Back

Security

Last updated: January 2025

At GTM OS, security is a first-principles requirement. We operate a lean front end that integrates with trusted vendors (OpenAI, Notion, Circle, Stripe, and DigitalOcean). This page explains what we do, what we don't, and who is responsible for what.

Executive summary

  • We do not host AI prompts or outputs. Those stay within your organization's ChatGPT Team/Enterprise account, managed by OpenAI.
  • Documentation and knowledge assets live in your Notion workspace, encrypted in transit and at rest.
  • Community discussions and live sessions are hosted on Circle's secure platform.
  • Payments are processed by Stripe, a PCI-DSS Level 1 certified provider. GTM OS never stores cardholder data.
  • Our website is hosted on DigitalOcean, which provides SOC 2 Type II and ISO 27001 certified infrastructure.
  • We retain only minimal data for account management and support, and purge it according to our privacy policy.
  • Security is a shared responsibility: GTM OS secures our front end, you govern your workspace/admin settings, and vendors secure their platforms.

1. System architecture and data flow

  • Front end only: GTM OS provides UI and workflow guidance. We do not store or process your AI conversation data.
  • AI operations: Prompts and outputs are processed directly in OpenAI's ChatGPT Team/Enterprise, under your organization's settings.
  • Docs and assets: Knowledge lives in your Notion workspace, under your admin controls.
  • Community interactions: Communication and sessions are hosted on Circle.
  • Payments: Stripe processes all payments. GTM OS never stores cardholder data.
  • Hosting: Our static website is served via DigitalOcean.
  • Telemetry: Minimal website logs (IP, browser, timestamp) are retained up to 90 days for reliability and security.

2. Shared responsibility model

AreaGTM OS (front end)You (customer admin)Vendors
AI prompts/outputsNot stored or processed by usManage usage, retention, accessOpenAI (no training on business data by default)
Docs/knowledgeNot stored or processed by usManage workspace config and accessNotion (encrypted in transit/at rest)
Community dataNot stored or processed by usManage profiles, groups, moderationCircle (encrypted, access controls)
PaymentsNo card data storedManage subscriptionStripe (PCI-DSS Level 1)
HostingSecure build, headers, patchingN/ADigitalOcean (SOC 2, ISO 27001)

3. Data handling and retention

  • AI content: Not ingested or stored by GTM OS.
  • Support data: Files/screenshots shared for support are deleted within 30 days of case closure.
  • Logs: Website logs are kept up to 90 days for troubleshooting and abuse detection.
  • Backups: No customer content stored, so no restore required.

4. Encryption

  • In transit: All traffic is protected by HTTPS/TLS.
  • At rest: OpenAI, Notion, Circle, Stripe, and DigitalOcean encrypt business data with AES-256.

5. Identity and access

  • GTM OS does not create user accounts.
  • Access to OpenAI, Notion, Circle, and Stripe is governed by your organization (SSO/MFA recommended).
  • GTM OS staff access to support systems follows least-privilege and secure device standards.

6. Secure development and hardening

  • Our platform has a minimal attack surface (static front end, no customer database).
  • Code is managed through version control, peer reviews, and automated checks.
  • We apply web hardening measures such as TLS 1.2+, HSTS, CSP, and least-privilege access.

7. Vendor management

We rely on a small set of vetted providers:

  • OpenAI: AI processing (ChatGPT Team/Enterprise). No training on business data by default. OpenAI security
  • Notion: Documentation and database hosting. Encrypted at rest and in transit. Notion security
  • Circle: Community platform. Encrypted at rest and in transit. Circle security
  • Stripe: Payment processing. PCI-DSS Level 1 certified. Stripe security
  • DigitalOcean: Hosting and CDN services. SOC 2 Type II and ISO 27001 certified. DigitalOcean trust center

We update this list before onboarding any new vendor that processes user data.

8. Compliance posture

  • GTM OS itself does not operate infrastructure and therefore does not hold SOC/ISO certifications.
  • We rely on our vendors' certifications and align with GDPR/CCPA principles.
  • Internally, we apply least-privilege access, logging, and secure development lifecycle practices.

9. Incident response

  • Detection: We monitor our website for anomalies.
  • Response: We isolate issues, rotate credentials, and coordinate with vendors.
  • Notification: If user data is affected, we notify impacted customers without undue delay.
  • Post-mortem: Incidents are documented with corrective actions.

10. Business continuity and disaster recovery

  • Our static website is hosted on redundant infrastructure (DigitalOcean + CDN).
  • Because GTM OS does not store customer content, we have no data restore requirements.
  • Vendors (OpenAI, Notion, Circle, Stripe, DigitalOcean) maintain their own HA/DR programs.

11. Responsible disclosure

If you believe you've discovered a vulnerability in GTM OS, please contact security@gtm-os.io. We review reports within 3 business days and encourage coordinated disclosure.

12. Customer responsibilities

  • Use ChatGPT Team/Enterprise or API accounts for work data.
  • Configure retention settings and admin policies in OpenAI.
  • Enforce SSO/MFA for OpenAI, Notion, Circle, and Stripe.
  • Avoid placing secrets (API keys, credentials) in prompts.
  • Regularly review workspace and community access settings.

13. Data subject and deletion requests

  • GTM OS does not store AI prompts, outputs, or community data.
  • Most data subject requests should be directed to OpenAI, Notion, Circle, or Stripe.
  • For the limited data we hold (support artifacts, logs), requests can be made to privacy@gtm-os.io.

14. Contact us

For any security or privacy questions, please contact us:

Email: security@gtm-os.io or privacy@gtm-os.io

Website: gtm-os.io