Security & compliance — built in from day one

Security you can hand to your compliance team.

Your credentials never touch the model. Every sensitive action waits for your approval. And your data never trains a model — not ours, not anyone’s.

SOC 2GDPRCCPACASA Tier 2

You’re in control.

01

You approve every action

Giga never moves money, sends an external email, or pushes code without your explicit sign-off in Slack.

02

Disconnect at any time

Pause a user, kill a running task, or revoke any integration in one click — no support ticket required.

03

Connect only what you need

Admins decide which tools Giga can reach, who can use them, and at what scope.

Compliance

Independently audited. Continuously verified.

The audit reports are real, the controls are monitored, and the next audit is always on the calendar.

SOC
SOC 2 Type 1
Certified

Independent attestation that our security controls operate as designed. Type II in progress.

Report available under NDA.

GDPR
GDPR
Aligned

EU data-protection requirements met across processing and storage.

DPA available on request.

CCPA
CCPA
Compliant

California Consumer Privacy Act requirements met.

Privacy documentation available.

CASA
CASA Tier 2
Certified

Cloud Application Security Assessment — required tier for sensitive Google API access.

Attestation included in compliance pack.

SLACK
Slack App Directory
Listed

OAuth scopes and security posture vetted by Slack before shipment through the store.

Public App Directory listing.

ISO
ISO 27001
In progress

ISMS controls implementation and evidence collection underway.

Controls overview today; evidence after certification.

Data handling

What Giga does. What Giga does not.

Exactly what Giga touches — and what it never does.

Does

Encrypts everything

TLS 1.2+ in transit. AES-256 at rest. Secrets held in dedicated, access-logged vaults.

Authenticates with SSO

SAML SSO across Okta, Entra ID, Google Workspace, OneLogin, and any SAML 2.0 IdP.

Offers data residency

US-hosted by default. EU data residency available on Enterprise contracts.

Revokes instantly

Admins can disconnect any integration, pause any user, or kill a running task in one click.

Does not

Train on your data

Your conversations and files never enter a training set — not ours, not our model providers’.

Read your secrets

API keys and tokens are injected at execution time by the tool gateway. The model never sees them.

Act without approval

Money moves, code pushes, and customer emails wait for your explicit approval in Slack.

Share across workspaces

Skills, integrations, and memory are walled off per workspace. No cross-tenant access.

AI safety

AI brings new risks. We built for them.

An AI coworker introduces attack surfaces traditional SaaS doesn’t. Three controls keep that surface small.

Prompt-injection defense

Untrusted content is rendered as data, not commands. High-risk tools sit behind human approval — an injection still can’t move money or push code.

Named providers, no-training contracts

Inference runs on OpenAI, Anthropic, and Google. Each is on our public sub-processor list with a no-training agreement for Giga traffic.

Workspace isolation

Every workspace runs in a sandboxed execution environment. Skills, integrations, and memory are scoped to one tenant — what happens in your Slack stays in your Slack.

Giga’s data & engineering principles.

01

Store only what we need

We keep the logs and session data required to make Giga work well — and nothing more. No silent data hoarding.

02

We don’t train a model

Some agent companies quietly use your data to train. We don’t. We provide a service and ask you to pay for it.

03

Your data is encapsulated

Your data and another customer’s data can never touch. Tenants are isolated, and your keys are stored securely, never exposed to the model.

Questions for your security review?

Request our compliance pack, a DPA, or a deep-dive with our team. We’ll get your procurement unblocked fast.

Talk to our team