Investing in Your Privacy

  • Our Legal team partners with our developers and engineers to make sure our products and features comply with applicable international spam and privacy laws.
  • We retain a law firm in the Austria to consult on EU privacy issues.
  • We undergo annual verification with a U.S. based third party-outside compliance reviewer under the Privacy Shield verification program. 
  • Our corporate attorneys and Legal Compliance Manager are active members of the International Association of Privacy Professionals (IAPP) and collectively hold the certifications of CIPP/USCIPP/G, and CIPP/E.

Protecting Ourselves Against You

Yes, you heard that correctly. We can secure ourselves like Fort Knox, but if your computer gets compromised and someone gets into your Gustaffo account, that’s not good for either of us.

    • We monitor and will automatically suspend accounts for signs of irregular or suspicious login activity.
    • Certain changes to your account, such as to your password, will trigger email notifications to the account owner.
    • We monitor accounts and campaign activity for signs of abuse.
    • In addition to our scalable algorithms, we employ another layer of human reviewers, who monitor for anomalous account and email activity.
    • We make 2-Factor Authentication available to our customers and offer a discount on accounts that engage this feature.
    • We provide the ability to establish tiered-levels of access within accounts.


    Responsible disclosure program

    Gustaffo digital service GmbH is committed to ensuring the security of our services and customer information. As part of this commitment, we encourage security researchers to contact us to report any potential weaknesses identified in any product, system, or asset belonging to Gustaffo digital service GmbH. This program isn’t intended to represent a public bug bounty program and we make no offers of reward or compensation for submitting potential issues. We appreciate your commitment to improving Gustaffo services.


    Responsible disclosure guidelines

    Security Researchers will disclose potential weaknesses in compliance with the following guidelines:


      • Share the security issue with us before making it public (e.g., on message boards, mailing lists, or other forums).
      • Wait until we provide you notification that the vulnerability has been resolved before you disclose it to third parties. We’re focused on the security of our customers and our systems, and some vulnerabilities take longer than others to address.
      • Provide a clear, concise description of the steps needed to reproduce any vulnerability you submit.
      • Provide the complete details related to the security issue, including proof-of-concept (POC) URL, as well as the details of the system(s) where tests have been conducted.


        • Don’t cause harm to Gustaffo, its customers, shareholders, partners or employees.
        • Don’t engage in any act that may cause an outage or stop any of Gustaffo’s services.
        • Don’t engage in illegal activities or any acts that violate any international laws or regulations, or federal or state laws or regulations.
        • Don’t store, share, compromise or destroy any Gustaffo data or customer data while conducting research activities. If personally identifiable information (PII) is encountered, you are required to stop and immediately notify Gustaffo.
        • Don’t conduct fraudulent activity or complete fraudulent financial transactions as part of your research.


        Out-of-scope vulnerabilities

        The following types of vulnerabilities are out of scope for this program:

          • Phishing
          • Social engineering
          • Physical security assessments
          • Any form of denial of service (DoS) attack

          Submission Guidelines

          All potential weaknesses submitted must include enough information to reproduce and validate the issue. Documentation should include a detailed summary of the issue, targets, steps performed, screenshots, tools utilized, and any information that will help Intuit during triage.

          By following these guidelines and responsibly disclosing any security weaknesses directly to Gustaffo, we agree not to pursue legal action against you. Gustaffo reserves its legal rights in the event of noncompliance with program guidelines.

          Gustaffo will review and promptly acknowledge any submitted issue within three business days of submission via email at [email protected]