Security

Security is foundational to everything we do

We take the protection of our systems, data, and portfolio companies seriously. Security isn't an afterthought—it's built into how we operate.

Our Security Practices

Infrastructure Security

All systems use encryption at rest and in transit. We leverage cloud infrastructure with SOC 2 Type II compliance and implement defense-in-depth architecture.

Access Control

We enforce least-privilege access, require multi-factor authentication for all systems, and conduct regular access reviews. SSO is mandatory for internal tools.

Policies & Training

All team members complete security awareness training. We maintain documented security policies and conduct regular tabletop exercises for incident response.

Third-Party Assessments

We engage third-party security firms for annual penetration testing and vulnerability assessments. Findings are remediated promptly.

Portfolio Security Baseline

Every GASJ portfolio company commits to our security baseline within 12 months of investment. This creates a foundation of security hygiene across our portfolio.

  • Single sign-on for all internal systems
  • Automated vulnerability scanning in CI/CD
  • Encrypted data at rest and in transit
  • Documented incident response plan
  • Annual third-party penetration test
  • Security awareness training for all employees
  • Secrets management (no hardcoded credentials)
  • Audit logging for critical systems

Responsible Disclosure

We appreciate the security research community and welcome responsible disclosure of any vulnerabilities you may discover. If you believe you've found a security issue in any GASJ Holdings system or website, please let us know.

Disclosure Guidelines

  • Provide detailed information about the vulnerability, including steps to reproduce
  • Give us reasonable time to investigate and address the issue before public disclosure
  • Do not access, modify, or delete data belonging to others
  • Do not perform denial of service attacks or social engineering
  • Only test against systems you own or have permission to test

What We Commit To

  • Acknowledge your report within 48 hours
  • Provide an initial assessment within 5 business days
  • Keep you informed of our progress
  • Not take legal action against good-faith researchers
  • Credit you in any public disclosure (if you wish)

Report security vulnerabilities to:

security@gasjholdings.com

For encrypted communication, request our PGP key.

Security-focused investment partner

Learn how we help portfolio companies build security into their products and operations.