How we protect your data and our platform
Encryption in transit: TLS 1.3 on all connections
Encryption at rest: AES-256 for all stored data
Password storage: bcrypt with salting
Galcios is hosted on Vercel's global edge network with data centers compliant with SOC 2 Type II standards. Our database uses managed PostgreSQL with automated backups every 6 hours and point-in-time recovery. All API keys and secrets are stored in encrypted environment variables and never exposed in client-side code.
User passwords are hashed using bcrypt with a cost factor of 12. We support email/password and Google OAuth authentication. Session tokens are short-lived (24 hours) and invalidated on logout. We implement rate limiting on login endpoints to prevent brute-force attacks.
Each user account is logically isolated. API requests are authenticated and scoped to the requesting user's account. Shared data (product analyses, customs rates) is read-only and contains no personal information. We follow the principle of least privilege for all internal services.
We use Stripe (PCI DSS Level 1 certified) for payment processing — we never store card numbers. AI analysis is performed via Alibaba Cloud's Qwen API over encrypted connections. Bright Data web scraping uses only publicly available supplier information.
If you discover a security vulnerability in Galcios, please report it responsibly to security@galcios.com. We ask that you give us 30 days to investigate and remediate before public disclosure. We do not pursue legal action against good-faith security researchers.
In the event of a data breach affecting personal information, we will notify affected users within 72 hours of discovery via email, as required under applicable data protection laws. We maintain an incident response plan reviewed quarterly.
Email: security@galcios.com
For urgent incidents, include "URGENT" in the subject line.