Our security principles
- Encrypt by default. Every byte in transit and at rest is encrypted.
- Redact at capture. PII detection runs before screenshots are persisted, so secrets don't hit our disks in the first place.
- Least privilege. Only the engineers who need access get it, and only for as long as they need it.
- Defense in depth. No single control should be load-bearing. We assume any layer can fail.
Infrastructure
Guidyy runs on managed cloud providers in the US. Application services run in isolated, hardened containers. Object storage (Cloudflare R2) and our managed Postgres are scoped to per-environment credentials — production and staging never share data planes. All inbound traffic is fronted by TLS 1.2+ with modern cipher suites and HSTS preload.
Data protection
- In transit: TLS 1.2+ and HSTS.
- At rest: AES-256 on storage providers. Backups encrypted with separate keys.
- PII auto-blur: when Smart Redact is enabled, recordings can be processed for emails, phone numbers, credit-card-shaped strings, and other sensitive text before they're stored.
- DOM sanitization: rrweb recordings are sanitized for replay safety, and password fields are masked.
- Share links are unguessable 128-bit tokens that you can revoke anytime.
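As an added illustration of the redact-at-capture idea above (example code, not Guidyy's Smart Redact implementation), here is a Python pass that scrubs emails, phone numbers, and Luhn-valid credit-card-shaped strings from captured text before anything is written to a store. The patterns, function names, and sample text are this example's own constructed assumptions.

```python
import re

# Constructed patterns for this example; a production redactor would carry a
# wider, tested set. Credit-card candidates are confirmed with a Luhn check so
# that order numbers and other long digit runs are not blurred by mistake.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")
# 13 to 19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_card(match: re.Match) -> str:
    digits = re.sub(r"\D", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "[CARD]"
    return match.group(0)   # not a real card number; leave it alone


def redact(text: str) -> str:
    """Replace PII with placeholders. Cards run before phones so a phone
    pattern never consumes a slice of a longer card number."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = CARD_RE.sub(_redact_card, text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


def persist_event(event: dict, store: list) -> dict:
    """Redact first, then persist: the raw text never reaches the store."""
    clean = {**event, "text": redact(event["text"])}
    store.append(clean)
    return clean


# Constructed sample capture (the card number is a well-known test value).
SAMPLE = ("Contact jane.doe@example.com or call (415) 555-0142; "
          "card 4111 1111 1111 1111 exp 12/29; order 1234567890123")

if __name__ == "__main__":
    store = []
    print(persist_event({"id": 1, "text": SAMPLE}, store)["text"])
```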
Access control
Engineer access to production is gated by SSO with hardware-backed MFA and short-lived credentials. Every production action is logged. We don't look at customer guides except as needed to investigate a specific support ticket you've filed, an abuse report, or a security incident — and only with dual-control approval.
Monitoring & incident response
We collect distributed traces and structured logs across the request path. An on-call engineer is paged on error-rate, latency, and security alerts 24/7. If an incident affects your data, we'll notify affected users within 72 hours of confirmation with what we know, what we're doing, and what you should do.
Sub-processors
We list every vendor that processes customer data on our Privacy page. When we add or remove one, we update that list before the change takes effect.
Responsible disclosure
Please give us a reasonable window to fix issues before public disclosure, and don't access other users' data or degrade the service while testing. Good-faith research won't result in legal action from us.
Compliance roadmap
We're a small team. Today we operate to SOC 2-aligned controls and are working toward formal SOC 2 Type II attestation. We're also building out a public status page and a customer-trust portal where enterprise customers can request our security questionnaire, DPA, and sub-processor list directly. If you're evaluating us for an enterprise rollout and need any of that today, email amit63390@gmail.com and we'll move quickly.
Got a question? Talk to a human.
Legal text can be heavy. If anything here is unclear or you want a copy of your data, drop us a line and we'll reply within two business days.