At a Glance
| Topic | Position |
|---|---|
| Headquarters | Hong Kong SAR |
| Years operating | Since 2017 |
| Markets served | 12 |
| Data sale / sharing for advertising | None |
| Third-party advertising or social trackers on the Site | None |
| Cookies set on the marketing Site | 4 (all first-party) |
| AI vendor training on Customer data | Contractually prohibited |
| Encryption at rest | AES-256 |
| Encryption in transit | TLS 1.2+ |
| Multi-factor authentication on admin accounts | Required |
| Public DPA template | /dpa |
| Public sub-processor list | /subprocessors |
| Vulnerability disclosure | security@headgatetech.com + /.well-known/security.txt |
| Status page | status.headgatetech.com |
| Personal data breach SLA to clients | Within 24 hours of confirmation |
| Personal data breach SLA to regulators | Within 72 hours where required |
| Certifications | SOC 2 Type I in progress (target); selected vendors hold SOC 2 Type II / ISO 27001 |
| Accessibility | WCAG 2.2 AA — partially conforms (statement) |
Information Security
A layered set of controls — encryption, access, monitoring, vendor due diligence, and incident response — designed to protect Personal Data and Confidential Information end-to-end.
2.1 Encryption
- In transit: TLS 1.2 or higher with strong cipher suites; HSTS enabled on headgatetech.com
- At rest: AES-256 or equivalent for all systems holding Personal Data
- Key management: Reputable cloud KMS with role-based access; keys rotated on a defined schedule; HSM-backed where supported
2.2 Access Control
- Need-to-know: Access to client environments is named, time-bounded, and logged
- MFA: Required on all administrative accounts and on accounts with access to Personal Data
- Least privilege: Role-based access controls (RBAC); periodic access reviews
- Joiner / mover / leaver: Documented process; access revoked at engagement end and at offboarding within one (1) business day
- Single sign-on (SSO): Used wherever supported by the underlying tool
2.3 Endpoint Security
- Centrally managed devices (mobile device management)
- Full-disk encryption on every endpoint
- Remote wipe enabled
- Approved-software baseline; unauthorized installs blocked or alerted
2.4 Network and Application Security
- Hardened cloud infrastructure (vendors selected for SOC 2 Type II or ISO 27001)
- Segmented networks by environment and by client where applicable
- Web application firewall on the marketing Site
- DDoS mitigation via CDN provider
2.5 Logging and Monitoring
- Tamper-evident audit logs of access to Personal Data
- Monthly log reviews by the security team
- Engagement close-out audits before access is revoked
- Anomalous-activity alerts on critical systems
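"Tamper-evident" in the list above means that a past log entry cannot be edited, reordered or deleted without the change being detectable on verification. The usual construction is a hash chain: each entry commits to the digest of the one before it, and the latest digest is published out of band as a checkpoint so that silently dropping the tail is caught too. The block below is an added example written for this page, not HEADGATE's code. It assumes a MAC key held outside the log store (for instance in the KMS named in 2.1); the log entries, actors and record identifiers are constructed.

```python
"""Hash-chained, MAC-protected audit log.

Added example, not HEADGATE's code. Every entry commits to the previous
entry's MAC, so editing or deleting an earlier entry breaks the chain at that
point. Truncating the tail is only detectable against a checkpoint (the last
MAC) stored somewhere the log writer cannot rewrite. The key is assumed to
live in a KMS, not beside the log; if an attacker holds both, they can
re-chain the log and this scheme proves nothing."""
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # prev pointer of the first entry


def _canonical(entry: dict) -> bytes:
    # Sorted keys, no whitespace: the same event always serialises identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append(log: list, key: bytes, actor: str, action: str, record: str, ts: str) -> dict:
    """Append one access event, chained to the previous entry's MAC."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor, "action": action,
            "record": record, "prev": prev}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    log.append(body)
    return body


def verify(log: list, key: bytes, anchor: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    If `anchor` (the last MAC, published out of band) is given, a chain that
    is internally consistent but shorter than the anchored log reports index
    len(log): the tail was truncated."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return i  # reordered, inserted or deleted entry
        expect = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, entry.get("mac", "")):
            return i  # contents edited after the fact
        prev = entry["mac"]
    if anchor is not None and prev != anchor:
        return len(log)
    return None


def build_sample_log(key: bytes) -> list:
    """Constructed sample: three accesses to Personal Data records (not real data)."""
    log: list = []
    append(log, key, "alice@example.com", "read", "crm/contact/1042", "2025-03-01T09:00:00Z")
    append(log, key, "bob@example.com", "export", "crm/segment/eu-leads", "2025-03-01T09:05:00Z")
    append(log, key, "alice@example.com", "delete", "crm/contact/1042", "2025-03-01T09:07:00Z")
    return log


def demo() -> dict:
    """Run verify() against an intact log and three kinds of tampering."""
    key = b"constructed-demo-key-would-live-in-kms"  # assumption: fetched from KMS at runtime
    log = build_sample_log(key)
    anchor = log[-1]["mac"]  # checkpoint published out of band after the last write
    results = {"intact": verify(log, key, anchor)}

    edited = copy.deepcopy(log)
    edited[1]["actor"] = "carol@example.com"  # rewrite who performed the export
    results["edited"] = verify(edited, key, anchor)

    dropped = copy.deepcopy(log)
    del dropped[1]  # hide the export entirely
    results["dropped"] = verify(dropped, key, anchor)

    truncated = copy.deepcopy(log)[:2]  # lop the delete off the tail
    results["truncated_no_anchor"] = verify(truncated, key)
    results["truncated_with_anchor"] = verify(truncated, key, anchor)
    return results


if __name__ == "__main__":
    for name, bad_index in demo().items():
        print(f"{name:22s} -> {'ok' if bad_index is None else f'broken at entry {bad_index}'}")
```

The last two results are the point worth noting for a monthly log review: without the published checkpoint a truncated log verifies clean, so the review should compare the stored tail against the checkpoint recorded at the previous review.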
2.6 Vulnerability Management
- Periodic vulnerability scanning of HEADGATE infrastructure
- Patching SLAs: Critical within 7 days, High within 30 days, Medium within 60 days
- Annual review of security controls
- External penetration test cadence:
2.7 Backup and Disaster Recovery
- Encrypted backups with defined retention and rotation
- Documented business-continuity and disaster-recovery procedures
- Recovery-time objective (RTO) and recovery-point objective (RPO) available to clients on request under NDA
Privacy
Privacy is engineered in, not bolted on. We collect what we need, name our vendors, give you control over your data, and we're explicit about how international transfers work.
- Privacy Policy: /privacy — including PDPO, GDPR, UK GDPR, CCPA/CPRA, FADP, and AI processing sections
- Cookie Policy: /cookies — 4 first-party cookies, no third-party trackers
- Data Processing Agreement: /dpa — public template incorporating EU SCCs, UK Addendum, Swiss Addendum
- Sub-processor list: /subprocessors — current vendor list with country, transfer mechanism, DPA reference
- International transfers: EU SCCs (Decision 2021/914) Module 2 / Module 3, UK IDTA, Swiss Addendum; Transfer Impact Assessments completed for Hong Kong as a destination jurisdiction
- Data subject rights: Submit at privacy@headgatetech.com; 30-day response (45 days for CCPA/CPRA) with reasonable extensions
- Global Privacy Control: Honored
- Data sale / cross-context behavioral advertising: None
AI Governance
We use AI tools, but do not let them train on your data without your written consent. We tell you which tools are involved. We follow Hong Kong's PCPD AI framework and the EU AI Act's transparency rules.
- AI vendors used for content production, audience modeling, and on-site assistants are listed in the sub-processor page
- All AI vendors we use are contractually committed not to train, retrain, or fine-tune their models on Customer Personal Data; if a vendor cannot make that commitment, we obtain Customer's written consent before use
- We apply human review to AI-generated outputs before delivery
- We disclose AI involvement in deliverables where required by Article 50 of the EU AI Act, applicable PDPO requirements, your reasonable instructions, or industry best practice
- We maintain internal records of AI tools used, data flows, and safeguards, in alignment with the PCPD 2024 Model Personal Data Protection Framework for AI Use
Personnel Security
Our team is bound to confidentiality, trained on privacy and security, and screened where the law allows.
- Background checks where permitted by law
- Confidentiality and data-protection clauses in every employment and contractor agreement
- Engagement-specific NDAs at the workspace and document level
- Mandatory privacy and security training on onboarding and annually thereafter
- Tabletop exercises on incident response
Vendor Management
We vet our vendors and we don't onboard one without a security and privacy review.
- Vendor due-diligence screen before onboarding (security questionnaire, certifications, DPA review, transfer-mechanism review)
- Preference for vendors with SOC 2 Type II, ISO/IEC 27001, or equivalent certifications, plus regional data-residency options
- Quarterly review of the sub-processor list
- 30-day public notice for material sub-processor changes
- Right of clients to object on data-protection grounds
Incident Response
A written plan, named owners, fast notification, and a post-incident report within 14 days.
| Stage | Action |
|---|---|
| Detection | Alert via monitoring, vendor notification, or human report |
| Triage | Incident coordinator assesses severity within 2 hours |
| Containment | Compromised credentials rotated, affected systems isolated |
| Notification | Affected clients within 24 hours of confirmation; regulators within 72 hours where required by GDPR / UK GDPR / CCPA / state breach laws |
| Eradication | Root-cause analysis; remediation deployed |
| Recovery | Systems restored from clean state; access reissued |
| Post-incident report | Delivered within 14 days; includes root cause, corrective actions, and lessons learned |
Vulnerability Disclosure
If you find a security issue, please tell us. We commit to acknowledging reports within 5 business days, triaging within 10, and not pursuing legal action against good-faith researchers.
We welcome responsible disclosure of security issues from researchers and the public.
- Contact: security@headgatetech.com
- Encryption: PGP key available at /.well-known/security.txt
- Scope: All *.headgatetech.com domains and the production marketing Site
- Out of scope: Third-party services (please report to those vendors directly), social-engineering attempts, denial-of-service testing, physical security
- Acknowledgment: Within 5 business days
- Triage: Within 10 business days
- Resolution: Tracked through our standard patch SLAs (Critical 7 days, High 30 days, Medium 60 days)
- Safe harbor: We will not pursue legal action against researchers who act in good faith, do not access Personal Data beyond what's necessary to demonstrate the issue, and disclose responsibly
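A security.txt file is only useful if it stays well-formed and current: RFC 9116 requires at least one Contact, exactly one Expires (an RFC 3339 timestamp that must not be in the past and should be no more than a year out), and https-only web URIs. The validator below is an added example written for this page, not HEADGATE's code, and the two files it checks are constructed samples under example.com, not the real /.well-known/security.txt on headgatetech.com. It takes the current time as a parameter so the checks are reproducible.

```python
"""Validator for /.well-known/security.txt (RFC 9116).

Added example, not HEADGATE's code. The sample files below are constructed.
Field names are case-insensitive; extension fields are permitted by the RFC
and are deliberately not flagged."""
import re
from datetime import datetime, timedelta, timezone

URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def parse(text: str) -> dict:
    """Group field values by lower-cased name; keep lines without a colon for reporting."""
    fields: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            fields.setdefault("__malformed__", []).append(raw)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check(text: str, now: datetime) -> list:
    """Return a list of problems; an empty list means the file passes."""
    f = parse(text)
    problems = [f"malformed line (no colon): {bad!r}" for bad in f.pop("__malformed__", [])]

    contacts = f.get("contact", [])
    if not contacts:
        problems.append("missing required field: Contact")
    for c in contacts:
        if not URI_SCHEME.match(c):
            problems.append(f"Contact is not a URI (use mailto:/tel:/https:): {c}")
        elif c.lower().startswith("http://"):
            problems.append(f"Contact web URIs must use https: {c}")

    exp = f.get("expires", [])
    if len(exp) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(exp[0].replace("Z", "+00:00").replace("z", "+00:00"))
            if when.tzinfo is None:
                problems.append(f"Expires must carry a time zone: {exp[0]}")
            elif when <= now:
                problems.append(f"file expired at {exp[0]}")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends at most one year)")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {exp[0]}")

    for e in f.get("encryption", []):
        if not e.lower().startswith(("https://", "openpgp4fpr:", "dns:")):
            problems.append(f"Encryption must be an https://, openpgp4fpr: or dns: URI: {e}")
    for c in f.get("canonical", []):
        if not c.lower().startswith("https://"):
            problems.append(f"Canonical must be an https:// URI: {c}")
    if len(f.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    return problems


# Constructed sample that should pass.
GOOD = """\
# Constructed sample, not a real security.txt
Contact: mailto:security@example.com
Contact: https://www.example.com/security
Expires: 2026-01-31T00:00:00Z
Encryption: https://www.example.com/pgp-key.txt
Preferred-Languages: en, zh
Canonical: https://www.example.com/.well-known/security.txt
Policy: https://www.example.com/security-policy
"""

# Constructed sample with three common mistakes: bare e-mail address instead of a
# mailto: URI, an expiry in the past, and a plain-http key URL.
BAD = """\
Contact: security@example.com
Expires: 2024-12-31T23:59:59Z
Encryption: http://www.example.com/pgp-key.txt
"""


def demo(now: datetime = datetime(2025, 6, 1, tzinfo=timezone.utc)) -> tuple:
    return check(GOOD, now), check(BAD, now)


if __name__ == "__main__":
    good, bad = demo()
    print("GOOD:", good or "passes")
    for p in bad:
        print("BAD: ", p)
```

Run it against a fetched copy of your own file from a cron job and alert on a non-empty result; an expired security.txt is one of the more common reasons a disclosure never arrives.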
Service Availability
We don't run a SaaS product, but our marketing Site and client-facing collaboration tools have stability targets and a public status page.
- Public status page: status.headgatetech.com
- Site availability target: 99.9% monthly (marketing Site)
- Client-facing tools: Underlying SLAs governed by the relevant vendors (e.g., Google Workspace, Slack); see sub-processor list
- Maintenance windows: Announced in advance via the status page
Compliance Posture
Where we stand on the certifications and frameworks our larger clients ask about.
| Framework | Status |
|---|---|
| Hong Kong PDPO (Cap. 486) | Compliant; six Data Protection Principles addressed |
| GDPR / UK GDPR | Article 28 alignment via published DPA; SCCs / IDTA in place; Article 27 representative |
| Swiss FADP | Swiss Addendum to SCCs in place |
| CCPA / CPRA | Compliant for California residents; "Do Not Sell or Share" link in footer; service-provider/contractor certification in DPA |
| ISO/IEC 27001 | Not certified; controls aligned with the standard's domains |
| SOC 2 Type I | In progress (target) |
| SOC 2 Type II | Roadmap — following Type I |
| PCPD 2024 Model AI Framework | Aligned |
| EU AI Act | Article 50 transparency obligations honored |
| WCAG 2.2 AA | Partially conforms (statement) |
Documents and Resources
One spot to find everything else.
- Privacy Policy
- Cookie Policy
- Terms of Service
- Data Processing Agreement template
- Sub-processor list
- Accessibility Statement
- Security disclosure (security.txt)
- Status page
For documents requiring a non-disclosure agreement (security questionnaires, internal policies, audit reports) please contact security@headgatetech.com.
Contact
| Topic | Contact |
|---|---|
| General | hello@headgatetech.com |
| Privacy / data subject rights | privacy@headgatetech.com |
| Security disclosures | security@headgatetech.com |
| Accessibility | accessibility@headgatetech.com |
| Legal notices | legal@headgatetech.com |
| Postal | HEADGATE TECHNOLOGY LTD, Suite C, Level 7, 50 Stanley Street, Central, Hong Kong |