Data Security
January 2025
(Version 1.1)
Enterprise-Grade Security
At GoGorilla, we implement comprehensive security measures to protect your personal data through defense-in-depth protection, industry-leading standards, and continuous monitoring. We don't rely on just one security measure. Instead, we layer multiple protections on top of each other, so even if one layer is compromised, your data remains safe.
Security Framework Overview
Our security framework is built on industry best practices and regulatory requirements, providing multiple layers of protection for your data.
Defense-in-Depth Protection
Layered Security: Multiple security controls at different levels
Risk-Based Approach: Security measures proportionate to data sensitivity and risk
Continuous Improvement: Regular security assessments and enhancements
Incident Response: Comprehensive incident detection and response capabilities
Regulatory Compliance
Our security measures meet or exceed requirements under:
UK GDPR Article 32: Security of processing requirements
ISO 27001: Information security management system
SOC 2 Type II: Security, availability, and confidentiality controls
PCI DSS: Payment card industry data security standards
Technical Safeguards
We implement comprehensive technical security measures to protect your data from unauthorised access, alteration, or destruction.
Transfer Impact Assessment

Data State         | Encryption Method                    | Key Management                          | Standards
-------------------|--------------------------------------|-----------------------------------------|-------------------
Data at Rest       | AES-256 encryption                   | Hardware Security Modules (HSMs)        | FIPS 140-2 Level 3
Data in Transit    | TLS 1.3 with Perfect Forward Secrecy | Certificate pinning, HSTS               | NIST SP 800-52
Data in Processing | Application-level encryption         | Secure enclaves, confidential computing | Intel SGX, AMD SEV
Backup Data        | AES-256 with separate keys           | Offline key storage                     | NIST SP 800-57
Access Controls and Authentication
Only the right people can access your data, and they can only access what they need to do their job.
Zero Trust Architecture
A Zero Trust architecture is enforced, wherein access is granted based on the principle of least privilege and is subject to continuous verification.
Multi-Factor Authentication:
Required for all administrative access
Combines something you know (password) with something you have (phone/token)
Prevents unauthorised access even if passwords are compromised
Role-Based Access Control: Principle of least privilege.
Minimum Necessary Access: People only get access to what they need for their job
Regular Reviews: Access permissions are reviewed and updated regularly
Automated Deprovisioning: Access is automatically removed when people leave
Just-in-Time Access: Temporary elevated privileges.
Continuous Verification: Ongoing authentication and authorisation.
Privileged Access Management: Secure management of administrative access.
Special controls for high-risk administrative functions
Extra monitoring and approval for sensitive operations
Time-limited access for specific tasks
Network Security
Multiple layers of network protection ensure that threats are detected and stopped before they can reach your data.
Network Segmentation: Isolated network zones for different data types.
Sensitive systems are isolated from general networks.
Multiple security zones with different access requirements.
Prevents lateral movement if one system is compromised.
Web Application Firewall: Protection against common web attacks.
Filtering of malicious traffic before it reaches our systems.
Regular updates to protect against new threats.
DDoS Protection: Distributed denial of service mitigation.
Intrusion Detection: Real-time monitoring for suspicious activity.
VPN Access: Secure remote access for authorised personnel.
Regular Security Testing:
Vulnerability assessments every quarter.
Penetration testing by external security experts.
Continuous security architecture reviews.
System Monitoring and Logging
We know what's happening with your data at all times and can respond immediately to any threats.
Comprehensive Logging:
Every access to your data is logged and tracked.
Detailed records of who accessed what and when.
Tamper-proof logs that can't be altered.
Real-Time Monitoring:
24/7 Security Operations Centre (SOC) monitoring.
Automated alerts for suspicious activities.
Immediate response to potential threats.
Security Information and Event Management (SIEM):
Centralised analysis of all security logs.
Pattern recognition to detect sophisticated attacks.
Correlation of events across multiple systems.
Automated Threat Detection:
AI-powered threat detection systems.
Behavioral analytics to spot unusual activities.
Automatic response to certain types of threats.
Organisational Measures
Our organisational security measures ensure that people, processes, and policies work together to protect your data.
Security Governance
Security is a top priority at the highest levels of our organisation.
Governance Structure
Leadership Team:
Data Protection Officer (DPO): Oversees all privacy and data protection matters.
Chief Information Security Officer (CISO): Leads our security strategy and implementation.
Information Security Committee: Executive oversight of security decisions.
Regular Assessments:
Security risk assessments.
Management reviews of security posture.
Incident response team with defined roles.
Personnel Security
Everyone who might access your data is properly vetted, trained, and bound by strict security obligations.
Staff Security Measures
Background Checks:
All personnel with access to personal data undergo background verification.
Regular re-verification for sensitive roles.
Continuous monitoring for security clearance.
Training and Awareness:
Mandatory Security Training: All employees complete comprehensive security training.
Specialised Training: Extra training for personnel handling sensitive data.
Regular Updates: Ongoing training on new threats and best practices.
Security Culture: Building security awareness into everything we do.
Contractual Obligations:
Confidentiality agreements for all personnel.
Security obligations in employment contracts.
Clear consequences for security violations.
Vendor Management
We ensure that our partners maintain the same high security standards we do.
Due Diligence:
Comprehensive security assessments of all vendors.
Regular reviews of third-party security practices.
Contractual security requirements for all partners.
Ongoing Monitoring:
Regular security assessments of third-party services.
Audit rights to verify security compliance.
Incident notification and response coordination.
Physical Security
Your data is protected by physical security measures similar to those used by banks and government facilities.
Secure Data Centres:
Multi-layered physical access controls.
Biometric authentication for sensitive areas.
24/7 security monitoring and guards.
Environmental Controls:
Climate control and monitoring systems.
Fire suppression and detection systems.
Backup power and redundant systems.
Secure Disposal:
Certified destruction of hardware containing personal data.
Chain of custody documentation.
Verification of complete data destruction.
Office Security:
Clean desk and clear screen policies.
Secure storage for sensitive documents.
Visitor management and access controls.
Security Standards Compliance
We maintain certifications and compliance with leading security standards to demonstrate our commitment to data protection.
Standard/Certification | Scope                                  | Audit Frequency                              | Status
-----------------------|----------------------------------------|----------------------------------------------|----------
ISO 27001              | Information Security Management System | Annual surveillance, 3-year recertification  | Certified
SOC 2 Type II          | Security, Availability, Confidentiality| Annual audit                                 | Compliant
PCI DSS Level 1        | Payment Card Data Security             | Annual assessment                            | Compliant
Cyber Essentials Plus  | UK Government Cyber Security           | Annual certification                         | Certified
Data Breach Prevention and Response
We maintain comprehensive capabilities to prevent, detect, and respond to security incidents.
Prevention Measures
Data Loss Prevention (DLP):
Systems that prevent unauthorised data exfiltration.
Monitoring of data movement and access patterns.
Automatic blocking of suspicious data transfers.
Email and Endpoint Security:
Advanced email security gateways.
Anti-malware and endpoint protection.
Regular security updates and patches.
Security Awareness:
Training to prevent social engineering attacks.
Phishing simulation and education.
Incident reporting and response training.
Secure Development:
Security built into our development process.
Code review and security testing.
Regular security assessments of applications.
Detection Capabilities
24/7 Monitoring:
Security Operations Centre with round-the-clock monitoring.
Real-time threat detection and analysis.
Immediate response to security incidents.
Advanced Analytics:
User and Entity Behavior Analytics (UEBA).
Machine learning for threat detection.
Pattern recognition for sophisticated attacks.
Regular Testing:
Continuous vulnerability scanning.
Regular penetration testing.
Security assessment and improvement.
Response Procedures
Incident Response Plan:
Documented procedures for security incidents.
Defined escalation and communication procedures.
Regular testing and updates of response plans.
Rapid Response:
Immediate containment of security incidents.
Forensic investigation and evidence preservation.
Quick eradication of threats and recovery.
Communication:
Clear communication plans for stakeholders.
Regulatory notification procedures where required.
Transparent communication with affected users.
Continuous Security Improvement
Security is an ongoing process. We continuously assess, monitor, and improve our security posture.
Regular Assessments
Annual Penetration Testing:
External security experts test our defenses.
Comprehensive testing of all systems and applications.
Detailed reports and remediation plans.
Quarterly Vulnerability Assessments:
Regular scanning for security vulnerabilities.
Prompt remediation of identified issues.
Tracking and reporting of security metrics.
Security Architecture Reviews:
Regular review of security design and implementation.
Assessment of new technologies and services.
Continuous improvement of security controls.
Security Metrics and Monitoring
Key Performance Indicators (KPIs):
Security incident response times.
Vulnerability remediation timeframes.
Security training completion rates.
System availability and performance metrics.
Threat Intelligence:
Real-time monitoring of emerging threats.
Integration of threat intelligence into security controls.
Proactive defense against new attack methods.
Lessons Learned:
Analysis of security incidents and near-misses.
Integration of lessons learned into security practices.
Continuous improvement of security procedures.
Security Questions
Email: security@gogorilla.com
For: General security inquiries
Response: Within 24 hours
Security Incidents
Email: security@gogorilla.com
Phone: +44 (0) 20 XXXX XXXX
Response: Immediate
Security Questions
Email: privacy@gogorilla.com
For: General privacy inquiries, policy questions
Response: Within 48 hours
Security Incidents
Email: privacy@gogorilla.com
For: Data subject rights requests, privacy concerns
Your data's journey around the world should be as secure as its stay at home. We're committed to ensuring that international transfers enhance your experience while maintaining the highest levels of data protection.
Last Updated: January 2025
Version: 1.1