Security
Security is a core concern for everything we ship. Each product has its own security model documented on its product page; this page summarizes the principles that hold across the catalog.
Core principles
- Local-first by default. Where a product can run on your machine instead of ours, it does. Canopy is the canonical example — your code never leaves your environment.
- Minimal data collection. Products collect what they need to function and nothing more. Per-product detail lives in each product's privacy and security pages.
- Encryption in transit. All public endpoints are served over HTTPS with HSTS preload. No mixed content, no plaintext APIs.
- Responsible disclosure. If you find a security issue, we want to hear about it before anyone else does.
Per-product details
- Canopy security page — data handling, license heartbeat details, threat model.
Reporting a vulnerability
Email privacy@gulfshieldtech.com with details of the issue. We aim to acknowledge within two business days. Please don't disclose publicly until we've had a chance to investigate and ship a fix.