.


5.4 In the event of a security incident, Gattaca Tech has a standard procedure for alerts, handling, and retrospective analysis. To date, there have been zero incidents, breaches, or vulnerabilities.


5.5 Confidential data must be encrypted at rest and in transit, and access is restricted to authorized personnel. It cannot be stored on personal devices or removable media. Paper records must be clearly labeled and securely stored and disposed of. Transfer to external parties requires management approval and contracts.


5.6 Internal Use data access is based on business need. It cannot be transferred externally without approval. Paper records and devices must be securely stored and wiped/destroyed before disposal.


5.7 No special handling is required for Public data.


6. Data Privacy 

- We treat user data with the utmost respect and confidentiality.

- User data must never be shared in team channels or externally.

- We do not and will not do ads. We will not use user data for anything other than serving our users. 

- We must respect and follow the access roles granted to us for each system.

- We do not share user data with any external entity or vendor unless explicitly approved by founders and critically needed for a business function.

7. Monitoring and Awareness

- We closely monitor security reports and complaints from all sources including users, social media, bug bounties, internal investigations and polish sprints. All issues are acted upon and taken seriously.

- Security training is mandatory for new teammates. Since security is P0 and we own it end to end, we continually cover best practices and reminders (e.g., enable 2FA) through written policies, examples, all-hands meetings, and team huddles.

- We maintain strong security awareness by over-communicating policies, speaking up about issues, and reinforcing secure practices.


8. Physical Security

- All physical assets, including laptops, mobile devices, access cards, and documents, must be protected from unauthorized access or theft at all times. Report any misplaced assets to founders@gattacatech.com or message us in Slack. As with all security matters, it is important that we over-communicate on these things clearly and fast.

- Workstations must be locked when unattended.


9. Secure Development

- Our services are designed and developed using secure methodologies. We have experience building services and applications that were used by tens of millions of users. We use proven services (e.g., Firebase), think about risks ahead of time (pre-mortem), do extensive QA on a number of different setups, and more.

- We have separate development and production environments. All code that goes to production has been tested and iterated on. For all code that goes to production we do full QA runs and PR reviews.

- Source code is managed securely following best practices. 


10. Data Retention and Disposal

10.1 Data will only be retained while there is a valid business, regulatory or contractual requirement. Data owners will set retention periods, with personal data deleted as soon as no longer needed.

10.2 Confidential and Internal Use data must be securely deleted when no longer required. Paper records will be shredded. Devices will be securely wiped prior to disposal or reuse.

10.3 Third-party vendors storing or processing company data must have adequate data disposal practices.

10.4 Data subject to legal holds is retained as required by the Legal department.


11. Compliance 


Compliance with this policy will be verified through various methods, including audits and business tool reports.


12. Exceptions

Exceptions to this policy must be approved by our Chief Technology Officer.


13. Violations

Violations should be reported to the Chief Technology Officer. Violations may result in disciplinary action up to and including termination of employment.


14. Review 

This policy will be reviewed bi-annually and updated as needed.
