Guspora™
Security
Last Updated: May 6, 2026
Guspora is being built toward SOC 2 and HIPAA Business Associate expectations for contractors, building owners, fire departments, and other compliance-heavy customers. This page states the current posture without claiming certifications or audit results that do not exist yet.
What we have today
These controls are in place now and can be reviewed during security due diligence.
AWS production infrastructure
The Guspora production application runs on AWS ECS Fargate with Amazon RDS PostgreSQL for the system of record, Amazon S3 for uploaded documents and media, Route 53 for DNS, and CodePipeline/CodeBuild/ECR for deployments.
Encryption for records and files
RDS PostgreSQL and S3 storage use AWS-managed encryption at rest, including AES-256/SSE-S3 controls documented in the security assessment. Application traffic and service-provider connections use TLS 1.2 or higher.
Tenant isolation
Tenant-owned service-provider and customer records are scoped by tenant_id. Server-side code derives tenant scope from authenticated sessions and uses parameterized PostgreSQL queries.
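As an added illustration of the scoping pattern described above (not Guspora's own code; the Session shape, table names, and psycopg-style %s placeholders are assumptions), a data-access helper that takes the tenant filter only from the authenticated session, emits a parameterized query, and re-checks the tenant on the returned row:

```python
# Hypothetical tenant-scoping helper; table names and Session fields are assumed.
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple


class TenantScopeError(Exception):
    """Raised when a query would run without a tenant derived from the session."""


@dataclass(frozen=True)
class Session:
    user_id: int
    tenant_id: Optional[int]  # None models a session with no tenant established


# Allowlist of tables that carry a tenant_id column (assumed names).
SCOPED_TABLES = {"service_providers", "customer_records"}


def scoped_select(session: Session, table: str, record_id: int) -> Tuple[str, Tuple[Any, ...]]:
    """Build a parameterized PostgreSQL query (psycopg-style %s placeholders).

    The tenant filter always comes from the authenticated session, never from
    request input, so a caller cannot widen scope by supplying its own tenant_id.
    """
    if table not in SCOPED_TABLES:
        # Identifiers cannot be bound as parameters, so only allowlisted names are used.
        raise ValueError(f"unknown table: {table!r}")
    if session.tenant_id is None:
        raise TenantScopeError("session has no tenant; refusing to run an unscoped query")
    sql = f"SELECT * FROM {table} WHERE tenant_id = %s AND id = %s"
    return sql, (session.tenant_id, record_id)


def assert_same_tenant(session: Session, row: Dict[str, Any]) -> Dict[str, Any]:
    """Defense in depth: verify the fetched row belongs to the session's tenant."""
    if row.get("tenant_id") != session.tenant_id:
        raise TenantScopeError("cross-tenant record returned; check query scoping")
    return row
```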
Role-based access
Guspora separates provider, customer, AHJ, and platform administration workflows with role-based access controls. Customer and third-party portal access is scoped to assigned buildings or transaction records.
Audit logging
Commercial, security, admin, inspection, payment, and agent actions write audit records with actor, target record, timestamp, status, and metadata. Exception Inbox and approval queues track blocked or deferred agent actions.
Incident response procedures
The incident response playbook defines P0 through P3 severity levels, response targets, escalation paths, containment steps, evidence preservation, recovery, and post-incident review.
Authentication and session safeguards
The platform uses signed secure cookies, CSRF tokens on mutation endpoints, account lockout checks, magic-link flows for supported portals, bcrypt password hashing where passwords are used, and MFA support.
Security program documentation
The security risk register, key-rotation policy, vulnerability scanning notes, HIPAA security risk assessment, and incident response playbook are maintained in the security documentation set.
What's underway
These items are in progress or planned. They are not represented as complete.
SOC 2 preparation
Guspora is preparing for SOC 2 Type 1 readiness work and later Type 2 evidence collection. No SOC 2 audit has been completed, and no SOC 2 report is available today.
HIPAA Business Associate readiness
Guspora is building toward Business Associate operations for healthcare and fire-department workflows that involve protected health information. Customer BAA execution is handled only where the customer relationship requires it.
Subprocessor BAA work
Subcontractor BAA review and execution is in progress for AWS, Anthropic, Postmark, and Twilio. We do not describe those BAA executions as complete until the paperwork is finished.
Penetration testing and hardening
Burp Suite-based testing is part of the SOC 2 preparation track. WAF and DDoS controls, key-rotation automation, security alerting, retention automation, and disaster-recovery tests remain active hardening items.
What we don't claim
- Guspora is not currently SOC 2 certified. The audit is pending.
- Guspora is not a HIPAA covered entity. For healthcare workflows, Guspora serves or intends to serve as a Business Associate under a signed BAA.
- Guspora is not HITRUST certified.
- Guspora is not a PCI Level 1 service provider. Payment processing is handled by Stripe; Stripe is PCI Level 1, and Guspora is intended to remain in SAQ-A scope by not storing raw card numbers.
- Guspora does not claim FedRAMP authorization.
Responsible disclosure
Report suspected vulnerabilities to security@guspora.com. Include the affected URL, reproduction steps, and any relevant logs or screenshots. We will review good-faith reports and respond with remediation status where appropriate.