At Gruntify, the protection of our customers' data is of utmost importance. We take a range of measures to ensure that our customers' data is safeguarded at all times.
Access to Customer Data
To protect against unauthorized access to customer data, we have implemented multiple security measures. Access to customer data is limited to only those employees who require it to perform their standard duties. We use access control and authentication tools to secure customer data. Customer data is only used for the purposes that are necessary to provide the contracted services, such as technical support requests. We do not store or cache customer financial data related to billing through the Gruntify platform, and our employees do not have direct access to this data.
Physical Access to Customer Data
Customer data is hosted on infrastructure provided by Microsoft Azure, which maintains physical security of its sites using industry best practice controls. Our physical office locations do not store any customer data, and physical access to Gruntify facilities is restricted using appropriate access control and identification mechanisms. A review of physical access rights is performed periodically to check current access appropriateness and remove access that is no longer required.
Deletion and Disposal of Data
At Gruntify, we have strict procedures for deleting and disposing of customer data. Disposal of customer data will be carried out in accordance with the contractual agreement between Gruntify and the customer. In the absence of any contractual agreement, an automatic script or manual script (for ad-hoc requests) can be initiated on any Gruntify platform containing customer data. This activates a full hard delete of customer data on the platform. Any hardware owned by Gruntify that contains confidential data, including Gruntify backups, undergoes industry standard logical data destruction before recycling.
Internal Organizational Security
At Gruntify, we understand that security is paramount in everything we do. That's why we align our approach to security with best practices and recognized standards such as GDPR, CCPA, COPPA, ISO27001, PCI-DSS, and SOX frameworks. Our commitment to security starts with our governance policies, which are documented, shared with all staff, and reviewed regularly to ensure we stay current. We believe accountability for security should be embedded throughout the organization.
Gruntify’s Architecture Diagram
All Gruntify personnel undergo regular security awareness training to ensure they are equipped to handle specific security-oriented challenges and comply with all regulatory aspects of their role. As part of compliance, Gruntify completes Data Protection Impact Assessments (DPIAs) as per the regulatory requirements in Article 35 of the GDPR to identify and minimize the data protection risks of all Gruntify projects and processes. Access to Gruntify’s network, systems and communications is logged and monitored to assist with identifying potential misuse of systems or information. Logging activities include regular monitoring of system access to prevent attempts at unauthorized access and confirm access control systems are effective. Log servers and documents are kept secure and only made available to authorized personnel. These logs are retained for as long as the applicable regulations require.
We prioritize patching of our IT environment to stay secure against potential security breaches. Our devices are secured with endpoint security technologies to detect and prevent security threats. Access to our internal systems and cloud platforms is restricted to employees who require it for their role. Access permissions are regularly reviewed on an employee-by-employee basis, and all access for departing employees is promptly revoked.
At Gruntify, we understand that our customers' primary experience with us is through our products. That's why security is a critical aspect of the way we develop and operate our products.
Secure software development practices ensure the security of our products: every code and infrastructure change undergoes a thorough review before release into production. This review includes observance of security best practices. We also maintain strict segregation between our development, test, and production environments. We actively test all changes to Gruntify products during development to evaluate the impact on end-users prior to deployment. Any significant changes are included in the production release notes.
We employ change tracking and version control systems to monitor and manage changes to the code base and configuration of our infrastructure. Automated processes are used to deploy changes to our environments, and we can revert changes as needed. We also use Azure DevOps to track any underlying configuration changes to the cloud platform on which our products operate.
At Gruntify, we take the security of our customers' data seriously and have implemented these measures to ensure the highest level of security for our products.
Security Incident Handling
At Gruntify, we understand that security incidents can happen despite our best efforts to prevent them. That's why we have comprehensive measures in place to minimize the potential impact on our customers and our organization.
Our documented Incident Management Procedure outlines our process for ensuring the confidentiality, integrity, and availability of our IT environment and products. In the event of an incident, Gruntify critically identifies, contains, investigates, and remediates any security incidents that threaten the security or confidentiality of information assets.
We use multiple geographical availability zones through Microsoft Azure and replicate data across multiple systems in each zone to ensure continued access to data during incidents affecting system availability. This also provides data redundancy in case of system or data storage failures.
We take the security of our customers' data seriously and have implemented these measures to provide peace-of-mind and confidence that we are prepared to handle any security incidents that may arise.