1. Our Security Commitment
Guiza Media LLC recognizes that security is fundamental to maintaining the trust of our clients and partners. We are committed to protecting the confidentiality, integrity, and availability of all data entrusted to us through comprehensive security measures, continuous improvement, and transparency.
Security Principles
- Defense in Depth: Multiple layers of security controls throughout our infrastructure
- Least Privilege: Users and systems have only the minimum access necessary
- Continuous Improvement: Regular security assessments and updates to our practices
- Transparency: Open communication about our security posture and any incidents
- Privacy by Design: Security and privacy considerations built into our processes from the start
Security Governance
Our security program is overseen by company leadership and includes: regular security training for all team members, documented security policies and procedures, periodic security audits and assessments, and incident response planning and testing.
2. Infrastructure Security
2.1 Cloud Infrastructure
Our infrastructure is hosted on industry-leading cloud platforms that maintain robust security certifications:
| Provider | Service | Security Certifications |
|---|---|---|
| Vercel | Web Hosting & Edge Network | SOC 2 Type II, ISO 27001 |
| AWS | Cloud Infrastructure | SOC 2, ISO 27001, PCI DSS |
2.2 Network Security
Our network security measures include:
- Encryption in Transit: All data transmitted between users and our services uses TLS 1.3 encryption
- DDoS Protection: Automated protection against distributed denial-of-service attacks
- Web Application Firewall (WAF): Protection against common web vulnerabilities
- Network Segmentation: Isolation of critical systems and data
- Intrusion Detection/Prevention: Continuous monitoring for suspicious network activity
2.3 Physical Security
As a fully remote company with cloud-based infrastructure, we rely on our service providers' physical security controls, which include: 24/7/365 on-site security personnel, biometric access controls, video surveillance, environmental controls (fire suppression, climate control), and regular security audits.
3. Data Protection
3.1 Data Classification
We classify data based on sensitivity and apply appropriate protection measures:
| Classification | Description | Examples |
|---|---|---|
| Confidential | Highly sensitive data requiring maximum protection | Client login credentials, payment information, proprietary business data |
| Internal | Business data for internal use only | Client contact information, project details, analytics data |
| Public | Information intended for public disclosure | Marketing content, published case studies, public website content |
3.2 Encryption
We employ encryption to protect data:
- Data in Transit: All communications use TLS 1.3 with strong cipher suites
- Data at Rest: Sensitive data is encrypted using AES-256 encryption
- Key Management: Encryption keys are managed securely with regular rotation
3.3 Data Retention and Disposal
We retain data only as long as necessary and dispose of it securely: data retention periods are defined in our Privacy Policy; when data is no longer needed, it is securely deleted or anonymized; secure deletion methods ensure data cannot be recovered.
3.4 Backups
We maintain regular backups to ensure data availability: automated daily backups of critical data, backup encryption using industry-standard algorithms, regular backup restoration testing, and geographic redundancy for disaster recovery.
4. Access Control
4.1 Authentication
We implement strong authentication mechanisms:
- Password Requirements: Strong password policies requiring minimum complexity
- Multi-Factor Authentication (MFA): Required for all administrative and sensitive system access
- Single Sign-On (SSO): Where available, to reduce password fatigue
- Session Management: Automatic session timeout after periods of inactivity
4.2 Authorization
Access to systems and data is governed by:
- Role-Based Access Control (RBAC): Access based on job responsibilities
- Principle of Least Privilege: Minimum necessary access for each role
- Regular Access Reviews: Periodic review and validation of user access rights
- Immediate Revocation: Prompt removal of access upon role change or termination
4.3 Account Security
For client accounts and integrations: secure credential storage using industry-standard hashing, no storage of passwords in plain text, secure API key management, and regular rotation of service account credentials.
5. Application Security
5.1 Secure Development
Security is integrated throughout our development lifecycle:
- Security Requirements: Security considerations included in planning
- Code Reviews: Peer review process to identify security issues
- Static Analysis: Automated security scanning of code
- Dependency Management: Regular updates and vulnerability scanning of third-party components
5.2 Security Testing
We conduct several kinds of security assessment: regular penetration testing by third-party security firms, automated vulnerability scanning for known vulnerabilities, and periodic comprehensive security audits.
5.3 Common Vulnerability Protections
Our applications are protected against common security vulnerabilities: SQL Injection prevention through parameterized queries, Cross-Site Scripting (XSS) protection through context-appropriate output encoding, Cross-Site Request Forgery (CSRF) protection through anti-forgery tokens, Clickjacking protection through the X-Frame-Options header, and Content Security Policy (CSP) implementation.
6. Monitoring and Incident Response
6.1 Security Monitoring
We maintain continuous security monitoring: 24/7 infrastructure monitoring and alerting, log aggregation and analysis, anomaly detection for suspicious activity, and regular security metric review.
6.2 Incident Response
We have established incident response procedures:
| Phase | Activities |
|---|---|
| Detection | Identify and confirm security incidents through monitoring and reports |
| Containment | Limit the scope and impact of the incident |
| Eradication | Remove the cause of the incident |
| Recovery | Restore affected systems and data |
| Lessons Learned | Document findings and improve processes |
6.3 Breach Notification
In the event of a security breach affecting personal data: we will notify affected individuals without undue delay, regulatory authorities will be notified as required by law (within 72 hours under the GDPR), and notifications will include details of the breach, the data affected, and the remediation steps taken. See our Privacy Policy for more details on breach notification procedures.
7. Compliance and Certifications
7.1 Regulatory Compliance
We maintain compliance with applicable security and privacy regulations: GDPR (European Union General Data Protection Regulation), CCPA/CPRA (California Consumer Privacy Act and Privacy Rights Act), and Industry Standards (following security best practices and frameworks).
7.2 Security Frameworks
Our security program aligns with established frameworks: NIST Cybersecurity Framework, ISO 27001 principles (working toward certification), and CIS Controls.
7.3 Certifications
Our infrastructure providers maintain current security certifications including: SOC 2 Type II, ISO 27001, and PCI DSS (for payment processing).
8. Third-Party Security
8.1 Vendor Assessment
We evaluate the security practices of all third-party service providers: security questionnaire and assessment before engagement, review of security certifications and compliance, security requirements in vendor contracts, and periodic re-assessment of vendor security.
8.2 Data Processing Agreements
We have appropriate agreements in place with data processors: Data Processing Agreements (DPAs) for GDPR compliance, Business Associate Agreements (BAAs) where required, and clear definition of security responsibilities.
8.3 Sub-Processors
Our primary sub-processors include: Vercel (web hosting), AWS (cloud infrastructure), Stripe (payment processing), and Google Analytics (analytics). A complete list of sub-processors is available upon request.
9. Reporting Security Issues
We encourage responsible disclosure of security vulnerabilities. If you believe you have discovered a security issue in our systems, please report it to us immediately.
How to Report
Email: info@guizamedia.com (Subject: Security Issue)
Please Include:
Description of the vulnerability, steps to reproduce the issue, potential impact, suggested remediation (if any), and your contact information for follow-up.
Our Commitment
- We will acknowledge receipt of your report within 48 hours
- We will investigate all legitimate reports and take appropriate action
- We will not take legal action against security researchers who follow responsible disclosure practices
- We will recognize contributors who help improve our security (with permission)
Responsible Disclosure Guidelines
When reporting security issues, please: provide us reasonable time to address the issue before public disclosure, do not access, modify, or delete data that does not belong to you, do not perform actions that could degrade our services, and do not share the vulnerability with others until it has been resolved.
10. Contact Information
For security-related inquiries or to report security concerns, please contact us:
Attn: Security Team
1209 Mountain Road Pl NE Ste N
Albuquerque, NM 87110
United States
Email: info@guizamedia.com
Website: https://guizamedia.com
For urgent security matters, please include "URGENT: Security" in the subject line.
Additional Resources
- Privacy Policy - Information about data protection
- GDPR Compliance - EU data protection rights
- Terms of Service - Legal terms of use