GAL Legal
Security Policy
This page describes GAL's vulnerability reporting process, current security controls, and security program commitments.
Last updated: March 2026
Report a Vulnerability
- Email security@scheduler-systems.com with the issue summary, impact, reproduction steps, and any suggested remediation.
- GAL targets acknowledgement within 24 hours and triage within 72 hours.
- A formal bounty program is not guaranteed unless explicitly offered in writing.
Application Security Controls
- TLS in transit and encrypted storage in Google Cloud and Firebase.
- Role-based access controls and organization-level data isolation.
- Security headers, auth rate limiting, protected release controls, and secret scanning in CI.
- JWT session tokens use explicit algorithm pinning, token identifiers, revocation on logout and refresh, and a quarterly signing-key rotation target.
Program Status
- SOC 2 Type II: Readiness work in progress
- GDPR operational review: In progress
- Private bug bounty: Direct responsible disclosure only
- External penetration test: Tracked as launch-readiness work
Safe Harbor
- Act in good faith, avoid privacy violations and service disruption, and do not access more data than required to demonstrate the issue.
- Give Scheduler Systems a reasonable remediation window before public disclosure.
Questions about legal terms, privacy, or vulnerability disclosure can be sent to security@scheduler-systems.com or privacy@scheduler-systems.com.