
Security

Last reviewed: 19 April 2026

Gamyata is built to be safely run by accessibility, compliance, and development teams in regulated environments. This page summarises our defence-in-depth controls and our vulnerability-disclosure policy, and provides the reporting channel for security researchers.

At a glance: acknowledgement within 72 hours; critical fixes within 7 days; coordinated disclosure; safe harbour for good-faith research.

Defence-in-Depth Controls

  • Encryption in transit. TLS 1.2+ for all external traffic; HSTS on customer-facing endpoints; HTTP/2 + SNI.
  • Encryption at rest. AES-256 for object storage and managed databases, with keys managed in AWS KMS; per-tenant key separation is on the roadmap for after GA.
  • Identity & access. SSO via Logto; role-based authorisation; MFA enforced for administrators; just-in-time access for production with audit log.
  • Network isolation. VPC isolation; no public database endpoints; WAF on customer-facing surfaces.
  • SSRF defence. URL ingestion validates fetch targets against a deny-list (loopback, link-local, RFC 1918 and cloud metadata addresses), does not follow redirects, and guards against DNS rebinding.
  • Logging & PII scrubbing. Centralised structured logs in VictoriaLogs; Sentry events scrubbed at ingest before any third-party transmission.
  • Vulnerability management. Dependabot + container image scans on every build; quarterly third-party penetration tests planned post-GA; critical CVEs patched within 7 days.
  • Personnel. Confidentiality agreements; least-privilege access; background screening for production-access roles; annual security training.
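The SSRF control above combines three ideas that are easy to get wrong in isolation: the deny-list must be applied to the addresses a hostname actually resolves to (not to the hostname string, which defeats decimal, octal and DNS-alias tricks), every resolved address must pass (a rebinding host answers with one public and one private address), and the connection must be pinned to the validated address rather than re-resolved by the HTTP client. The following is an added example in Python written for this page; it is not Gamyata's code. It goes slightly beyond the bullet by also covering the IPv6 equivalents (loopback, link-local, ULA) and IPv4-mapped IPv6 addresses, which a deny-list needs to include, and it shows redirects handled by re-validating each hop, whereas the page states that ingestion simply does not follow them. `FAKE_DNS` and `hops` are constructed test fixtures, not real resolution data.

```python
"""SSRF-safe URL validation: deny-list on resolved addresses, pinned IP, re-validated redirects.

Added illustration for this page; not the project's implementation.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Deny-list of networks a server-side fetcher must never reach.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",        # link-local; includes the 169.254.169.254 metadata endpoint
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 3


class SSRFBlocked(ValueError):
    """Raised when a URL or redirect target fails validation."""


def is_denied_ip(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.5) as the IPv4 address it wraps.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in DENIED_NETWORKS)


def system_resolver(host: str) -> list[str]:
    """Return every A/AAAA answer from the OS resolver (assumed default resolver)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _resolve(host: str, resolver) -> list[str]:
    try:
        return [str(ipaddress.ip_address(host))]   # literal IP: no lookup needed
    except ValueError:
        return resolver(host)


def validate_url(url: str, resolver=system_resolver) -> dict:
    """Validate a fetch target and return a connection plan pinned to one checked address."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise SSRFBlocked("missing host or embedded credentials")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise SSRFBlocked(f"invalid port: {exc}") from exc
    try:
        addrs = _resolve(parts.hostname, resolver)
    except OSError as exc:
        raise SSRFBlocked(f"resolution failed: {exc}") from exc
    if not addrs:
        raise SSRFBlocked("no addresses")
    # Every answer must be allowed: a mixed public/private answer set is how rebinding hides.
    for addr in addrs:
        if is_denied_ip(addr):
            raise SSRFBlocked(f"{parts.hostname} resolves to denied address {addr}")
    # The caller connects to connect_ip and sends parts.hostname as the Host/SNI value,
    # so a second lookup by the HTTP client cannot be rebound to a private address.
    return {"url": url, "host": parts.hostname, "port": port, "connect_ip": addrs[0]}


def follow_redirects(url: str, location_of, resolver=system_resolver) -> dict:
    """Re-validate each hop. `location_of(plan)` performs the request and returns the
    Location header or None; the redirect target is validated before it is ever fetched."""
    plan = validate_url(url, resolver)
    for _ in range(MAX_REDIRECTS):
        location = location_of(plan)
        if location is None:
            return plan
        plan = validate_url(urljoin(plan["url"], location), resolver)
    raise SSRFBlocked("too many redirects")


def block_reason(fn, *args):
    """Run a validation call; return the block reason, or None if it was allowed."""
    try:
        fn(*args)
        return None
    except SSRFBlocked as exc:
        return str(exc)


# Constructed fixtures (not real DNS data) so the module runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],   # rebinding-style answer
    "metadata.google.internal": ["169.254.169.254"],
}


def fake_resolver(host: str) -> list[str]:
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise OSError("NXDOMAIN")


def hops(*locations):
    """Stand-in for the request step: hands back the scripted Location headers in order."""
    it = iter(locations)
    return lambda plan: next(it, None)


if __name__ == "__main__":
    print(validate_url("https://example.com/page", fake_resolver))
    print(block_reason(validate_url, "http://rebind.attacker.test/", fake_resolver))
    print(block_reason(follow_redirects, "https://example.com/a",
                       hops("http://127.0.0.1:8080/admin"), fake_resolver))
```

The deny-list alone is not the control; checking every resolved address and pinning the connection to the checked one are what close the rebinding window, and re-validating each redirect target is what stops a public host from bouncing the fetcher onto 169.254.169.254.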

Sub-Processors

Gamyata engages a small set of audited sub-processors. The current list is at /dpa; we give a minimum of 30 days' notice before adding or replacing any of them.

Vulnerability Disclosure

We follow coordinated disclosure and offer safe harbour to good-faith researchers. Our policy covers supported versions, the response SLA, what is in and out of scope, and reporting channels. To report a vulnerability, email security@gamyata.com; we will acknowledge within 72 hours.

Reporting checklist

  • A description of the issue and its real-world impact.
  • Steps to reproduce or a proof-of-concept (HTTP request, payload).
  • The Gamyata URL, environment, and build identifier you tested.
  • Your preferred contact and whether you want public credit.

Response SLA

  • Acknowledgement within 72 hours.
  • Triage + severity classification within 5 business days.
  • Fix or mitigation plan scoped within 15 business days; critical issues patched within 7 days.

Out of scope

  • The /shield overlay-demo surface, an intentionally broken sandbox for accessibility demos.
  • Volumetric DoS testing against production. Reports that demonstrate a bypass without generating load are welcome; please don't stress production.
  • Findings on third-party sub-processors: please contact the vendor directly; we'll liaise where useful.

Transparency

We will publish a Government Access Requests transparency note as part of post-GA reporting. The DPA Annex A lists our supplementary Schrems II measures for transferred data.