
Information Security Policy


Gorilla Public (gorillapublic.com)

Effective Date: March 2, 2026
Version: 1.0
Review Cycle: Annually or upon material change
Contact: privacy@gorillapublic.com

1. Purpose

This Information Security Policy (“Policy”) establishes the principles, standards, and controls that Gorilla Public (“Company,” “we,” or “us”) employs to protect the confidentiality, integrity, and availability of information assets — including data collected through external services, social media and mobile app platform integrations, and any applications developed under an external Partner Program. This Policy applies to all employees, contractors, and third-party service providers who access Company systems or data.

2. Scope

This Policy applies to:

  • All information systems, networks, and applications owned or operated by Gorilla Public
  • All data processed, stored, or transmitted on behalf of Gorilla Public clients
  • Data received from or shared with partners and their APIs
  • All personnel and third parties with access to Company information assets

3. Data Classification

All data handled by Gorilla Public is classified into the following tiers:

Classification   Description                          Examples
Confidential     Highly sensitive; restricted access  API keys, credentials, PII, payment data
Internal         Operational use only                 System logs, internal docs, client configs
Public           Approved for public release          Marketing copy, published blog content

4. Access Control

4.1 Principle of Least Privilege

Access to information systems and data is granted on a need-to-know basis. Users are provided the minimum level of access required to perform their job functions.

4.2 Authentication

  • Multi-factor authentication (MFA) is required for all systems containing Confidential or Internal data
  • Strong passwords (minimum 12 characters, mixed case, numbers, and symbols) are enforced
  • Shared credentials are prohibited; each user must have a unique account

4.3 Third-Party API Access

  • API credentials and OAuth tokens are stored securely using environment variables or secrets management tools and are never hardcoded in source code
  • API access tokens are rotated regularly or immediately upon suspected compromise
  • Access permissions requested from APIs are scoped to the minimum required for application functionality

5. Data Handling and Privacy

5.1 User Data

Data obtained through the API or Partner Program integrations is subject to the following controls:

  • User data is collected only for the specific purpose disclosed at the point of collection
  • Data is not sold, rented, or shared with unauthorized third parties
  • Data is retained only for the period necessary to fulfill its stated purpose and is then securely deleted
  • Users are provided clear disclosure of what data is collected and how it is used

5.2 Applicable Privacy Laws

Gorilla Public complies with applicable privacy regulations including, but not limited to, the California Consumer Privacy Act (CCPA) and, where applicable, the General Data Protection Regulation (GDPR). Users may request access to, correction of, or deletion of their personal data by contacting privacy@gorillapublic.com.

6. Network and Infrastructure Security

  • All data in transit is encrypted using TLS 1.2 or higher
  • Data at rest is encrypted using AES-256 or equivalent standards where technically feasible
  • Production environments are logically separated from development and staging environments
  • Firewalls and network segmentation are employed to restrict unauthorized inbound and outbound traffic
  • Hosting providers and cloud services are evaluated for SOC 2 Type II compliance or equivalent security certifications

7. Application Security

7.1 Secure Development Practices

  • Code is reviewed for security vulnerabilities prior to deployment to production
  • Dependencies and third-party libraries are kept up to date and monitored for known vulnerabilities
  • Input validation and output encoding are implemented to prevent injection attacks (SQL injection, XSS, etc.)
  • OAuth 2.0 flows are implemented in accordance with developer documentation and industry best practices

7.2 Vulnerability Management

  • Security patches for critical systems are applied within 30 days of availability; patches for critical/high-severity vulnerabilities are prioritized and applied within 7 days
  • Applications are reviewed for OWASP Top 10 vulnerabilities on a periodic basis

8. Incident Response

In the event of a suspected or confirmed security incident involving Company systems or Partner-related data:

  • The incident is documented, including the nature of the breach, data affected, and timeline
  • Affected systems are isolated to prevent further compromise
  • Affected users and, where required by law, regulatory bodies are notified within the timeframe required by applicable regulations (not to exceed 72 hours for GDPR-regulated data)
  • The Partner is notified of any incident involving its platform data in accordance with Partner Program obligations
  • A post-incident review is conducted to identify root causes and implement corrective controls

To report a security incident or vulnerability, contact: security@gorillapublic.com

9. Employee and Contractor Responsibilities

  • All personnel with access to Company systems must read and acknowledge this Policy
  • Personnel must immediately report suspected security incidents or policy violations
  • Personnel must not circumvent security controls or share credentials
  • Contractor access is reviewed upon engagement and revoked upon project completion
  • Remote access to Company systems must be conducted over a secure, encrypted connection

10. Physical Security

As a remote-first business, Gorilla Public does not operate a traditional office data center. The following controls apply to all work environments:

  • Company devices must use full-disk encryption (e.g., FileVault, BitLocker)
  • Screens must be locked when devices are unattended in public or shared spaces
  • Physical media containing Confidential data must be securely destroyed when no longer needed

11. Third-Party Vendor Management

Gorilla Public evaluates third-party vendors and service providers for their security posture before engaging them to process Confidential data. Vendors handling sensitive data are required to maintain security standards consistent with this Policy and, where applicable, to execute data processing agreements (DPAs).

12. Policy Review and Enforcement

This Policy is reviewed at least annually or following any significant change to Company operations, technology stack, or applicable regulations. Violations of this Policy may result in disciplinary action up to and including termination of employment or contract, and, where applicable, civil or criminal liability.

Policy Owner: Blake, Gorilla Public

Contact: privacy@gorillapublic.com

13. Acknowledgment

By accessing Gorilla Public systems or data, all personnel agree to comply with the terms of this Information Security Policy.