Grantable Trust Center

Grantable is in compliance with security best practices, has implemented and is monitoring comprehensive controls, and maintains policies to outline its security procedures.

Compliance

Resources

SOC 2 Type II Report
Personnel Security Policy
Change Management Policy
Network Security Policy
Company Handbook

Controls

Password rules enforced
Production access keys restricted and key management services
Access control procedures
Least-privilege access strictly enforced for production infrastructure
Sensitive Data Classification & Access Control
Encryption of data
Secure disposal of electronic media containing sensitive data (PII, ePHI, etc.)
Data Retention and Secure Deletion Policies
Documented security & privacy risk management process
6-year retention of HIPAA documentation
Source code tool
Sample code changes
Outsourced Development Management
Documented secure development and emergency change procedures
Business continuity and disaster recovery testing
Intrusion detection tool
Infrastructure firewall
Infrastructure baseline hardening policy
Network diagram
Incident response procedures documented
Security incident list
Business continuity plans ensure emergency functionality
Alerts and remediation
Whistleblower policy
Log management tool
Vendor management program
Annual risk assessments performed
New employee and contractor agreements
Customer onboarding
Background checks
Background checks performed on contractors
Employee annual performance reports
Multi-availability zones
Automatic Session Timeout Enforcement
Customer termination
Information security policies and procedures
Authorized Communication of Material System Changes
Asset register list

Subprocessors

Supabase (Data Stores & Warehouses)
PostHog (Business Apps & Productivity)

FAQs

Emergency changes that can't follow regular processes due to urgency require immediate attention and discussion with a relevant service manager. Such changes are formally approved retrospectively after implementation. These emergency changes are later reviewed in periodic meetings to analyze lessons learned, root causes, and impacts.

Our organization actively manages vendor risks through a structured approach that includes maintaining a critical third-party vendor inventory and conducting risk assessments before initiating third-party work. These assessments are repeated annually to identify any gaps between third-party security controls and our information security standards.

The organization adheres to the principle of least privilege by granting users access to systems based on role-based schemes, job function, business requirements, or a need-to-know basis. Systems are provisioned via a deny-all methodology, meaning users only gain access upon receiving formal independent approval.