Security & Trust

Protecting your data is foundational to everything we build. Here's how we keep your information safe.

At Griot, security is not an afterthought — it is woven into our platform architecture, development practices, and operational processes. We are committed to maintaining the highest standards of data protection for our customers and their data.

1. Infrastructure & Hosting

The Griot platform is hosted on Google Cloud Platform (GCP), leveraging enterprise-grade infrastructure with built-in redundancy and high availability.

  • Hosted on GCP with SOC 2 Type II certified data centers
  • Infrastructure managed as code for consistency and auditability
  • Managed database and compute services with automatic patching
  • Network segmentation and firewall rules to minimize attack surface
  • Automated scaling to ensure availability during traffic spikes

2. Encryption

All data is encrypted both in transit and at rest to protect against unauthorized access.

  • In transit: All communications are encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections to the Griot platform.
  • At rest: All stored data is encrypted using AES-256, the industry standard for protecting data at rest.
  • Key management: Encryption keys are managed through Google Cloud KMS with automatic key rotation.

3. Tenant Isolation

Griot is a multi-tenant platform with strict logical isolation between customers.

  • Each customer's data is logically isolated with separate data namespaces
  • No cross-tenant data access is possible — all queries are scoped to the authenticated tenant
  • Tenant identifiers are enforced at the application and database layers
  • Regular testing to verify isolation boundaries

4. Access Controls

We implement strict access controls at every level of the platform.

Platform access

  • Role-based access control (RBAC) for all platform users
  • SSO and SAML integration available for enterprise customers
  • Passwordless authentication via magic links and OAuth providers
  • Session management with automatic expiry and token rotation

Internal access

  • Principle of least privilege for all team members
  • Multi-factor authentication (MFA) required for all internal systems
  • Regular access reviews with prompt deprovisioning when roles change
  • Privileged access logging and monitoring

5. Application Security

Security is integrated throughout our software development lifecycle.

  • Secure coding practices aligned with the OWASP Top 10
  • Code review required for all changes before deployment
  • Automated dependency scanning to detect and remediate known vulnerabilities
  • Input validation and output encoding to prevent injection and cross-site scripting attacks
  • Regular security assessments and testing

6. Compliance

Griot is committed to meeting the compliance requirements of our customers across jurisdictions.

  • SOC 2 Type II: Our infrastructure provider (GCP) maintains SOC 2 Type II certification
  • GDPR: Our platform and processes are aligned with the requirements of the General Data Protection Regulation. A Data Processing Agreement is available at /dpa
  • Kenya Data Protection Act: Kenya is our primary jurisdiction, and we comply with the Kenya Data Protection Act 2019
  • Data residency: We can discuss data residency requirements for enterprise customers

7. Incident Response

We maintain a documented incident response plan to ensure rapid detection, containment, and resolution of security events.

  • 24/7 automated monitoring and alerting for security anomalies
  • Defined escalation procedures with clear roles and responsibilities
  • Customer notification within 72 hours of a confirmed data breach, as outlined in our Data Processing Agreement
  • Post-incident review and remediation to prevent recurrence

8. Business Continuity

We ensure the availability and resilience of the Griot platform through robust business continuity practices.

  • Automated daily backups with point-in-time recovery capabilities
  • Disaster recovery procedures tested regularly
  • Uptime monitoring with real-time status tracking
  • Geographically distributed infrastructure for resilience

9. Vendor Security

We carefully evaluate and monitor all third-party vendors and sub-processors.

  • Security assessment of all vendors before engagement
  • Contractual security and data protection requirements for all sub-processors
  • Ongoing monitoring of vendor security posture and compliance status
  • A current list of sub-processors is maintained in our Data Processing Agreement

10. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to us so we can address it promptly.

Report a Vulnerability

Email: security@griotdata.com

Please include a detailed description of the vulnerability, steps to reproduce, and any relevant screenshots or proof-of-concept. We will acknowledge receipt within 2 business days and aim to provide an initial assessment within 5 business days.