At Gridly, the security of your information is our top priority. We rely on industry best practices and strictly enforced operational controls to ensure the security of all electronic data you entrust us with.
The solution is hosted on Amazon AWS in Frankfurt, Germany, with proxy layers in Hong Kong and the United States. The AWS infrastructure holds a range of security certifications and attestations, including:
- SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- DOD CSM Levels 1-5
- PCI DSS Level 1
- ISO 9001 / ISO 27001
- FIPS 140-2
- MTCS Level 3
In addition to the benefits provided by AWS, Gridly has additional built-in security features:
- Two-Factor Authentication
- Single Sign-On via SAML 2.0
- REST API Authentication (API Key)
- Role-based permissions
- IP allowlist (Enterprise-only)
The solution only uses secure HTTPS connections to communicate with other systems, and access controls ensure that only explicitly permitted systems are granted access.
Unusual and malicious traffic is detected automatically by several internal tools, such as Nginx access-log analysis and Sentry error tracking, and notifications are sent to the responsible Gridly employee.
The main database is replicated to a second physical location using a read replica that is always ready for failover. Additionally, the data is backed up daily to Amazon S3 together with a changelog, with a retention period of 30 days; restores are possible within that 30-day period.
Gridly APIs communicate over HTTPS using the TLS 1.2 protocol.
Gridly performs recovery tests that include point-in-time database recovery and the recovery of static assets using the Amazon S3 Versioning feature.
Amazon AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.
Access to the solution's internal network is only possible through a WireGuard VPN, and host access additionally requires public/private key-pair authentication over Secure Shell (SSH).
Access to Gridly is monitored and reviewed by automated tools that identify abnormalities and inform the responsible stakeholders. This monitoring includes the mitigation of brute-force attacks.
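The access-log-based detection and brute-force mitigation mentioned above, as an added example that is not Gridly's own tooling: a sliding-window count of failed login attempts per client address over Nginx combined-format access log lines. The login path, failure status codes, threshold, window and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
LOGIN_PATH = "/api/v1/auth/login"  # assumed login endpoint, not Gridly's real path
FAIL_STATUSES = {401, 403}         # assumed "failed login" responses
THRESHOLD = 5                      # assumed: failures per window that trigger an alert
WINDOW = timedelta(minutes=5)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: time the threshold was first crossed} for addresses with
    >= threshold failed POSTs to the login path inside a sliding window.
    Lines are assumed to be in chronological order, as in a live access log."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != LOGIN_PATH or status not in FAIL_STATUSES:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

# Constructed sample log: one address fails six times in a minute, another
# fails once and then succeeds; the GET line is unrelated traffic.
SAMPLE_LOG = [
    f'198.51.100.7 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /api/v1/auth/login HTTP/1.1" 401 52 "-" "curl/8.1"'
    for s in range(0, 60, 10)
] + [
    '203.0.113.9 - - [10/Oct/2023:13:55:05 +0000] "POST /api/v1/auth/login HTTP/1.1" 401 52 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:20 +0000] "POST /api/v1/auth/login HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:21 +0000] "GET /api/v1/grids HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {THRESHOLD} failed logins within {WINDOW} as of {when.isoformat()}")
```

In a real deployment the alert would feed the notification path described above rather than stdout, and the window should be tuned against genuine user retry behaviour to avoid blocking legitimate clients behind shared NAT addresses.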
Every content change is logged and can be reviewed in the Grid history.
Gridly applies a systematic approach to managing change so that changes to customer-impacting services are thoroughly reviewed, tested, approved, and well-communicated. The Gridly change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to the customer. Changes deployed into production environments are:
- Reviewed – Peer reviews of the technical aspects of a change are required.
- Tested – Changes being applied are tested to help ensure they will behave as expected and not adversely impact security.
- Approved – All changes must be authorized in order to provide appropriate oversight and understanding of business impact.