See Gimlet at ALA 2026 - Booth #1524 Learn More

Security & Trust

Gimlet security overview

Gimlet is a hosted library statistics and service-tracking application operated by Sidecar Publications LLC. This page summarizes Gimlet's current approach to security, hosting, privacy, backup and recovery, and incident response for prospective and current clients.

Security summary highlights

  • TLS-protected in transit
  • Hosted on DigitalOcean
  • Backups stored in AWS S3
  • Weekly patching
  • Optional Microsoft Entra ID SSO
  • Privacy Guard available

Intended data profile

Gimlet is intended for low-risk institutional and operational data. It is appropriate for use where access is restricted to authorized staff and employees, but it is not designed for restricted or highly restricted data.

We recommend that clients do not store personally identifiable information, regulated data, or other sensitive confidential material in Gimlet's free-text fields.

Privacy Guard

To reduce risk, Gimlet offers a feature called Privacy Guard. Privacy Guard can periodically remove full-text data from the application while preserving the statistical counts and reporting value that clients need.

Learn more: gimlet.us/support/privacy-guard

Hosting and infrastructure

  • Application hosting: Gimlet is hosted on DigitalOcean infrastructure.
  • Primary hosting location: NYC3 datacenter, New York City, United States.
  • Backups: Database backups are stored in Amazon S3 in the us-east-1 region.
  • Application stack: Gimlet is a multitenant Ruby on Rails application.
  • Tenant separation: Gimlet uses logical tenant separation within its multitenant application architecture.

Encryption and data protection

Data in transit

All data transmitted to and from Gimlet is protected with TLS over HTTPS. The application is configured to enforce secure transport headers, including HSTS.

Data at rest

Customer data is stored in secured production infrastructure. Where enabled by the hosting provider, data at rest is protected using provider-managed encryption for storage volumes and backup snapshots, typically using AES-256.

Data in use

Gimlet protects data in use through application authentication, authorization, least-privilege administrative access, and secured production infrastructure. Gimlet does not currently claim confidential-computing or hardware-based memory-encryption features such as SEV-ES.

Access control and authentication

Access to Gimlet is restricted to authorized users within each subscribing organization. Gimlet supports account-based access control and separate privileged accounts.

Microsoft Entra ID Single Sign-On is available at Gimlet's Max tier.

Gimlet is intended for staff-facing use. Clients are responsible for configuring internal account provisioning and managing who should have access within their organization.

Monitoring, patching, and operational security

  • A minimal set of services is installed on production servers.
  • Systems are patched on a weekly basis.
  • HTTPS access is restricted through a load-balancing firewall.
  • UFW is installed and running.
  • System configuration is managed through Ansible.
  • Application uptime, exception tracking, and related operational signals are monitored using third-party services.

Current operational support vendors include AppSignal, UptimeRobot, and Fathom Analytics.

Backups, recovery, and continuity

Gimlet maintains hourly and nightly database snapshots in cloud infrastructure. Backup and disaster recovery workflows are designed to support restoration of service onto a new virtual machine through automation.

Clients may export their data from Gimlet at any time.

Incident response

Sidecar Publications LLC maintains an incident response process for Gimlet. If an incident is detected that may affect client information or interconnected systems, affected clientele will be notified promptly upon onset of the incident.

As appropriate to the event, Sidecar Publications LLC will share diagnosis, remediation status, and root-cause or post-mortem information after investigation and resolution.

Security testing and assurance

Gimlet uses dependency and vulnerability monitoring as part of its security practice, including GitHub Dependabot alerts and routine maintenance. Weekly vulnerability scanning has also been part of prior customer questionnaire responses.

Gimlet is operated by a small company and should not be presented as having the same enterprise security program, staffing model, or certification portfolio as a large cloud vendor. We aim to be clear and accurate about the controls we do have in place.

Insurance and company profile

Sidecar Publications LLC is a small company operated by two co-founders. Gimlet has served libraries for many years and maintains cyber insurance and errors & omissions coverage.

Gimlet is designed for practical, staff-facing operational use in libraries and related institutions, with an emphasis on clarity, low overhead, and responsible handling of lower-risk data.

This page is intended to provide a practical summary for prospective and current clients conducting vendor review. Clients with additional questions may contact Sidecar Publications LLC for follow-up.

Gimlet · Made in Minnesota and Wisconsin, USA