Enterprise-grade security for your AI conversations
Your conversations and knowledge base deserve serious protection. Goldilocks is built with security at its core—not bolted on as an afterthought.
Certifications & Compliance
Independently verified
SOC2 Type 1
Independent audit of security controls covering confidentiality, availability, and processing integrity.
GDPR
Built for global privacy requirements with data subject rights, consent management, and cross-border transfer protections.
CCPA
California privacy compliance with data access, deletion, and opt-out capabilities.
Security Practices
How we protect your data
Data Protection
Encryption in Transit
All data transmitted over TLS 1.3. No unencrypted connections accepted.
Encryption at Rest
All stored data encrypted using AES-256. Encryption keys managed through Cloud KMS.
Data Isolation
Complete tenant isolation at the database level. Your data is never mixed with other accounts.
Secure Deletion
When you delete data or close your account, it's permanently removed from all systems.
Infrastructure Security
Cloud Infrastructure
Hosted on Google Cloud Platform with enterprise-grade security, redundancy, and availability.
Network Security
Private networking, firewall rules, and DDoS protection. No public database access.
Automated Backups
Daily encrypted backups with point-in-time recovery. Stored in separate geographic regions.
Monitoring & Alerting
24/7 infrastructure monitoring with automated alerting for security and performance issues.
Access Control
Role-Based Access
Granular permissions system. Team members only see what they need to see.
Audit Logging
Comprehensive logs of all access and changes. Available for compliance reviews.
Two-Factor Authentication
Available for all accounts. Enforce 2FA for your entire team.
Session Management
Automatic session timeouts and the ability to revoke sessions remotely.
AI & Data Practices
No Model Training
We never use your data to train AI models. Your content stays yours.
Grounded Responses
AI only responds using your documentation. No hallucinations or made-up answers.
Source Attribution
Every AI response can be traced back to specific sources in your knowledge base.
Human Oversight
Full conversation visibility. Review, export, or delete any conversation.
Security FAQ
Common questions
Where is my data stored?
All data is stored on Google Cloud Platform in US data centers. For EU customers with specific data residency requirements, contact us to discuss options.
Do you train AI models on my data?
No. We never use your knowledge base content, conversations, or any data to train AI models. Your data is only used to power your own Goldilocks instance.
Who can access my data?
Your data is accessible only to your team members with appropriate permissions. Goldilocks employees can access data only for support purposes when you explicitly request help, and all access is logged.
What happens when I delete data?
Deleted data is permanently removed from all active systems immediately. Backups containing deleted data are purged within 30 days.
How do you handle security incidents?
We have a documented incident response plan. In the event of a security incident affecting your data, you would be notified within 72 hours with details and remediation steps.
Can I get a copy of your SOC2 report?
Yes. Users on Growth and Scale plans can request a copy of our SOC2 Type 1 report by contacting support.
Do you offer a DPA (Data Processing Agreement)?
Yes. We provide a GDPR-compliant DPA for all customers. Contact support to execute one for your organization.
What subprocessors do you use?
We use a minimal set of vetted subprocessors: Google Cloud Platform (infrastructure), OpenAI (AI processing), and Stripe (payments). A complete list is available on request.
Questions about security?
Our security team is happy to discuss your requirements, answer questions about our practices, or provide documentation for your compliance needs.