Enterprise-grade security for your AI conversations
Your conversations and knowledge base deserve serious protection. Goldilocks is built with security at its core - not bolted on as an afterthought.
Certifications & Compliance
Standards we follow
Enterprise-grade security
Security controls covering confidentiality, availability, and processing integrity, aligned with industry standards.
GDPR
Built for global privacy requirements with data subject rights, consent management, and cross-border transfer protections.
CCPA
California privacy compliance with data access, deletion, and opt-out capabilities.
Security Practices
How we protect your data
Data Protection
Encryption in Transit
All data transmitted over TLS (1.2 and above). No unencrypted connections accepted.
Encryption at Rest
All stored data encrypted using AES-256. GCP-managed encryption for database and storage.
Data Isolation
Complete tenant isolation at the database level. Your data is never mixed with other accounts.
Secure Deletion
When you delete data or close your account, it's permanently removed from active systems.
Infrastructure Security
Cloud Infrastructure
Hosted on Google Cloud Platform with enterprise-grade security, redundancy, and availability.
Network Security
Private networking, firewall rules, and DDoS protection. No public database access.
Automated Backups
Daily encrypted backups with point-in-time recovery.
Monitoring & Alerting
24/7 infrastructure monitoring with automated alerting for security and performance issues.
Access Control
Role-Based Access
Granular permissions system. Team members only see what they need to see.
Audit Logging
Comprehensive logs of all access and changes.
Two-Factor Authentication
Available for all accounts. Enforce 2FA for your entire team.
Session Management
Automatic session timeouts. Removed team members lose access immediately.
AI & Data Practices
No Model Training
We never use your data to train AI models. Your content stays yours.
Grounded Responses
AI responses are grounded in your documentation to minimise inaccuracies.
Source Attribution
Every AI response can be traced back to specific sources in your knowledge base.
Human Oversight
Full conversation visibility. Review, export, or delete any conversation.
Security FAQ
Common questions
Where is my data stored?
All data is stored on Google Cloud Platform. Our primary production environment uses US regions (e.g. us-central1).
Do you train AI models on my data?
No. We never use your knowledge base content, conversations, or any data to train AI models. Your data is only used to power your own Goldilocks instance.
Who can access my data?
Your data is accessible only to your team members with appropriate permissions. Goldilocks employees can access data only for support purposes when you explicitly request help, and all access is logged.
What happens when I delete data?
Deleted data is permanently removed from active systems. Backup retention varies; automated database backups are retained for 7 days.
How do you handle security incidents?
We have a documented incident response plan. In the event of a security incident affecting your data, affected customers are notified in accordance with applicable law (e.g. within 72 hours where required under GDPR).
What subprocessors do you use?
We use Google Cloud Platform (infrastructure and OAuth), OpenAI (AI processing), Stripe (payments), and Mailgun (transactional email). See our Privacy Policy for the full list and locations.
Questions about security?
Our security team is happy to answer questions about our practices.