Security at Gilead Vanguard

Gilead Vanguard Technology LLC is a New York limited liability company. We take a security-by-design approach across our website, the products we deliver and the engagements we run with customers. Our internal security practices are informed by the NIST Cybersecurity Framework and the Trust Services Criteria published by the AICPA. As the business grows we expect to seek formal third-party attestations against those frameworks; until those audits are complete we do not claim certification.

This page describes the controls and commitments we operate today. If you require a more detailed security review for a procurement or due-diligence process, please contact security@gileadtechnologies.com.

Information transmitted to and from our website and any customer-facing services is protected in transit using TLS 1.2 or higher with modern cipher suites. Information stored in our managed systems is encrypted at rest using industry-standard algorithms (AES-256 or equivalent) provided by our cloud and SaaS providers.

We follow the principle of data minimisation: we collect only the personal information needed to operate, support and improve the Services, and we retain it only as long as required for those purposes or to meet legal obligations.

Access to systems that hold customer or business information is limited to personnel who need it for their role. Administrative access requires multi-factor authentication. Credentials and API keys are stored in managed secret stores rather than in source code, and we rotate them when personnel changes occur or when there is any indication of compromise.

We host our website and supporting services with reputable cloud and SaaS providers that publish their own SOC 2 or ISO/IEC 27001 reports. We rely on the security controls those providers operate at the platform layer (physical security, network isolation, hypervisor patching, hardware key management) and add application-layer controls on top.

Hardware and integrated systems delivered to customers are sourced from vetted manufacturers. Where firmware updates are required, we deliver them through the manufacturer's authenticated update channels.

Our engineering practices include the following safeguards:

• Peer review of code changes before they reach production.
• Automated dependency scanning to detect known vulnerabilities in third-party libraries.
• Use of established frameworks and platforms rather than custom-built security primitives.
• Separation of development, staging and production environments where applicable.
• Logging of administrative actions for later review.

We maintain a documented process for responding to suspected security incidents that affect customer information. A named owner is responsible for triage, containment, customer notification and post-incident review. Where an incident triggers a notification obligation under contract or applicable law, we will notify affected parties without undue delay and provide the information required by the relevant regime.

Before engaging a third party that will process information on our behalf, we review the provider's publicly available security documentation, terms of service and data-processing terms. We sign data-processing agreements where the activity involves personal information subject to GDPR, UK GDPR or comparable regimes. A current list of subprocessors used in connection with a specific engagement is available to customers on request.

All personnel are bound by confidentiality and acceptable-use obligations as a condition of employment or engagement. We provide security and privacy guidance proportionate to the role and revisit it as the business and threat landscape evolve.

We welcome reports of suspected security vulnerabilities in our website, our products or services we deliver. Please send detailed reports to security@gileadtechnologies.com, including steps to reproduce and any supporting evidence. We will acknowledge receipt within five business days, keep you informed of progress and, where appropriate, credit you in a public advisory after the issue is resolved. We will not pursue legal action against good-faith researchers who follow this policy.

Please do not test in ways that could degrade our Services or affect other customers; do not access, modify or delete data that is not your own; and give us a reasonable period to remediate before any public disclosure.

We will update this page as our security practices evolve. Material changes will be reflected in the effective date at the top of the page.

Security questions, due-diligence requests and vulnerability reports may be sent to security@gileadtechnologies.com or by post to Gilead Vanguard Technology LLC, 167 Madison Ave, Ste 205, #590, New York, NY 10016, United States.