Data Protection
Gray Ghost Data Consultants implements comprehensive data protection measures to ensure the confidentiality, integrity, and availability of client information throughout its lifecycle.
Data Classification
We classify data into categories to apply appropriate protections:
| Classification | Description | Examples |
|---|---|---|
| Public | Information intended for public release | Marketing materials, public documentation |
| Internal | Business information for internal use | Policies, procedures, general business data |
| Confidential | Sensitive business or client data | Client lists, contracts, financial data |
| Restricted | Highly sensitive data requiring strict controls | PII, credentials, security configurations |
Data Handling Practices
Data Collection
- We collect only data necessary for service delivery
- Collection purposes are documented and communicated
- Consent is obtained where required by law
Data Storage
- All client data stored in Supabase (PostgreSQL) with encryption at rest
- Database encryption uses AES-256
- Backups encrypted and stored in geographically separate locations
- Data residency: United States (US-based data centers)
Data Transmission
- All data in transit encrypted using TLS 1.3
- Certificate pinning for mobile applications
- API communications over HTTPS only
- Internal service communication via encrypted channels
Data Retention
- Data retained only as long as necessary for business purposes
- Retention periods documented per data type
- Automated deletion workflows for expired data
- Client data deleted within 30 days of contract termination upon request
Encryption Standards
| Data State | Encryption Standard | Key Management |
|---|---|---|
| At Rest | AES-256 | Supabase managed keys |
| In Transit | TLS 1.3 | Automated certificate management |
| Backups | AES-256 | Separate backup encryption keys |
| Credentials | Argon2id hashing | N/A (one-way hash) |
Access Controls
Database Access
- Production database access restricted to service accounts
- No direct developer access to production data
- Read replicas used for analytics (no PII)
- Query logging enabled for audit trails
Application Access
- Row-Level Security (RLS) enforced at database level
- Tenant isolation prevents cross-tenant data access
- API endpoints authenticated via Clerk JWT tokens
- Rate limiting prevents bulk data extraction
Administrative Access
- Admin access requires MFA and VPN
- Privileged access reviewed quarterly
- Just-in-time access for emergency situations
- All admin actions logged and auditable
Data Processing Agreements
We maintain Data Processing Agreements (DPAs) with:
- All sub-processors handling client data
- Cloud infrastructure providers (Supabase, Vercel, Google Cloud)
- Third-party service integrations
Sub-Processors
| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase | Database hosting | All client data |
| Vercel | Frontend hosting | Session data, logs |
| Google Cloud | Infrastructure | Backup storage |
| Clerk | Authentication | User identities |
| Resend | Email delivery | Email addresses, notifications |
Data Subject Rights
We support data subject rights including:
- Right to Access: Request a copy of your data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Request deletion of your data
- Right to Portability: Export your data in standard formats
- Right to Object: Opt out of certain data processing
To exercise these rights, contact: privacy@grayghostdata.com
Breach Notification
In the event of a data breach:
- Detection: Automated monitoring and alerting
- Assessment: Scope and impact evaluation within 24 hours
- Containment: Immediate action to prevent further exposure
- Notification: Affected parties notified within 72 hours
- Remediation: Root cause analysis and preventive measures
See our Incident Response Policy for full details.
Data Protection Contacts
Data Protection Officer: dpo@grayghostdata.com
Privacy Inquiries: privacy@grayghostdata.com
Security Team: security@grayghostdata.com