Where it lives, who can touch it, how we protect it, and what happens if something goes wrong. Plain-language summary of our security posture.
Your client data is the most sensitive thing we touch. We treat it accordingly — with hardened infrastructure, narrow access, encryption in transit and at rest, and a documented incident response process.
This page summarizes our security posture in plain language. For detailed security documentation, SOC 2 status, or to request our Trust Center, email audit@grainmethod.com.
Client data is stored in segregated environments per client. We use industry-standard cloud infrastructure (US-based regions) with encrypted storage and dedicated environments for each client account.
We do not commingle data across clients. Each client's Mission Control dashboard runs on its own isolated subdomain with its own database scope.
[PLACEHOLDER: Specific cloud provider, region, encryption standards.]
Access to production data is limited to the GRAIN operations team, requires multi-factor authentication, and is logged.
[PLACEHOLDER: Specific access policy and audit retention periods.]
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Encryption keys are managed through a dedicated key management service with rotation on a regular schedule.
[PLACEHOLDER: KMS provider details and rotation schedule.]
We back up all client data on a daily schedule with point-in-time recovery available for the past 30 days. Backups are encrypted, stored in a separate region from primary storage, and tested quarterly.
[PLACEHOLDER: RPO / RTO targets, DR testing cadence.]
We use a small number of vetted subprocessors to deliver the service. Each has a signed data processing agreement and is reviewed periodically. A current list is available on request.
[PLACEHOLDER: Public subprocessor list — link to live page.]
If we discover a security incident affecting your data, we will notify you within 72 hours of confirming the incident, telling you what we know, what we don't know, and what we're doing about it.
Our incident response procedure is rehearsed regularly and includes coordination with law enforcement where required.
[PLACEHOLDER: Notification timeline by jurisdiction, severity classification.]
If you've discovered a potential security issue with our service, please email audit@grainmethod.com with details. We respond to all good-faith reports within 24 hours.
We do not currently run a public bug bounty program, but we welcome responsible disclosure and will acknowledge contributors.
Honest answers, plain language, no run-around. We'd rather over-explain than leave room for confusion.