Security Overview
How GateKeeper protects your site and your users.
Security-First Design
GateKeeper is built with security at every layer. We combine advanced bot detection, cryptographic challenges, and multi-layered verification to protect your site -- while keeping your data safe and under your control.
Our Approach
GateKeeper uses a multi-layered approach to bot detection that goes far beyond traditional CAPTCHAs. Our system analyzes behavioral patterns, environmental signals, and timing characteristics to distinguish real users from automated threats -- including the latest generation of AI agents.
Every verification request passes through cryptographic proof-of-work challenges that make automated attacks computationally expensive, while remaining seamless for legitimate users. Our adaptive difficulty system continuously adjusts challenge complexity based on real-time threat assessment.
Behavioral signals are collected from your browser and scored on our servers to distinguish humans from automated threats. These signals are retained in pseudonymized form -- with IP addresses cryptographically hashed -- for up to 12 months to detect bots and continually improve our defenses against them, under a legitimate-interest basis (security and fraud prevention) recognized by the Saudi Personal Data Protection Law (PDPL). No tracking cookies or cross-site profiles are created.
Data Protection
We apply industry-standard encryption for all data at rest and in transit. Passwords are protected using modern, secure hashing algorithms. Our systems undergo regular security assessments to identify and address potential vulnerabilities.
Encryption
Industry-standard encryption at rest and in transit for all customer data and system communications.
Privacy by Design
No tracking cookies, no cross-site profiling. Behavioral signals are scored on our servers and retained in pseudonymized form (with IP addresses hashed) for up to 12 months for bot detection and the continual improvement of our defenses, then automatically deleted.
Data Residency
All GateKeeper infrastructure is hosted in Riyadh, Saudi Arabia. Your data never leaves the Kingdom. This ensures full compliance with Saudi data residency requirements and the Personal Data Protection Law (PDPL).
- All data processing and storage occurs within Saudi Arabia
- Virtual Cloud Network with private subnets and least-privilege access
- Web Application Firewall for DDoS protection
- No public network access to data stores
Compliance
| Standard | Status |
|---|---|
| PDPL (Saudi Personal Data Protection Law) | Compliant |
| WCAG 2.2 AA (Accessibility) | Compliant |
| SAMA Cyber Security Framework | Aligned |
| NCA Essential Cybersecurity Controls | Aligned |
Data Retention
We retain data only as long as necessary for its intended purpose. Audit logs are retained for 365 days. Behavioral verification signals are collected and scored server-side, then retained in pseudonymized form (with IP addresses cryptographically hashed) for up to 12 months to detect bots and improve our detection models, after which they are automatically deleted. Full details on our data retention periods and lawful basis are available in our Privacy Policy.
Incident Response
We maintain a structured incident response process to detect, contain, and resolve security incidents swiftly.
- Detection: Continuous automated monitoring and alerting for anomalous activity.
- Containment: Rapid isolation of affected systems to prevent further impact.
- Investigation: Root cause analysis to determine scope and origin of the incident.
- Remediation: Fixing vulnerabilities and restoring normal service operations.
- Notification: Affected users are informed within 72 hours, in compliance with PDPL requirements.
- Post-Incident Review: Lessons learned are documented and procedures are updated.
Vulnerability Reporting
If you discover a security vulnerability, we encourage responsible disclosure. Please report it to our security team so we can address it promptly.
Security Team: security@gatekeeper.sa
Please include detailed steps to reproduce the vulnerability. We respond to all reports within 48 hours and will work with you to resolve the issue.
Contact
For security-related inquiries:
Security Team: security@gatekeeper.sa
General Inquiries: support@gatekeeper.sa
Location: Riyadh, Saudi Arabia