Security
Gated audits the security posture of MCP servers. Holding ourselves to the standard we measure others against is the baseline, not a selling point. This page describes how we protect the data you trust us with.
01 Encryption
All data is encrypted in transit (TLS 1.2+) and at rest. Target credentials get an additional layer: each credential is envelope-encrypted with a data key sealed by a per-organization AWS KMS customer-managed key. The unwrapped key is available only to the scan worker that needs it; the platform API role cannot decrypt credentials. Revoked credentials are deleted within 5 minutes; the wrapped key is discarded, making the credential cryptographically unrecoverable.
02 Infrastructure
The Gated platform and scan workers run inside AWS VPCs on private subnets. Workers have no public ingress. Outbound access for scanning is scoped to the targets you authorize.
03 Internal and unreachable targets
For MCP servers that are not reachable from the public internet, scanning runs through gated-cli, which you run inside your own network. The CLI forwards MCP protocol traffic between our worker and your target for a single authorized scan. In that mode, the target never has to be exposed to the public internet, and we never hold credentials to your internal systems.
04 Multi-tenancy and access control
Authentication and organization management run on Clerk. Within an organization, members have Owner, Admin, or Member roles. Data access is enforced per organization at the application and key layers — queries that touch tenant data filter by organization, and KMS grants are scoped to a single tenant.
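As an added illustration (not Gated's actual configuration), a KMS key policy for one organization's customer-managed key can express both the Encryption section's separation, where the platform API role seals credentials but cannot decrypt them, and the single-tenant scoping described here. The account ID, role names, `org_id` encryption-context key and `org_EXAMPLE` value are all assumptions, and the policy uses key-policy statements where the page mentions grants.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KeyAdministrationWithoutDataAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/example-key-admin" },
      "Action": [
        "kms:DescribeKey",
        "kms:PutKeyPolicy",
        "kms:EnableKeyRotation",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PlatformApiSealsNewCredentials",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/example-platform-api" },
      "Action": "kms:GenerateDataKey",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:EncryptionContext:org_id": "org_EXAMPLE" }
      }
    },
    {
      "Sid": "ScanWorkerUnsealsForOneTenant",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/example-scan-worker" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:EncryptionContext:org_id": "org_EXAMPLE" }
      }
    }
  ]
}
```

Because no statement delegates to the account root, IAM policies alone cannot add `kms:Decrypt` for another role on this key. The encryption context supplied at `GenerateDataKey` must be supplied again at `Decrypt`, so a wrapped key sealed for one organization cannot be unsealed under another organization's context.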
05 What we do with scan data
Running a scan produces results, findings, and operational logs. We process this data to deliver the product to you, to operate and secure the service, and to improve Gated’s checks, detection accuracy, and remediation guidance over time. This data is encrypted and access-controlled as described above.
We do not sell your data, and we do not share identifiable scan data with third parties except subprocessors that help us run the service, under contract. See the Privacy Policy for details.
06 Authorization
We only scan targets you are authorized to scan. Running a scan is an attestation that you have the right to test the target. See the Authorization Policy.
07 Reporting a vulnerability
Found a security issue in Gated itself? Email security@gated.cc. We’ll acknowledge within 2 business days. We don’t currently run a paid bounty, but we credit reporters who want it.