Security Statement

ISO 27001 - Automated by Drata

Introduction

At Gridly, we would rather sacrifice everything than compromise on security. We believe that security is not an obstacle but a supporting force as we move forward in building a safe and convenient platform for our customers.

Gridly is built on a cloud services provider holding top security certifications, which provides security, reliability, availability, and performance at the highest level. We strictly follow the latest security rules and practices, both in product development and in organizational processes. We constantly keep up with the latest security trends, issues and lessons learned. We are transparent in security management and welcome all external security audits.

We are pleased to answer your security queries. We can also provide detailed document samples and processes upon request. Please contact us for further information.

Compliance & Policy

Gridly is hosted on Amazon AWS in Frankfurt, Germany, with proxy layers distributed globally (United States, Hong Kong, Sydney, Tokyo, Canada). AWS holds various security certifications, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, FISMA, DIACAP, FedRAMP, DOD CSM Levels 1-5, PCI DSS Level 1, ISO 9001 / ISO 27001, ITAR, FIPS 140-2 and MTCS Level 3.

Besides the benefits provided by AWS, Gridly has additional built-in security features:

  • Two-Factor Authentication
  • Single Sign-On via SAML 2.0
  • REST API Authentication (API Key)
  • Role-based permissions
  • IP allowlist (Enterprise-only)

Gridly is compliant with the EU General Data Protection Regulation (GDPR). We use a PCI DSS Level 1 certified provider for our payment gateway.

We are working on ISO 27001 certification of our Information Security Management System (ISMS) and expect to complete the certification in early 2025.

Organization

We have processes and practices in place to ensure a security mindset across the organization. We also maintain documented guidelines, policies, and disciplinary actions. Some of these include:

  • Information Security Policy
  • Security Awareness & Training Activity
  • Data Protection Officer (DPO)
  • Periodic training courses on Data Protection and Data Security in practice, and technical training on topics such as SSL, MFA, VPN, SSH key pairs, Apple iCloud, CVEs, firewalls, digital fingerprinting, AWS IAM, AWS Security Groups and so on.

We have a background-check process for candidates when hiring, as well as onboarding and offboarding plans.

We welcome external security assessments and have already been verified by external firms, who are also among Gridly's biggest customers, with clean results.

Risk Management

We have a Risk Management Plan in place, which covers the assets most critical to Gridly's functioning, the assessment of risk sources and risk levels, and action plans.

This document is live and is continuously updated.

Access Control

We have an Access Plan that applies to all of our staff, visitors, contractors, interns, etc., and we track all access granted in Access Registers.

We manage access with Role-Based Access Control (RBAC), applied both across the organization and inside Gridly, following the principle of least privilege.

All physical access and equipment are tracked and can be revoked.

Hardware that can store data is managed, with storage encryption turned on by default.

Data Security

All Gridly customer data is located in the AWS cloud. We build multi-tenant databases to isolate customer data and enhance security. We use AWS Config and Terraform infrastructure as code (IaC) to maintain a complete inventory of our infrastructure. Customer data is stored in no other additional system.

We have a Data Destruction Plan document and checklist for the disposal or destruction of data.

We have processes for terminating/canceling employment contracts, returning company devices and equipment, and signing a confidentiality agreement before leaving. When offboarding employees, we also wipe/erase storage and reset NVRAM to securely sanitize information media and assets.

We have 2 types of backup and restore:

  • Application-level backups, which can be triggered at any time as needed by the customer.
  • Infrastructure-level backups, taken twice a day.

Printers are accessible only to the HR team, not to engineers & developers. Paper documents are destroyed with a shredder.

Whiteboards must be wiped before leaving the meeting room.

Protective Technology

We have 2 layers of encryption:

  • The database layer is encrypted with the AES-256 algorithm via AWS KMS
  • Connections between the application and the database are secured using TLS

We also apply encryption on:

  • The storage layer on all AWS servers & services
  • The backup layer

All Gridly virtual servers & computing units on AWS run on Linux distributions and are protected by best-practice firewall/security group configurations based on the Security Pillar of the AWS Well-Architected Framework.

All Gridly servers, databases, and services are provisioned and deployed within internal AWS VPC networking. We have implemented several security groups/firewalls to protect data, and we keep track of activity using AWS VPC Flow Logs and CloudTrail.

We have built centralized endpoints for production connections, with automatic session logging and auditing. Access to them is granted only to DevOps engineers and core backend engineers, and only when needed for incident response and hotfixes.

We have a Change Management process to review and decide on any process or infrastructure changes.

For network segregation, development environments are provisioned and deployed in AWS accounts separate from production, and we have a dedicated IAM account for the operations team.

We run on-demand scanning on every push event of a Docker image to our AWS ECR repository.

  • Our detection roadmap also includes SonarQube and Datadog ASM for scanning at the codebase layer and the runtime layer.

Security Monitoring

We have 3 layers of security scanning:

  • Automatic scanning on every push of a Docker image to AWS ECR, using ECR enhanced scanning
  • Regular security scanning using Burp Suite/ZAP every 3 months
  • Automatic scanning & recommendations on infrastructure configuration via AWS Security Hub, CloudTrail and AWS Config

We proactively monitor the latest security threats. When we receive CVE reports, we acknowledge them immediately, announce them to customers and work on patches within 48 hours.

We enforce a strict policy of single sign-on access, MFA, and strong passwords for all endpoints, including cloud endpoints & environments.

We use WireGuard VPN to restrict and secure remote access to internal resources and customer data.

We have a Quick Action team to respond to all incidents raised internally, by customers, or by third-party services. We also subscribe to online security bulletin boards and groups.

We monitor our environment carefully across multiple tools for performance, requests, and access. Our monitoring tools include:

  • AWS CloudTrail for logging, continuously monitoring, and retaining account activity across our AWS infrastructure, tracking changes in resources, and troubleshooting/analyzing security risks.
  • AWS Config for continuously monitoring, auditing, and evaluating configurations on AWS.
  • In-house services: a gateway, an error tracking system & a logging system for storing and notifying about security issues, built on Nginx, Sentry, Grafana Loki & notification rules.

For external-facing networks, we monitor and detect malicious traffic automatically.

Notifications are sent to the responsible Gridly employees. Our API gateway service also has a prevention layer for terminating malicious requests before they reach our microservices.

Incident Management

Although we have never had any security incidents, we always prepare for all situations. We document all internal procedures for handling production incidents.

We are always ready for and proactive about incidents, and we share details on our online status page.

We will notify all customers when a security issue occurs:

  • Directly via email
  • Details & status updates on https://status.gridly.com/
  • A timeframe for when and how long the patch will be applied.

SaaS Security

Access to the solution's internal network is only possible via WireGuard VPN, combined with public/private key pair authentication over Secure Shell (SSH).

All internal and external endpoints use HTTPS with SSL/TLS certificates that are renewed automatically.

We enforce MFA on all external endpoints and require VPN and permission for access.

For SSO customers, we provide a wide range of integration options:

  • Roles at the company level and the project level.
  • Data-access permissions and functional permissions. We support SSO login/registration with Google.
  • We also support SAML SSO; currently we support Okta and Azure. More details are available under SAML SSO.
  • More details can be found under Company Roles, Project Roles, Company Groups and Company settings at https://help.gridly.com/company-setup

For data destruction, we have internal procedures to remove accounts & related data at both the application layer and the infrastructure layer, following our Data Destruction guidelines.

Business Continuity

We continuously apply the Chaos Model in development, which strengthens the system and ensures it keeps working properly if some part of the infrastructure becomes unavailable.

For backups, we have 2 types: at the application level and at the infrastructure level.

We can provide suitable business continuity plans upon request.