Last updated · 8 May 2026 REF · GSIG-2026-LEG-003

Security.

GSIG operates as a forensic intelligence firm. The integrity, confidentiality, and availability of client engagement data are core operational responsibilities. This page documents the security posture for the public website and describes how to disclose vulnerabilities responsibly.

01 Posture

GSIG operates a strict separation between three environments: the public website (this domain), the client portal (vetted access only), and the production intelligence platform (not internet-accessible).

The intelligence platform — including the wallet attribution graph, sanctions reconciliation system, money-flow forensic infrastructure, and engagement deliverables — operates on owned infrastructure. It is not hosted on commercial cloud, is not accessible from the public internet, and is reachable only through controlled, authenticated paths from a small set of operational endpoints.

Client engagement deliverables are produced on this internal infrastructure and transferred to clients through controlled channels agreed in the engagement letter.

02 Website security headers

The GSIG public website applies a strict set of security headers on every response. These are intentionally tighter than typical commercial site defaults, reflecting GSIG's posture as a firm whose public surface is part of its credibility:

Header                             Value
Strict-Transport-Security          max-age=63072000; includeSubDomains; preload
Content-Security-Policy            self-only by default; no inline scripts; HTTPS-only; HSTS-upgraded
X-Frame-Options                    DENY
X-Content-Type-Options             nosniff
Referrer-Policy                    strict-origin-when-cross-origin
Permissions-Policy                 camera=(), microphone=(), geolocation=(), interest-cohort=()
Cross-Origin-Opener-Policy         same-origin
Cross-Origin-Resource-Policy       same-origin
X-Permitted-Cross-Domain-Policies  none

The website does not load third-party scripts, analytics trackers, advertising tags, or behavioural-tracking pixels. Web fonts are loaded from Google Fonts under a CSP allowlist entry; no other third-party origin is permitted by the policy.
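Checking a captured response against the table above, as an added example that is not GSIG's code: each row becomes an assertion, with Strict-Transport-Security and Permissions-Policy parsed as key=value lists and the CSP parsed into directives. The Google Fonts hosts in the sample allowlist and the use of upgrade-insecure-requests as the concrete form of "HTTPS-only; HSTS-upgraded" are assumptions.

```python
# Added example, not GSIG's code: checks one response's headers against the table above. Assumes
# Google Fonts hosts in the CSP allowlist and upgrade-insecure-requests for "HTTPS-only; HSTS-upgraded".
EXACT = {  # headers the table fixes to a single literal value
    "x-frame-options": "DENY", "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin", "x-permitted-cross-domain-policies": "none",
    "cross-origin-opener-policy": "same-origin", "cross-origin-resource-policy": "same-origin",
}
HSTS_MIN_AGE = 63072000  # two years, as in the table

def kv_pairs(value, sep):
    """Parse 'k=v<sep> k2<sep> ...' (HSTS, Permissions-Policy) into a lower-cased dict."""
    pairs = (part.strip().partition("=") for part in value.split(sep))
    return {k.lower(): v.strip() for k, _, v in pairs}

def csp_directives(value):
    """Parse a Content-Security-Policy into directive-name -> list of source tokens."""
    parts = (part.strip().split() for part in value.split(";"))
    return {t[0].lower(): t[1:] for t in parts if t}

def check_headers(headers):
    """Return the policy violations in one response's headers; an empty list means compliant."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"{n}: expected {e!r}, got {h.get(n)!r}"
                for n, e in EXACT.items() if h.get(n, "").lower() != e.lower()]
    hsts = kv_pairs(h.get("strict-transport-security", ""), ";")
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < HSTS_MIN_AGE:
        findings.append("strict-transport-security: max-age below two years")
    findings += [f"strict-transport-security: missing {d}"
                 for d in ("includesubdomains", "preload") if d not in hsts]
    csp = csp_directives(h.get("content-security-policy", ""))
    scripts = set(csp.get("script-src", csp.get("default-src", [])))  # script-src falls back to default-src
    if csp.get("default-src") != ["'self'"] or scripts - {"'self'"}:
        findings.append("content-security-policy: default-src must be exactly 'self' and scripts self-only")
    if "upgrade-insecure-requests" not in csp:
        findings.append("content-security-policy: missing upgrade-insecure-requests")
    pp = kv_pairs(h.get("permissions-policy", ""), ",")
    findings += [f"permissions-policy: {f} not disabled"
                 for f in ("camera", "microphone", "geolocation", "interest-cohort") if pp.get(f) != "()"]
    return findings

COMPLIANT = {  # constructed sample (not captured from gsig.uk), one entry per table row
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' https://fonts.googleapis.com; "
                               "font-src https://fonts.gstatic.com; upgrade-insecure-requests",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin", "X-Permitted-Cross-Domain-Policies": "none",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()",
    "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Resource-Policy": "same-origin",
}
```

Running `check_headers(COMPLIANT)` returns an empty list; a response with a short HSTS max-age, an `'unsafe-inline'` CSP or `X-Frame-Options: SAMEORIGIN` is reported row by row.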

03 Transport and network

All traffic to the public website is served over TLS 1.2 or higher, with modern cipher suites only. The site is operated behind a hardened reverse-proxy edge with rate limiting, DDoS mitigation, and bot-traffic filtering applied. HTTP traffic is permanently redirected to HTTPS.

The internal intelligence platform is not internet-accessible. It communicates with controlled operational endpoints over private network paths, with all traffic authenticated, encrypted, and logged.

04 Authentication and access control

Client portal access is provisioned only after engagement letter execution and verification of authorised personnel. Access is scoped to the engagement, logged in full, and reviewed periodically. Authentication is multi-factor for all human users and credential-rotated for system accounts. There is no self-serve account creation.

Internal access to engagement data is restricted to authorised GSIG personnel on a need-to-know basis, with all access logged.

05 Data handling

Engagement data is encrypted at rest and in transit. Client deliverables are produced in formats agreed in the engagement letter, transferred through controlled channels (encrypted email, secure document portals, or in-person handover where the engagement requires), and retained per the schedule in our Privacy policy.

Engagement findings remain confidential. We do not aggregate, share, or reuse findings produced for one client in service of another, beyond methodological learning that does not identify the client.

06 Vulnerability disclosure

Coordinated disclosure

If you have identified a security vulnerability in the GSIG website, infrastructure, or any GSIG-operated system, please report it to security@gsig.uk.

GSIG will acknowledge receipt within two business days and will coordinate a disclosure timeline with the reporter. We do not currently operate a paid bug bounty programme, but we credit reporters who identify material vulnerabilities, with their permission.

We ask that you:

  • Provide sufficient detail to reproduce the issue, including impact and any proof-of-concept
  • Allow GSIG reasonable time to investigate and remediate before public disclosure
  • Avoid privacy violations, destruction of data, or interruption of services during testing
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it

We will not pursue legal action against researchers who comply with the above and act in good faith.

07 What is out of scope

The following are not considered material security findings and do not need to be reported:

  • Missing security headers on third-party content delivery networks
  • Reports from automated scanners without demonstrated impact
  • Self-XSS and issues that require physical access to a victim's device
  • Lack of rate limiting on non-authenticated public endpoints
  • Best-practice recommendations without an exploitable vulnerability

08 Contact

For security matters, contact security@gsig.uk. For general inquiries, enquiries@gsig.uk.

© 2026 GSIG · Global Sanctions Intelligence Group Powered by VUNIX