Security at Gradmor
Gradmor is committed to the security of customer information. Gradmor has put processes and controls in place to protect customer information, and accomplishes this through our mission of creating and nurturing a culture of security. Please visit our trust center to learn which controls and systems we have in place.
Auditing and Compliance
Gradmor is currently in the process of becoming SOC 2 certified and will be certified by 03/31/24. SOC 2 is a widely recognized, international standard for data security in information technology. Certification requires annual inspections and will remain valid until 03/31/25.
On top of our certification, we also perform quarterly vulnerability scans, annual penetration tests, and frequent internal audits and security assessments. For critical services, we use vendors with strong security track records, such as AWS for product hosting.
Data Center Security
Our product environment is in AWS. We mainly use AWS Platform as a Service (PaaS) offerings for our product. Using PaaS rather than traditional VMs significantly reduces our attack surface. We extensively leverage AWS’s advanced security features to secure our product infrastructure.
We have strict access controls in the production environment, based on the principles of Need to Know and Least Privilege. Only members of Gradmor’s Executive team who need to access the production environment for legitimate purposes, such as deploying and troubleshooting the application, have access. They receive the least privileges needed to accomplish that purpose.
System and Network Security
We maintain an accurate inventory of our systems and perform full lifecycle management, including performing timely patching and decommissioning systems that are near the end of their support period.
We have an effective Vulnerability Management program that includes frequent scanning and agent-based collection of security data from the network and the endpoints. This network and endpoint data is automatically correlated against threat information to identify and prioritize vulnerabilities based on risk. Results are reviewed at least quarterly, and new issues are remediated expeditiously, in a timeframe proportional to the severity of the issue.
We have strong encryption for the data at rest (while it is stored) and in transit (while it is being transmitted).
Access to stored customer data is restricted to the Executive team on a Need to Know basis.
We have strong security controls in the product, including Role-Based Access Control (RBAC), Data Segregation, Data Anonymization, and Login Attack Protection.
Gradmor applications have several different user roles, helping ensure that our customers can give their users the right level of access.
Our data segregation features make it possible to restrict access to data within the application. This enables our customers to segregate data, for instance by organizational unit or geographical location, so that only the users responsible for those organizational units or geographical locations can be granted access to the data.
We have thoughtful privacy features in the product. For example, we have an optional “Anonymize Personal Data” feature in our product to hide personal information. We are committed to adding security and privacy features like these to allow our customers greater control of their data.
Secure Software Development
Gradmor performs secure software development that aligns with the NIST Secure Software Development Framework (SSDF). As part of this approach, we take a full-lifecycle approach to security. This includes the security team working closely with product management and product design teams to design security into new features that are being considered, and working with customer support to identify new security feature requirements.
We test web applications as well as APIs for security flaws. Our security tests include automated testing that is incorporated into the DevOps pipeline. Security quality gates are applied to the automated tests, so that developers are alerted about failing tests and the issues are remediated before merging.
We have a dedicated security issues backlog that is allocated to security tasks. This shows clear organizational commitment to security. Having a preset allocation enables important security fixes or features to be implemented without having to compete with product feature requests.
Security Education and Awareness
We provide annual security awareness training that is mandatory for all team members.
Security Monitoring and Incident Response
The Gradmor product environment, as well as the application, is monitored using AWS Security Information and Event Management (SIEM) applications.
Gradmor has formal and tested incident response processes.
We also provide monitoring of our service status to our customers. Our Service Status page is here.
Privacy of User Data
We take our data protection obligations and user privacy rights seriously. We use reputable vendors such as AWS, Google Workspace and Zoho for our product, and have contracts with them that include clauses to protect our customer data and users. Our privacy policies are available here.
Credit Card Security
Gradmor does not store any credit card information. Credit card payments are processed by Wave, an industry-leading PCI Data Security Standard (PCI DSS) Level 1 certified service provider.
If you have any questions about Security at Gradmor, please contact us.