Security at GetPrice
Last updated: 16 May 2026
Security is foundational to how GetPrice operates. This page describes the controls we currently rely on, written to give Customers an accurate picture rather than a marketing one, including what we have not yet built.
For the full commercial and legal commitments, see our Privacy Policy and Terms of Service. Paying customers also receive a Master Service Level Agreement which incorporates the breach-notification and data-handling clauses by reference.
1. Hosting and Data Residency
GetPrice is hosted on Google Cloud Platform. Customer data is stored primarily in the africa-south1 region (Johannesburg, South Africa). Primary database storage is region-locked.
Specific cross-border flows (for example, marketing-site leads to HubSpot, transactional email delivery) are listed and explained on our Subprocessors page.
2. Encryption
- In transit: TLS 1.2 or higher for all access to the Service and between internal services.
- At rest: AES-256 encryption (managed by Google Cloud) for the Cloud SQL database, Cloud Storage objects (including product images), and GCP-managed backups.
- Secrets: service credentials and API keys are stored in Google Secret Manager and mounted into production services at runtime.
3. Access and Audit
- Administrative access to production infrastructure is restricted to a small number of authorised individuals on a need-to-know basis.
- Role-based access controls in the platform itself are being progressively enforced as the team grows.
- Passwords are hashed using bcrypt; we do not store credentials in plaintext.
- Session tokens (JWTs) are issued with a short expiry and held in httpOnly cookies, never exposed to browser JavaScript.
Database schema changes and external service calls are recorded in audit tables. We are progressively extending audit coverage to include read access to personal information.
4. Backups
GetPrice relies on the default automated backup schedule provided by Google Cloud SQL for the production database. We do not currently commit a specific recovery time objective (RTO) or recovery point objective (RPO), and restore-from-backup testing has not yet been performed. A formal disaster-recovery commitment will be introduced in a future revision of our Master Service Level Agreement.
5. Incident Response
GetPrice maintains an internal breach-response runbook, owned by the Information Officer. Where a security incident affects Customer Confidential Information or personal information, we commit to notifying the Customer's nominated Security Contact within 72 hours of confirmation, in line with Master SLA clause 8.
Where personal information of identifiable individuals has been compromised, we will notify the Information Regulator and affected data subjects as soon as reasonably possible (target 72 hours), in line with POPIA section 22. Notification content follows the five elements required by POPIA s22(5): description, possible consequences, containment measures, recommended actions, and the identity of the unauthorised person where known.
6. Subprocessors and Vendor Security
Subprocessors that handle Customer personal information are listed on our Subprocessors page, together with their purpose, region, and the compliance basis we rely on for any cross-border transfer. Each subprocessor is bound by a Data Processing Agreement or equivalent terms to process personal information only on our instructions and in accordance with POPIA.
7. Customer Responsibilities
Security is shared. Customers are responsible for:
- the security of their account credentials, including not sharing login credentials outside the scope of permitted use in the Terms of Service;
- notifying GetPrice at support@getprice.ai within 24 hours of becoming aware of any suspected compromise of their account or credentials;
- nominating and keeping current a Security Contact on the Order Form for paying customers, so that breach notifications under Master SLA clause 8 reach the right person.
8. Reporting a Security Issue
If you have found, or believe you have found, a security issue affecting GetPrice or any GetPrice Customer, please report it to security@getprice.ai. We will acknowledge receipt within two business days.
Please do not publicly disclose the issue before we have had a reasonable opportunity to investigate and respond. We will not take legal action against good-faith security researchers who follow this disclosure process.
9. Roadmap
We are transparent about where we are going. The following improvements are on our roadmap and will be introduced as the business grows:
- Automated uptime monitoring and a public status page.
- Multi-factor authentication for administrative access.
- Disaster-recovery commitments with tested RTO and RPO.
- Professional indemnity and cyber-liability insurance appropriate to our customer base.
Until each of these is in place, the current Master Service Level Agreement reflects the honest position and the Customer accepts it on signing.