Security and disclosure
CitationGraph focuses on server-side collection, explicit runtime controls, and auditable telemetry surfaces.
Security posture
Product deployments emphasize server-side runtime control, low client footprint, and traceable evidence around bot and agent traffic.
Encryption
All traffic between clients and CitationGraph services is encrypted in transit with TLS 1.2 or later. Data at rest in the hosted product is encrypted with Google Cloud's default encryption at rest (AES-256). API tokens and OAuth refresh tokens are stored encrypted and are never written to client-side code or logs.
Access control
Within the hosted product, access to customer data is limited to personnel who need it for operational support and is governed by role-based access control across CitationGraph's internal systems. All administrative access is logged and auditable.
Responsible disclosure
If you discover a security vulnerability, report it to security@gravity.dev. We acknowledge reports within 48 hours and aim to provide an initial assessment within 5 business days. Please do not publish sensitive details before we have had a reasonable opportunity to investigate and respond. CitationGraph does not currently operate a formal bug bounty program, but we value and recognize responsible disclosure.
Compliance roadmap
CitationGraph is building toward formal compliance certifications. Current focus areas include SOC 2 Type II readiness and alignment with applicable data protection regulations. If you need specific security documentation for procurement review, contact analytics@gravity.dev.
Common questions
How should I report a security issue?
Email security@gravity.dev rather than posting sensitive details publicly; that address is the team's responsible-disclosure channel.
What security posture does CitationGraph emphasize?
The public guidance emphasizes server-side collection, explicit runtime control, a low client footprint, and auditable evidence around bot and agent traffic.