Security & Data Management

Gattaca Tech Security and Data Management Policy

Effective Date: May 5, 2024


1. Purpose 

The purpose of this policy is to ensure that Gattaca Tech data and information systems are properly classified, protected, retained and securely disposed of based on their sensitivity and importance to the company. It is the responsibility of every team member to uphold these principles and practices in their daily work. We are committed to protecting the confidentiality, integrity, and availability of our data and systems, and to maintaining the trust of our users and customers.


2. Scope

This policy applies to all employees, contractors, partners, and anyone else granted access to our systems and data. It covers all information, systems and devices that are owned or leased by Gattaca Tech Inc.

3. Security Principles

- Security is the responsibility of every team member. We must treat security as our top priority daily, not just during onboarding or when releasing a new product.

- We take ownership of security, looking out for risks, reminding each other, setting an example, and responding swiftly to issues.

- We take every security complaint seriously whether from users, bug reports, or other channels.

- Security policies apply equally to all employees. No exceptions.


4. Data Classification

4.1 Data and information systems are classified into three categories: 

- Confidential: Highly sensitive data requiring the highest level of protection. Includes customer PII, financial data, authentication credentials, source code, etc. Access restricted to authorized personnel only.

- Internal Use: Proprietary company information requiring protection. Includes policies, contracts, internal communications. Access based on business need-to-know. 

- Public: Information intended for public release, such as marketing materials and product documentation. No special protection required.

4.2 Data owners are responsible for classifying their data and specifying any additional handling requirements.


4.3 Information systems are classified according to the highest level of data they store or process.


5. Data Handling


5.1 Gattaca Tech utilizes AWS and GCP for data storage and processing. All data is encrypted at rest and in transit. Encryption keys are managed solely by the CTO, with regular key rotation practices in place. No vendors or contractors have access to systems containing confidential or customer data. 


5.2 Access to sensitive systems and data is strictly controlled through specific user roles. Even the CEO does not have full access to all sensitive information. The CTO is the only individual with the highest level of access.


5.3 All new hires undergo mandatory security onboarding and training. Two-factor authentication is required for all employees across all systems.


5.4 In the event of a security incident, Gattaca Tech has a standard procedure for alerts, handling, and retrospective analysis. To date, there have been no known incidents, breaches, or vulnerabilities.


5.5 Confidential data must be encrypted at rest and in transit, and access is restricted to authorized personnel. It cannot be stored on personal devices or removable media. Paper records must be clearly labeled and securely stored and disposed of. Transfer to external parties requires management approval and contracts.


5.6 Internal Use data access is based on business need. It cannot be transferred externally without approval. Paper records and devices must be securely stored and wiped/destroyed before disposal.


5.7 No special handling is required for Public data.


6. Data Privacy 

- We treat user data with the utmost respect and confidentiality.

- User data must never be shared in team channels or externally.

- We do not and will not serve ads. We will not use user data for anything other than serving our users. 

- We must respect and follow the access roles granted to us for each system.

- We do not share user data with any external entity or vendor unless explicitly approved by founders and critically needed for a business function.

7. Monitoring and Awareness

- We closely monitor security reports and complaints from all sources including users, social media, bug bounties, internal investigations and polish sprints. All issues are acted upon and taken seriously.

- Security training is mandatory for new teammates. Since security is P0 and we own it end to end, we continually cover best practices and reminders (e.g. enabling 2FA) through written policies, examples, all-hands meetings, and team huddles.

- We maintain strong security awareness by over-communicating policies, speaking up about issues, and reinforcing secure practices.


8. Physical Security

- All physical assets including laptops, mobile devices, access cards, and documents must be protected from unauthorized access or theft at all times. Report any misplaced assets to founders@gattacatech.com or message us in Slack. As with all security matters, we over-communicate on these things clearly and fast.

- Workstations must be locked when unattended.


9. Secure Development

- Our services are designed and developed using secure methodologies. We have experience building services and applications that were used by tens of millions of users. We use proven services (e.g. Firebase), think about risks ahead of time (pre-mortems), and do extensive QA across a number of different setups. 

- We have separate development and production environments. All code that goes to production has been tested and iterated on, with full QA runs and PR reviews.

- Source code is managed securely following best practices. 


10. Data Retention and Disposal

10.1 Data will only be retained while there is a valid business, regulatory or contractual requirement. Data owners will set retention periods, with personal data deleted as soon as no longer needed.

10.2 Confidential and Internal Use data must be securely deleted when no longer required. Paper records will be shredded. Devices will be securely wiped prior to disposal or reuse.

10.3 Third-party vendors storing or processing company data must have adequate data disposal practices.

10.4 Data subject to legal holds is retained as required by the Legal department.


11. Compliance 


Compliance with this policy will be verified through various methods, including audits and business tool reports.


12. Exceptions

Exceptions to this policy must be approved by our Chief Technology Officer.


13. Violations

Violations should be reported to the Chief Technology Officer. Violations may result in disciplinary action up to and including termination of employment.


14. Review 

This policy will be reviewed bi-annually and updated as needed.







Gattaca Tech, Inc. Privacy Policy

Effective Date: May 5, 2024


This Privacy Policy describes how Gattaca Tech, Inc. ("Company," "we," or "us") collects, uses, and shares information about you when you access or use our website located at https://gattacatech.com/ (the "Site") or use our services (collectively, the "Services"). Please review this Privacy Policy carefully. By using our Services, you agree to the terms of this Privacy Policy.


Information We Collect

We collect information you provide directly to us, such as when you create an account, update your profile, or contact us for support. This information may include your name, email address, phone number, and any other information you choose to provide.

When you access or use our Services, we automatically collect certain information about your device and usage. This includes:

- Log Information: We collect information about your use of the Services, such as IP address, browser type, access times, pages viewed, and referring website.  

- Device Information: We collect information about the device you use to access our Services, such as hardware model, operating system and version, and unique device identifiers.

- Location Information: We may collect information about the location of your device each time you access or use our Services.


Use of Information

We use the information we collect to provide, maintain, and improve our Services, to develop new services, and to protect our Company and our users. We also use the information to:

- Personalize your experience and deliver content and product features relevant to your interests.

- Send you technical notices, updates, security alerts, and support and administrative messages.

- Communicate with you about products, services, promotions, and events, and provide other news and information we think will be of interest to you.

- Monitor and analyze trends, usage, and activities in connection with our Services.


Sharing of Information

We do not share, sell, or otherwise disclose your personal information for purposes other than those outlined in this Privacy Policy. We may share your information with:

- Service providers and vendors who perform services for us.

- Law enforcement, government authorities, or other third parties when we believe necessary to comply with law or to protect our rights and the rights of others.

- Other parties in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition of all or a portion of our business by another company.


Security

The security of your information is important to us. We take reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction.


Data Retention 

We store the information we collect about you for as long as is necessary for the purpose(s) for which we collected it or for other legitimate business purposes, including to meet our legal, regulatory, or other compliance obligations. 


Your Choices

You may update, correct or delete information about you at any time by emailing us at founders@gattacatech.com. You may opt out of marketing communications from us by following the instructions in those communications. 


Children's Privacy

We do not knowingly collect or solicit any information from anyone under the age of 13 on this Site. In the event that we learn that we have inadvertently collected personal information from a child under age 13, we will delete that information as quickly as possible.  If you believe that we might have any information from a child under 13, please contact us at founders@gattacatech.com.


Contact Us

If you have any questions about this Privacy Policy, please contact us at:


Gattaca Tech, Inc.  

36 Cooper Square, Floor 6

New York, New York 10003

Email: founders@gattacatech.com


Changes to Our Privacy Policy

We may modify or update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal or regulatory reasons. If we make material changes to this Privacy Policy, we will notify you by email or by posting the revised Privacy Policy on our Site. Your continued use of our Services after any modification to this Privacy Policy will constitute your acceptance of such modification.

founders@trygattaca.com

36 Cooper Sq, Floor 6

New York, NY, 10003

Backed by

South Park Commons

© 2024 All rights reserved.
