Security

Your data belongs to you — and only you. Here is how we enforce that technically.

Secure by Design Pledge

Effective Date: May 2026  ·  Version: 2.0  ·  Last Updated: May 2026  ·  Contact: security@goldeniris.ai

Executive Overview

Golden Tech Solutions LLC is committed to embedding security into every stage of the GoldenIris development lifecycle. We prioritize Secure by Design principles to ensure that content teams, agencies, and brands using GoldenIris are protected against emerging threats. This pledge outlines how we align with key CISA Secure by Design goals.

Purpose

This pledge demonstrates Golden Tech Solutions LLC’s dedication to implementing security best practices throughout GoldenIris. It establishes the rights of users to expect a secure platform, outlines our responsibilities, and documents our measurable commitments.

Scope

This pledge applies to the GoldenIris SaaS platform and all associated services. It encompasses all employees, contractors, and third-party partners involved in the development, deployment, and maintenance of GoldenIris.


Our Six Commitments

GoldenIris is a cloud-hosted SaaS platform. Our customers never patch, update, or manage infrastructure. Security improvements are delivered automatically to every user.

Principle 1: We Take Responsibility for Your Security

Multi-Factor Authentication

Goal: Make MFA the default and mandatory for all GoldenIris users.

Our Commitment: MFA is mandatory for all GoldenIris accounts. We enable MFA by default at account creation. We support standards-based Single Sign-On (SSO) integration with identity providers including Azure AD and Google Workspace, giving enterprise users phishing-resistant authentication with minimal friction.

How We Measure: We regularly review MFA adoption rates across all user types. We track where phishing-resistant MFA is in use and surface adoption gaps proactively through our admin tooling.


Principle 2: We Commit to Transparency and Accountability

Vulnerability Disclosure Policy

Goal: Maintain a published, actionable vulnerability disclosure policy.

Our Commitment: We maintain a transparent vulnerability disclosure policy that welcomes good-faith reports from security researchers. If you discover a vulnerability in GoldenIris, please email security@goldeniris.ai. We commit to acknowledging all reports within 5 business days and providing a resolution timeline within 30 days for critical findings.

How We Measure: We track time-to-acknowledge and time-to-remediate for all disclosed vulnerabilities. Lessons learned are incorporated into our development standards.


Principle 3: Leadership Owns Security

Security Initiatives Led from the Top

Goal: Ensure leadership is directly accountable for the security posture of GoldenIris.

Our Commitment: Our CEO takes direct responsibility for overseeing the security posture of GoldenIris. This includes leading strategic security initiatives, driving adoption of Secure by Design practices, and aligning with CISA guidance and industry best practices. Security is integrated at every level — from product architecture to customer support.

How We Measure: Security milestones, vulnerability reduction metrics, and patch deployment rates are reviewed at the leadership level on a quarterly basis.


Principle 4: We Protect Your Credentials

No Default Passwords

Goal: Eliminate all default passwords from GoldenIris.

Our Commitment: GoldenIris has never shipped with default passwords. Every account requires strong, unique credentials at creation. Password strength is enforced at registration. API keys and secrets are generated cryptographically and displayed only once. We follow CISA guidance on eliminating exploitable authentication defaults.

How We Measure: We audit authentication flows with each release to confirm no default credentials exist at any entry point.


Principle 5: We Reduce Vulnerabilities Systematically

Secure Coding Practices

Goal: Measurably reduce the prevalence of specific classes of vulnerabilities.

Our Commitment: GoldenIris is built on Laravel, a framework with strong built-in protections against OWASP Top 10 vulnerabilities. We consistently apply:

  • Parameterized queries via Eloquent ORM — prevents SQL injection
  • Blade templating auto-escaping — prevents XSS
  • CSRF token validation on all state-changing requests
  • Input validation via Form Requests on every API endpoint
  • Rate limiting on all API routes and authentication endpoints
  • Tenant isolation enforced at the query level (brand_id scoping)
  • All secrets stored in environment variables, never in code
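The tenant isolation item above is the one most easily undone by a single forgotten WHERE clause. The following is an added example, not GoldenIris's own code, of how brand_id scoping can be enforced at the query level in Laravel with an Eloquent global scope; the model name Post, the brand_id column on the User model, and the namespace are assumptions.

```php
<?php
// Added example (not GoldenIris code): query-level tenant isolation in Laravel.
// Model and column names (Post, brand_id on the authenticated User) are assumed.

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;
use Illuminate\Support\Facades\Auth;

class BrandScope implements Scope
{
    // Applied to every query built through a model that registers this scope,
    // so a controller that omits its own WHERE clause still cannot read another tenant.
    public function apply(Builder $builder, Model $model): void
    {
        $user = Auth::user();
        if ($user === null) {
            // No authenticated tenant (e.g. a misconfigured route): fail closed
            // and match nothing instead of returning every brand's data.
            $builder->whereRaw('1 = 0');
            return;
        }
        $builder->where($model->qualifyColumn('brand_id'), $user->brand_id);
    }
}

trait BelongsToBrand
{
    // Laravel calls boot<TraitName>() automatically when the model boots.
    protected static function bootBelongsToBrand(): void
    {
        static::addGlobalScope(new BrandScope());
        // Stamp brand_id server-side on insert so a brand_id supplied in the
        // request body is never trusted (blocks writing into another tenant).
        static::creating(function (Model $model): void {
            $model->brand_id = Auth::user()->brand_id;
        });
    }
}

class Post extends Model
{
    use BelongsToBrand;
    // brand_id is deliberately absent: it can only be set by the trait above.
    protected $fillable = ['title', 'body', 'status'];
}
```

Background jobs and admin tooling that legitimately need cross-tenant access must opt out explicitly with withoutGlobalScope(BrandScope::class), which makes every such exception visible in code review.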

How We Measure: We maintain an internal vulnerability tracking list and review root causes and trends in our CVE analysis process. Secure coding standards are enforced in code review before every merge.


Principle 6: We Own Patch Management

Security Updates Delivered Automatically

Goal: Ensure GoldenIris customers are never exposed to known vulnerabilities due to delayed patching.

Our Commitment: As a fully managed SaaS platform, GoldenIris handles all patching. Our customers never need to apply security updates, manage dependencies, or monitor CVE feeds for the platform. Critical security patches are deployed as soon as they are validated — typically within 24–48 hours of a confirmed vulnerability. We monitor upstream dependencies (PHP, Laravel, npm packages) continuously for known vulnerabilities.

How We Measure: We track mean time to patch (MTTP) for critical CVEs. Our target is under 48 hours for critical severity vulnerabilities.


Enforcement

  • All employees, contractors, and third-party partners must adhere to the principles outlined in this pledge.
  • Non-compliance may result in disciplinary action, up to and including termination of employment or contract.
  • Regular internal audits are conducted to verify compliance with this pledge.

Roles and Responsibilities

  • CEO: Direct oversight of security initiatives. Alignment with CISA and industry best practices. Quarterly security review.
  • Development Team: Implement secure coding practices. Enforce parameterized queries, input validation, CSRF protection. No default passwords shipped.
  • Security Lead: Monitor MFA adoption. Oversee patch management. Triage vulnerability disclosures. Maintain VDP.
  • Customer Support: Assist customers with MFA setup, SSO configuration, and security feature questions.
  • All Employees: Adhere to Secure by Design principles. Report security concerns immediately to security@goldeniris.ai.

Definitions

  • MFA: Multi-Factor Authentication — requires more than one credential type to verify identity.
  • VDP: Vulnerability Disclosure Policy — structured process for security researchers to report vulnerabilities.
  • CISA: Cybersecurity and Infrastructure Security Agency — U.S. federal agency responsible for national cybersecurity infrastructure.
  • CVE: Common Vulnerabilities and Exposures — publicly disclosed security flaws with standardized identifiers.
  • OWASP Top 10: Industry-standard list of the ten most critical web application security risks.
  • MTTP: Mean Time to Patch — average time from vulnerability discovery to deployed fix.

© 2026 Golden Tech Solutions LLC · GoldenIris · New Hampshire, USA · security@goldeniris.ai