Security Disclosure

Last updated: May 14, 2026

Introduction

This page describes how Nyvion LLC (“GMC Medic,” “we,” “us,” or “our”) secures the GMC Medic platform and the data you trust us with. We've written this document to be specific rather than generic, because vague security claims are worth less than nothing.

If you find a vulnerability, please see Section 10 — Responsible Disclosure.

1. Hosting and Infrastructure

GMC Medic is hosted on Vercel for application compute and on Supabase for database and authentication. Both providers operate under SOC 2 controls and provide infrastructure-level isolation, DDoS mitigation, and managed networking.

  • Vercel — handles HTTPS termination, edge networking, serverless function execution, and DDoS protection. Vercel is SOC 2 Type 2 certified and ISO 27001 certified. (Vercel Security)
  • Supabase — hosts our PostgreSQL database and runs our authentication layer. Supabase is SOC 2 Type 2 certified. (Supabase Security)
  • Inngest — orchestrates background scan jobs. (Inngest Security)

All infrastructure is operated in the United States.

2. Encryption

2.1 In Transit

  • All traffic to and from GMC Medic is encrypted using TLS 1.2 or higher.
  • HTTP requests are redirected to HTTPS.
  • TLS certificates are managed by Vercel and rotated automatically.

2.2 At Rest

  • Database storage is encrypted at rest using AES-256, managed by Supabase.
  • API keys, OAuth tokens, and secrets are stored as encrypted environment variables in our hosting provider. They are never committed to source control.

3. Access Control

3.1 Customer-Facing Access

  • All account access requires authentication through our authentication provider, Supabase.
  • We support OAuth-based sign-in via Google and Shopify, in addition to email-based sign-in.
  • Sessions use secure, HTTP-only cookies with rotating refresh tokens.

3.2 Row-Level Security

  • Our database enforces row-level security (RLS) policies that scope every query to the authenticated account.
  • An account can read or write only its own data. Because RLS is enforced by the database itself rather than only by application code, a bug that issues an overly broad query still returns or modifies only that account's rows.
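As an added illustration of the pattern described above (not GMC Medic's actual schema or policy definitions), here is how an account-scoped RLS policy is typically written on Supabase-hosted PostgreSQL, followed by a check that confirms the scoping from a session acting as a specific user. The table name `scans`, its columns and the sample UUIDs are assumptions; `auth.uid()` is Supabase's helper that returns the `sub` claim of the caller's JWT, and the `authenticated` role is the one Supabase assigns to logged-in API requests.

```sql
-- Added example; assumed schema. In a real Supabase project account_id would
-- reference auth.users(id); the reference is omitted so the block runs stand-alone.
create table scans (
  id            uuid primary key default gen_random_uuid(),
  account_id    uuid not null,
  store_domain  text not null,
  created_at    timestamptz not null default now()
);

-- Turn RLS on, and apply it to the table owner as well (FORCE), so that the only
-- roles that skip the policies are those with the BYPASSRLS attribute.
alter table scans enable row level security;
alter table scans force row level security;

-- Privileges say what the role may attempt; the policies below decide which rows.
grant select, insert, update, delete on scans to authenticated;

-- Every statement type is scoped to the caller's own account_id.
-- USING filters rows that are visible/affected; WITH CHECK constrains new row values.
create policy "accounts read own scans" on scans
  for select to authenticated
  using (account_id = auth.uid());

create policy "accounts insert own scans" on scans
  for insert to authenticated
  with check (account_id = auth.uid());

create policy "accounts update own scans" on scans
  for update to authenticated
  using (account_id = auth.uid())
  with check (account_id = auth.uid());

create policy "accounts delete own scans" on scans
  for delete to authenticated
  using (account_id = auth.uid());

-- Constructed check: act as the authenticated role with a JWT whose sub is
-- account ...0001, the way the Supabase API layer sets it per request.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);

-- Allowed: the new row belongs to the caller.
insert into scans (account_id, store_domain)
values ('00000000-0000-0000-0000-000000000001', 'example.myshopify.com');

-- Rejected by the WITH CHECK clause with
-- "new row violates row-level security policy for table scans":
-- insert into scans (account_id, store_domain)
-- values ('00000000-0000-0000-0000-000000000002', 'other.myshopify.com');

-- No WHERE clause, yet only the caller's rows come back.
select id, store_domain from scans;
rollback;
```

The check is the part worth keeping around: run it against a staging database after any policy change, once per policy and per statement type, because a policy that covers `select` but not `update` or `delete` still leaves a gap. One platform caveat: on Supabase the `service_role` key maps to a role with `BYPASSRLS`, so any server-side code that uses it is outside these policies and must scope its own queries.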

3.3 Administrative Access

  • Administrative access is granted on a least-privilege basis and limited to personnel who require it for operations or support.
  • Multi-factor authentication is required for all administrative access.
  • Access is reviewed quarterly and revoked immediately upon role change or departure.

3.4 Third-Party API Access

  • Tokens for Google and Shopify are stored with restricted scopes — we request only the minimum permissions necessary to provide the Service.
  • You may revoke our access to your Google or Shopify account at any time through those platforms’ connected-apps settings.

4. Data Handling

4.1 What We Collect

Only the data needed to provide the Service. See our Privacy Policy for the full breakdown.

4.2 Data Minimization

  • We do not capture or persist data from authenticated areas of your storefront.
  • We do not record full Shopify product images — we read metadata and URLs only.
  • We do not log request bodies or response bodies that contain Personal Data, except where necessary for security incident investigation.
  • Logs that do contain Personal Data are retained for 30 days and access is restricted.

4.3 Retention

  • Customer-facing data is retained while the account is active and for 30 days after account closure, except where legal retention obligations apply (e.g., 7 years for billing records). Scan history is retained for up to 12 months — see our Privacy Policy for the full retention schedule.

4.4 Deletion

  • Account deletion initiates removal of stored Personal Data within 30 days.
  • OAuth tokens are revoked at our end and remain revocable at your end through Google and Shopify settings at any time.

5. AI and Third-Party Data Processing

GMC Medic uses Anthropic's Claude models (Claude Sonnet and Claude Haiku) to analyze store content for compliance signals. Specifically:

  • What we send to Anthropic: product titles, descriptions, scraped policy page excerpts, About and Contact page text, and business profile fields.
  • What we do not send: Shopify access tokens, payment information, account credentials, or any data not necessary for compliance analysis.
  • No training on customer data: Under our commercial agreement with Anthropic, customer data submitted to the API is not used to train Anthropic's models.

For a full list of sub-processors and the data each handles, see our Sub-processor List.

6. Network Security

  • No direct database access from the public internet. All database queries are routed through application servers.
  • Inbound traffic is filtered at the edge by Vercel’s WAF and DDoS protection.
  • Outbound traffic from our application servers is limited to the documented sub-processor endpoints required to provide the Service.

7. Backups and Disaster Recovery

  • The database is backed up daily by Supabase.
  • Backup retention and recovery options are consistent with our database provider's plan and configuration.
  • Backup data is encrypted at rest and access is restricted to operational personnel.

8. Incident Response

We maintain a documented incident response process. In the event of a security incident:

  1. The incident is triaged and contained.
  2. The scope of impacted data and accounts is determined.
  3. If a Personal Data Breach occurred, affected customers are notified without undue delay and in any event within 72 hours of our becoming aware of the breach, in accordance with GDPR Article 33 and our Data Processing Agreement.
  4. The relevant supervisory authority is notified where required by law.
  5. A post-incident review is conducted to identify root causes and prevent recurrence.

If you believe your account has been compromised or you have experienced a security incident related to GMC Medic, email support@getgmcmedic.com with “Security Incident” in the subject.

9. Compliance and Certifications

9.1 Current State

  • GMC Medic is built on infrastructure providers that maintain industry-standard security attestations (Vercel and Supabase are SOC 2 Type 2 attested; Stripe is SOC 2 Type 2 attested and PCI DSS Level 1 certified). Anthropic publishes its own security and compliance documentation at trust.anthropic.com.
  • We comply with the EU GDPR and UK GDPR, including the requirements applicable to data processors.
  • We comply with the California Consumer Privacy Act (“CCPA”) as amended by the CPRA, and similar US state privacy laws.

9.2 Roadmap

  • We are pursuing our own SOC 2 Type 2 examination as we scale beyond initial launch. Customers seeking documentation in advance of certification may request our current security questionnaire by emailing support@getgmcmedic.com.

10. Responsible Disclosure

If you discover a security vulnerability in GMC Medic, we want to hear about it.

Email: support@getgmcmedic.com with “Security — Responsible Disclosure” in the subject.

Please include:

  • A description of the vulnerability.
  • Steps to reproduce.
  • The impact, in your assessment.
  • Any proof-of-concept code (if applicable).

We commit to:

  • Acknowledging your report within 2 business days.
  • Investigating and providing a status update within 10 business days.
  • Not pursuing legal action against researchers who act in good faith, do not access more data than necessary to demonstrate the issue, and do not publicly disclose before we have had a reasonable opportunity to remediate.

We do not currently offer a paid bug bounty, but we recognize meaningful disclosures publicly (with the reporter's consent) and provide hall-of-fame credit.

11. What We Ask of You

Security is a shared responsibility. You can help protect your account by:

  • Using a strong, unique password for your GMC Medic account (or signing in via Google / Shopify OAuth).
  • Enabling multi-factor authentication on your Google and Shopify accounts.
  • Reviewing OAuth-authorized applications on Google and Shopify periodically and revoking any you no longer use.
  • Notifying us immediately if you suspect unauthorized access.

12. Contact

Email: support@getgmcmedic.com
Mailing address: Nyvion LLC, 2150 Renault Dr, Saint Louis, MO 63146

© 2026 Nyvion LLC. Not affiliated with Google LLC.