Security
Protecting your data is fundamental to everything we do at Grantmaker. This page outlines how we keep your data safe.
- Cyber Essentials - Certified under the UK government-backed scheme for protection against common cyber threats. Includes cyber insurance.
- UK Data Residency - All customer data is stored and processed in the United Kingdom. We are registered with the ICO (ZB997563) and comply with the UK GDPR and Data Protection Act 2018.
- Encryption - Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or later. HTTPS is enforced across the platform.
- Infrastructure - Hosted on AWS in London (eu-west-2) using managed, serverless services with automated patching. The application is protected by a Web Application Firewall (WAF).
- Multi-tenancy - Each organisation's data is logically separated from every other organisation's. Users can only access data belonging to their own organisation.
- AI Security - AI models are accessed via Amazon Bedrock. Customer data is never used to train models. Full audit trails of AI-generated assessments are maintained.
- Secure Development - All code changes undergo peer review, automated testing, and linting with OWASP Top 10 in mind. All infrastructure access requires multi-factor authentication.
- Continuous Deployment - Updates are deployed continuously once automated tests pass, with no downtime, so customers are always on the latest version.
- Vulnerability Management - Automated CVE scanning of code dependencies and container images. Patch timelines are set according to the severity of each vulnerability.
- Single Sign-On - SSO integration is available, allowing organisations to use their existing identity provider.
- Penetration Testing - Annual independent penetration testing by CREST-accredited security specialists.
- Backups - Daily backups to Microsoft Azure in the UK, providing redundancy across a second provider and location within the UK. Point-in-time recovery is available via AWS.
- Quarterly Reviews - Security configurations, firewall rules, user accounts, and installed software are reviewed quarterly.
- Incident Response - A documented breach notification process: customers are notified within 24 hours of detection. Full details are in our Terms of Service.
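The multi-tenancy point above (users can only reach data belonging to their own organisation) rests on every data access being scoped by a tenant identifier that comes from the authenticated session rather than from the request. The following is an added illustrative example of that pattern, not Grantmaker's own code: the `Session`, `Application` and `ApplicationRepository` names, the in-memory store and the sample sessions are all constructed for the example. It also shows the unscoped lookup that the pattern is designed to rule out.

```python
"""Tenant-scoped data access (added example; hypothetical names, not product code).

The property being demonstrated: the organisation ID used to filter every
read comes from the caller's authenticated session, never from the request,
so a user who knows another organisation's record ID still cannot read it.
"""
from dataclasses import dataclass
from typing import Dict, List
import uuid


class TenantIsolationError(PermissionError):
    """Raised when a caller tries to reach a record outside their organisation."""


@dataclass(frozen=True)
class Session:
    user_id: str
    org_id: str  # assumption: populated by the identity layer at login, not user-supplied


@dataclass
class Application:
    id: str
    org_id: str
    title: str


class ApplicationRepository:
    """Hypothetical repository. Every method takes the Session and filters on session.org_id."""

    def __init__(self) -> None:
        self._rows: Dict[str, Application] = {}

    def create(self, session: Session, title: str) -> Application:
        app = Application(id=str(uuid.uuid4()), org_id=session.org_id, title=title)
        self._rows[app.id] = app
        return app

    def list_for_org(self, session: Session) -> List[Application]:
        return [a for a in self._rows.values() if a.org_id == session.org_id]

    def get(self, session: Session, app_id: str) -> Application:
        row = self._rows.get(app_id)
        # Same error whether the record is missing or belongs to another
        # organisation, so the existence of other tenants' records is not disclosed.
        if row is None or row.org_id != session.org_id:
            raise TenantIsolationError("application not found for this organisation")
        return row

    def get_unscoped(self, app_id: str) -> Application:
        """The anti-pattern: a lookup by ID with no tenant filter. Any caller who
        guesses or leaks an ID can read the record. Shown only for contrast."""
        return self._rows[app_id]


def demo() -> dict:
    """Run the scenario and return the observations as plain values."""
    repo = ApplicationRepository()
    alice = Session(user_id="alice", org_id="org-a")  # constructed sample sessions
    bob = Session(user_id="bob", org_id="org-b")
    a1 = repo.create(alice, "Community garden grant")
    b1 = repo.create(bob, "Youth club refurbishment")

    result = {
        "alice_sees": [a.title for a in repo.list_for_org(alice)],
        "bob_sees": [a.title for a in repo.list_for_org(bob)],
        "own_record_ok": repo.get(alice, a1.id).title == "Community garden grant",
    }
    try:
        repo.get(alice, b1.id)  # cross-tenant read using a known ID
        result["cross_tenant_blocked"] = False
    except TenantIsolationError:
        result["cross_tenant_blocked"] = True
    # The unscoped path hands Bob's record to Alice: this is what scoping prevents.
    result["unscoped_leaks"] = repo.get_unscoped(b1.id).org_id == "org-b"
    return result


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the scoped `get` returns an identical error for "does not exist" and "exists but belongs to someone else", so the API cannot be used to enumerate other organisations' record IDs.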
For more information, see our Privacy Policy and Terms of Service, or contact us at hello@grantmaker.co.uk.