Hosting & Security Disclosure — Gulf Coast Tech & AI Services (GCTAI)

Effective Date: December 2025

This Hosting & Security Disclosure outlines how Gulf Coast Tech & AI Services (“GCTAI,” “we,” “us,” or “our”) hosts systems, processes data, and applies security controls to protect client information. This document is provided for transparency and informational purposes and does not constitute a compliance certification.

1. Hosting Environment

GCTAI leverages reputable cloud and SaaS providers to deliver its services. Depending on the solution implemented, infrastructure may include:

n8n Cloud (EU/Germany) — Automation and workflow orchestration
GoHighLevel (USA) — CRM, forms, messaging, and client engagement workflows
Airtable (USA) — Optional client workspace and structured data tables
Notion (USA) — Internal documentation and optional client-facing knowledge management
Google Workspace (USA) — Email, document storage, and collaboration
Microsoft 365 (USA) — Email, document storage, and collaboration
OpenAI (USA/EU) — AI inference services only (no model training on client data)

Service providers are selected based on reliability, security posture, and industry adoption.

2. Data Security Controls

GCTAI applies reasonable administrative, technical, and organizational safeguards, including:

Multi-factor authentication (MFA) on privileged and administrative accounts
Encrypted storage of API keys and secrets using a secure credential manager (e.g., 1Password)
No plaintext storage of credentials or authentication tokens
Scoped, least-privilege API access
Workflow logging and access event monitoring for operational visibility

While no system can be guaranteed 100% secure, GCTAI takes appropriate measures to reduce risk and protect client data.

3. Data Minimization & Retention

GCTAI retains only the minimum data necessary to operate and support client automations and services.

Data is processed solely for agreed-upon service purposes
Clients may request deletion of workflow data, logs, or access credentials at any time, subject to contractual or legal obligations

4. Data Residency & Compliance Scope

Client data may be processed or stored in the United States or the European Union, depending on the service providers and integrations used.

GCTAI does not intentionally process regulated Protected Health Information (PHI)
GCTAI services are not designed to meet HIPAA, PCI-DSS, or similar regulated compliance frameworks unless explicitly agreed to in writing

5. Incident Response

In the event of a confirmed security incident affecting client data:

GCTAI will notify impacted clients without undue delay and generally within 72 hours of confirmation
Notifications will include available details regarding scope, impact, and mitigation steps taken