Security Built Into the Architecture
Not a feature we added later.
Gottlieb is designed for engineering organizations where IP protection is a legal and competitive obligation. Every architectural decision reflects that.
Our Approach
We tell you exactly what we have and what we don't. We won't claim certifications we haven't earned or audits we haven't completed.
Your Data Stays in Your Region
EU customers are on Azure Germany West Central. US customers are on GCP or AWS US-East. Production data cannot leave its approved region — enforced by infrastructure policy, not configuration.
We Never Train on Your Data
Your code and documents are never used to train AI models. Models are accessed via API — we have no pathway to contribute your data to training pipelines.
Every Request Is Verified
Authentication, schema validation, and ownership checks run server-side before any data is accessed. Tenant identity is resolved from verified tokens — clients cannot spoof it.
Deletion Is a Real Operation
When a user is deleted, their sessions, files, documents, and preferences are removed across every layer. Audit records are anonymized, not deleted — event history preserved, identity removed.
What We Do and Don't Do
We do
- Store data in region-locked, encrypted infrastructure
- Let you export all files and documents at any time
- Log every security-relevant action for compliance review
- Cascade-delete all data on request — idempotent and complete
We don't
- Train models on your proprietary code or documents
- Route EU data through non-EU infrastructure
- Share data with third parties for marketing or analytics
- Access your data without a documented, audited reason
Common Questions
No. The models we use (Azure OpenAI, Anthropic Claude, Vertex AI) are accessed via API. We have no ability to contribute your data to model training pipelines.
In the region you choose at onboarding. EU customers are on Azure Germany West Central. US customers are on GCP or AWS US-East. Data does not cross regions.
Yes. Microsoft Entra ID (Azure AD) is supported in production today. Okta and other SAML/OIDC providers are available via SCIM 2.0.
Yes. We welcome technical deep-dives, answer security questionnaires, and can arrange calls with our engineering team for enterprise evaluations.
Have Questions or Want a Deep-Dive?
We'll walk you through the architecture, answer questions from your security team, and share whatever documentation you need.