Standard Security Questionnaire

Last updated: 2026-01-13

Standard Security Questionnaire Responses

This document provides answers to common security questionnaire questions. For specific questionnaire formats or additional questions, contact security@grayghostdata.com.

Company Information

Question               | Response
-----------------------|------------------------------------------
Company Legal Name     | Gray Ghost Data Consultants, LLC
Headquarters Location  | United States
Year Established       | 2024
Number of Employees    | 10-50
Primary Business       | Managed Security Services Provider (MSSP)

Security Program

Do you have a formal information security program?

Yes. We maintain a comprehensive information security program based on industry frameworks including NIST CSF and CIS Controls. Our program includes:

  • Documented security policies and procedures
  • Executive-level security governance
  • Dedicated security personnel
  • Regular security assessments and audits
  • Security awareness training for all employees

Do you have a Chief Information Security Officer (CISO) or equivalent?

Yes. Security is overseen at the executive level with dedicated security leadership responsible for:

  • Security strategy and program management
  • Risk assessment and mitigation
  • Incident response coordination
  • Compliance and audit management

Do you maintain security certifications?

In Progress. We are pursuing SOC 2 Type II certification with an expected completion date in Q4 2026. Our infrastructure providers (Supabase, Google Cloud, Vercel) maintain SOC 2 Type II certifications.

Data Protection

Where is customer data stored?

Customer data is stored in the United States using Supabase (PostgreSQL) hosted on AWS infrastructure. Data residency is limited to US data centers.

Is customer data encrypted?

Yes.

  • Data at rest: AES-256 encryption
  • Data in transit: TLS 1.3
  • Backups: AES-256 encryption

Do you share customer data with third parties?

We use sub-processors for service delivery. All sub-processors are bound by Data Processing Agreements. See our Data Protection page for the full list.

What is your data retention policy?

Customer data is retained for the duration of the service agreement plus 30 days. Upon contract termination, data can be exported and then deleted upon request.

Access Control

Do you require multi-factor authentication?

Yes. MFA is required for:

  • All employee access to internal systems
  • Administrative access to production systems
  • Customer portal access (optional but recommended)

How do you manage access to customer data?

  • Role-based access control (RBAC)
  • Least privilege principle enforced
  • Quarterly access reviews
  • Automated deprovisioning upon termination
  • Row-level security at database level for tenant isolation

Do you have a formal onboarding/offboarding process?

Yes. Our HR and IT teams follow documented procedures for:

  • Background checks for new hires
  • Security training before system access
  • Access provisioning based on role
  • Immediate access revocation upon termination
  • Equipment return and data wipe procedures

Network Security

Do you use firewalls and intrusion detection?

Yes.

  • Web Application Firewall (WAF) via Cloudflare
  • DDoS protection at network and application layers
  • Network segmentation between environments
  • Intrusion detection via security monitoring

Do you perform vulnerability scanning?

Yes.

  • Weekly automated vulnerability scans
  • Container image scanning on every build
  • Dependency vulnerability scanning daily
  • Annual third-party penetration testing

Do you have a patch management process?

Yes. Patches are applied based on severity:

  • Critical: Within 24 hours
  • High: Within 7 days
  • Medium: Within 30 days
  • Low: Within 90 days

Incident Response

Do you have an incident response plan?

Yes. Our incident response plan includes:

  • Detection and alerting procedures
  • Escalation paths and responsibilities
  • Containment and eradication steps
  • Communication templates for stakeholders
  • Post-incident review process

Will you notify us of security incidents?

Yes. Customers are notified of security incidents affecting their data within 72 hours of confirmation. See our Notification Process for details.

Business Continuity

Do you have a business continuity plan?

Yes. Our business continuity program includes:

  • Disaster recovery procedures
  • Backup and restoration testing
  • Alternative work arrangements
  • Communication plans

What are your recovery objectives?

  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour

How often do you test your DR plan?

Disaster recovery procedures are tested quarterly, with a full DR exercise conducted annually.

Compliance

Do you support GDPR compliance?

Yes. We support GDPR compliance through:

  • Data Processing Agreements
  • Data subject rights support (access, deletion, portability)
  • Breach notification procedures
  • Sub-processor documentation

Do you support CCPA compliance?

Yes. We support CCPA compliance through:

  • Data inventory and mapping
  • Consumer rights request handling
  • Opt-out mechanisms where applicable

Additional Resources

Contact

For additional security questions or to request a custom questionnaire response:

Email: security@grayghostdata.com
Response Time: Within 2 business days