Security at Shadow

Shadow is operated by EthosXYZ Technologies Inc. (doing business as "Shadow"), a Delaware C-Corporation headquartered in New York. Protecting our customers' data is core to how we build and operate the product. This page summarizes our security program; full policy documents are available to customers and partners on request.

Information security program

We maintain a written information security program covering people, processes, and technology. It is owned by our engineering team and reviewed at least annually. Our controls are aligned with industry frameworks including SOC 2 and ISO 27001, and with GDPR and CCPA. (We describe alignment with these frameworks, not formal certification.)

Access control and least privilege

Access to systems and customer data follows the principle of least privilege. Access is granted through role-based groups via Google Workspace single sign-on, reviewed regularly, and revoked promptly when someone leaves. Access to customer personal data is limited to the specific team members whose role requires it, and reads of production data are logged.

Data classification and encryption

We classify data by sensitivity and protect it accordingly. All data in transit is encrypted over TLS 1.2 or higher, and data at rest is encrypted with AES-256. Secrets and credentials are stored in a managed secrets manager, never in source code.

Network security and threat monitoring

Our application runs entirely in the cloud on Google Cloud Platform, with production, staging, and development isolated in separate projects. Public traffic is protected by a web application firewall and DDoS mitigation (Cloudflare and Vercel). Access to production is logged and monitored, with alerts routed to our on-call engineer.

Endpoint protection

Company endpoints run anti-malware protection and full-disk encryption, with automatic security updates and short inactivity screen-locks enforced. Devices that do not meet these requirements are blocked from accessing production systems.

Vulnerability management

We monitor security advisories for our own code, our dependencies, and our cloud providers, and we remediate on severity-based timelines. New features that handle authentication, customer data, or third-party access tokens go through a security review before release. We welcome responsible disclosure at security@shadow.co.

Incident response

We maintain an incident response plan with defined severity levels, roles, and communication channels. If a personal-data breach occurs, affected customers are notified without undue delay, consistent with applicable law (including within 72 hours where GDPR applies).

Personal data protection

We honor data-subject rights, including access, correction, deletion, portability, and objection. We maintain a current sub-processor list (available on request) and rely on Standard Contractual Clauses for cross-border transfers from the EEA and UK. Privacy questions and requests: privacy@shadow.co.

Daily security baseline

All staff use single sign-on with mandatory multi-factor authentication, strong unique passwords stored in a password manager, automatic screen-locking, and a clear-desk practice. Security expectations are confirmed at onboarding.

Contact

Security: security@shadow.co

Privacy: privacy@shadow.co

Last updated: May 25, 2026

EthosXYZ Technologies Inc.

Copyright 2026
All Rights Reserved
