Infrastructure Security
Gray Ghost Data Consultants operates a cloud-native infrastructure designed for security, reliability, and scalability. This document outlines our infrastructure security controls.
Cloud Architecture
Platform Components
| Component | Provider | Purpose |
|---|---|---|
| Frontend Hosting | Vercel | Next.js application hosting |
| API Backend | Google Cloud Run | FastAPI services |
| Database | Supabase | PostgreSQL with built-in security |
| Authentication | Clerk | Identity and access management |
| CDN/WAF | Cloudflare | DDoS protection and caching |
| Email | Resend | Transactional email delivery |
Environment Separation
We maintain strict separation between environments:
Production → production.grayghostdata.com
Staging → staging.grayghostdata.com
Development → dev.grayghostdata.com (internal only)
- No production data in non-production environments
- Separate credentials and secrets per environment
- Network isolation between environments
- Promotion pipeline with security gates
Network Security
Perimeter Defense
- Web Application Firewall (WAF): Cloudflare WAF with OWASP ruleset
- DDoS Protection: Layer 3/4/7 DDoS mitigation via Cloudflare
- Rate Limiting: Application-level rate limiting (100 req/min per client)
- IP Allowlisting: Available for enterprise clients
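The rate-limiting bullet above gives a figure (100 req/min per client) but not the mechanism. The following is an added example, not code from Gray Ghost Data Consultants or its backend: a per-client token bucket that enforces that budget. Each client key owns a bucket of at most `limit` tokens refilled continuously at `limit/period` tokens per second, so a client may burst up to the full budget and is then held to the steady rate. The `client_id` key, the injectable clock and the Retry-After computation are assumptions for illustration.

```python
"""Per-client token-bucket rate limiter (added example, not the project's code).

Assumed: requests are keyed by a client_id string the API already knows
(API key or authenticated subject), and the limiter runs in-process.
"""
import math
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

LIMIT_PER_MINUTE = 100  # the figure quoted in the perimeter defense list


@dataclass
class _Bucket:
    tokens: float
    updated: float


@dataclass
class RateLimiter:
    limit: int = LIMIT_PER_MINUTE
    period: float = 60.0
    clock: Callable[[], float] = field(default=time.monotonic)  # injectable for tests
    _buckets: Dict[str, _Bucket] = field(default_factory=dict)

    def check(self, client_id: str) -> Tuple[bool, int]:
        """Consume one token for client_id.

        Returns (allowed, retry_after_seconds); retry_after is 0 when allowed.
        """
        now = self.clock()
        bucket = self._buckets.get(client_id)
        if bucket is None:
            bucket = _Bucket(tokens=float(self.limit), updated=now)
            self._buckets[client_id] = bucket
        else:
            # Refill proportionally to elapsed time, capped at the bucket size
            refill = (now - bucket.updated) * self.limit / self.period
            bucket.tokens = min(float(self.limit), bucket.tokens + refill)
            bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True, 0
        # Over budget: report how long until at least one token is available,
        # suitable for a Retry-After header alongside an HTTP 429 response
        wait = (1.0 - bucket.tokens) * self.period / self.limit
        return False, math.ceil(wait)


class FakeClock:
    """Manual clock so the demo below is deterministic (constructed for the example)."""

    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


def demo() -> Tuple[int, Tuple[bool, int], bool, int]:
    """Burst, refusal, per-client isolation, and refill after a wait."""
    clock = FakeClock()
    limiter = RateLimiter(clock=clock)
    # Burst of 120 requests at t=0: the first 100 pass, the remaining 20 are refused
    allowed_in_burst = sum(1 for _ in range(120) if limiter.check("client-a")[0])
    refused = limiter.check("client-a")             # (False, 1): ~0.6 s until the next token
    other_client_ok = limiter.check("client-b")[0]  # separate bucket, unaffected by client-a
    clock.t += 30.0                                  # half a period later: 50 tokens refilled
    allowed_after_wait = sum(1 for _ in range(60) if limiter.check("client-a")[0])
    return allowed_in_burst, refused, other_client_ok, allowed_after_wait


if __name__ == "__main__":
    print(demo())  # (100, (False, 1), True, 50)
```

The burst-then-steady-rate shape is the point of a token bucket: a client that has been idle can legitimately send 100 requests at once, while a client that has exhausted its budget gets a 429 with a usable Retry-After rather than being silently throttled. In a multi-instance deployment the buckets would have to live in shared storage rather than in the process.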
Traffic Encryption
- All external traffic encrypted via TLS 1.3
- HSTS enabled with 2-year max-age
- Certificate transparency logging
- Automated certificate renewal via Let's Encrypt
Internal Communication
- Service-to-service communication authenticated
- Internal APIs not exposed to public internet
- Webhook endpoints protected by shared secrets
- Database connections via encrypted tunnels
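The "webhook endpoints protected by shared secrets" bullet above names the control but not the check. The following is an added example, not code from Gray Ghost Data Consultants: a receiver that verifies an HMAC-SHA256 signature over the timestamp and raw body, compares it in constant time, and rejects stale deliveries so a captured request cannot be replayed. The header names `X-Webhook-Timestamp` and `X-Webhook-Signature`, the `"<timestamp>.<body>"` signing string and the 5-minute replay window are assumptions for illustration.

```python
"""Shared-secret webhook verification (added example, not the project's code).

Assumed scheme: the sender puts a Unix timestamp in X-Webhook-Timestamp and
hex(HMAC-SHA256(secret, "<timestamp>.<body>")) in X-Webhook-Signature.
"""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

MAX_SKEW_SECONDS = 300  # assumed replay window (5 minutes)


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature the sender attaches; also used below to construct sample input."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: Dict[str, str], body: bytes,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks presence, freshness, then the MAC.

    The timestamp is part of the signed string, so an attacker cannot take an
    old signature and pair it with a fresh timestamp.
    """
    now = int(time.time()) if now is None else now
    ts_raw = headers.get("X-Webhook-Timestamp")
    sig = headers.get("X-Webhook-Signature", "")
    if ts_raw is None or not sig:
        return False, "missing headers"
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign(secret, ts, body)
    # Constant-time comparison: a plain == would leak the position of the
    # first mismatching byte through timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


# Constructed sample delivery (placeholder secret, not a real one)
SECRET = b"whsec_example_placeholder"
BODY = b'{"event":"invoice.paid","id":"inv_123"}'
NOW = 1_700_000_000


def demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the three cases a receiver must handle."""
    good = {"X-Webhook-Timestamp": str(NOW),
            "X-Webhook-Signature": sign(SECRET, NOW, BODY)}
    old_ts = NOW - 3600
    replayed = {"X-Webhook-Timestamp": str(old_ts),
                "X-Webhook-Signature": sign(SECRET, old_ts, BODY)}
    return {
        "valid": verify(SECRET, good, BODY, now=NOW),
        "tampered": verify(SECRET, good, BODY.replace(b"inv_123", b"inv_999"), now=NOW),
        "replayed": verify(SECRET, replayed, BODY, now=NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Verify against the raw request bytes, before any JSON parsing; re-serialising a parsed body changes whitespace and key order and breaks the MAC. The secret itself belongs in the secrets manager described under Compute Security, not in configuration files.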
Compute Security
Container Security
- Minimal base images (distroless where possible)
- No root privileges in containers
- Read-only file systems
- Resource limits enforced (CPU, memory)
Cloud Run Configuration
```yaml
# Security settings applied to all services
securityContext:
  runAsNonRoot: true               # refuse to start if the image runs as UID 0
  readOnlyRootFilesystem: true     # writes only to explicitly mounted volumes
  allowPrivilegeEscalation: false  # no setuid/setgid gain beyond the parent process
```
Secrets Management
- Secrets stored in Google Cloud Secret Manager
- Runtime injection (never in code or images)
- Automated secret rotation where supported
- Access to secrets logged and auditable
Database Security
Supabase Configuration
- Row Level Security (RLS): Enforced on all tables
- Connection Pooling: PgBouncer for connection management
- SSL Required: All database connections require SSL
- IP Restrictions: Database accessible only from application services
Access Control
```sql
-- Enable RLS on the table first; policies have no effect until this is on
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
-- Example RLS policy (tenant isolation): rows are visible and writable only
-- when tenantid matches the tenantid claim in the caller's JWT
CREATE POLICY "tenant_isolation" ON clients
  FOR ALL
  USING (tenantid = (auth.jwt() ->> 'tenantid'))
  WITH CHECK (tenantid = (auth.jwt() ->> 'tenantid'));
```
The `->>` operator yields text, so cast the claim (for example `::uuid`) if `tenantid` is not a text column. Policies apply only to connections that present a user JWT; the Supabase `service_role` key bypasses RLS and must therefore never reach the browser or other client-side code.
Backup Strategy
| Type | Frequency | Retention | Location |
|---|---|---|---|
| Point-in-Time | Continuous | 7 days | Supabase |
| Daily Snapshot | Daily | 30 days | GCS (encrypted) |
| Weekly Archive | Weekly | 1 year | GCS (encrypted) |
Monitoring and Logging
Security Monitoring
- SIEM Integration: Centralized log aggregation
- Anomaly Detection: Automated alerting on suspicious patterns
- Audit Logging: All administrative actions logged
- Uptime Monitoring: 99.9% availability target
Log Retention
| Log Type | Retention | Storage |
|---|---|---|
| Application Logs | 30 days | Cloud Logging |
| Security Events | 1 year | SIEM |
| Audit Logs | 7 years | Archived storage |
| Access Logs | 90 days | Cloud Logging |
Alerting Thresholds
| Event | Threshold | Response |
|---|---|---|
| Auth Failures | >100/5min | Auto-block + alert |
| 5xx Errors | >10/min | Page on-call |
| Rate Limit Exceeded | >50/10min | Alert |
| SLA Breach | Any | Page on-call |
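The threshold table above reads as detection logic, so here it is as code. This is an added example, not the monitoring configuration Gray Ghost Data Consultants runs: a sliding-window engine that encodes the four rows as rules, counts authentication failures per source so the auto-block lands on the offending address, and is fed a constructed event stream including a slow-drip case that stays under the 100-per-5-minutes line. The event field names (`ts`, `event`, `source`), the sample addresses and the action labels are assumptions for illustration.

```python
"""Threshold alerting over a stream of security events (added example, not
the project's code). Rules mirror the alerting thresholds table; events are
dicts with ts (Unix seconds), event (type) and an optional source.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    event: str
    threshold: int            # fire when the count in the window exceeds this
    window_seconds: int
    action: str
    per_source: bool = False  # count per source (e.g. client IP) instead of globally


RULES = [
    Rule("auth_failure", 100, 300, "auto-block + alert", per_source=True),
    Rule("http_5xx", 10, 60, "page on-call"),
    Rule("rate_limit_exceeded", 50, 600, "alert"),
    Rule("sla_breach", 0, 1, "page on-call"),  # "Any": a single event fires
]


class ThresholdEngine:
    def __init__(self, rules: List[Rule] = RULES):
        self.rules = {r.event: r for r in rules}
        self.windows: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
        self.blocked: Set[str] = set()

    def ingest(self, event: dict) -> Optional[str]:
        """Feed one event; return the action to take, or None while under threshold.

        After a rule fires its window is cleared, so a sustained flood raises one
        action per threshold crossing rather than one per event.
        """
        rule = self.rules.get(event["event"])
        if rule is None:
            return None
        source = event.get("source", "*") if rule.per_source else "*"
        window = self.windows[(rule.event, source)]
        ts = event["ts"]
        window.append(ts)
        # Evict timestamps that have fallen out of the sliding window
        while window and ts - window[0] >= rule.window_seconds:
            window.popleft()
        if len(window) > rule.threshold:
            window.clear()
            if rule.action.startswith("auto-block"):
                self.blocked.add(source)
            return rule.action
        return None


def build_sample_events() -> List[dict]:
    """Constructed event stream covering each rule plus one under-threshold case."""
    base = 1_700_000_000
    events = []
    # 101 failed logins from one source in 101 seconds: crosses >100 in 5 min
    events += [{"ts": base + i, "event": "auth_failure", "source": "203.0.113.5"} for i in range(101)]
    # Slow drip: 101 failures from another source, one every 4 s (400 s span), never >100 in any 5 min
    events += [{"ts": base + 4 * i, "event": "auth_failure", "source": "198.51.100.9"} for i in range(101)]
    # 11 server errors inside one minute: crosses >10/min
    events += [{"ts": base + 1000 + i, "event": "http_5xx"} for i in range(11)]
    # A single SLA breach pages immediately
    events.append({"ts": base + 2000, "event": "sla_breach"})
    return sorted(events, key=lambda e: e["ts"])


def run(events: List[dict]) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return the (event, source, action) triples that fired and the blocked sources."""
    engine = ThresholdEngine()
    fired = []
    for e in events:
        action = engine.ingest(e)
        if action:
            fired.append((e["event"], e.get("source", "*"), action))
    return fired, sorted(engine.blocked)


if __name__ == "__main__":
    for item in run(build_sample_events())[0]:
        print(item)
```

The slow-drip source is the case worth noticing: 101 failures is above the threshold in total, but never more than 75 of them fall inside any 5-minute window, so the rule correctly stays quiet. Whether that pattern should be caught by a second, longer-window rule is a tuning decision the table does not settle.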
Vulnerability Management
Scanning Schedule
- Container Images: Scanned on every build
- Dependencies: Daily dependency vulnerability scan
- Infrastructure: Weekly infrastructure scanning
- Penetration Testing: Annual third-party assessment
Patch Management
| Priority | SLA | Description |
|---|---|---|
| Critical | 24 hours | Actively exploited vulnerabilities |
| High | 7 days | High CVSS, no known exploit |
| Medium | 30 days | Moderate risk vulnerabilities |
| Low | 90 days | Low risk, scheduled maintenance |
Disaster Recovery
Recovery Objectives
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 1 hour
Failover Capabilities
- Multi-region database replicas (standby)
- Automated failover for compute services
- DNS failover for regional outages
- Regular DR testing (quarterly)
Compliance Certifications
Our infrastructure providers maintain:
| Provider | Certifications |
|---|---|
| Google Cloud | SOC 1/2/3, ISO 27001, PCI DSS |
| Supabase | SOC 2 Type II |
| Vercel | SOC 2 Type II |
| Cloudflare | SOC 2 Type II, ISO 27001 |