This information security policy outlines the approach to information security management at Grip and provides the guiding principles and responsibilities necessary to safeguard Grip users’ information.
The following terms are interpreted in this policy as follows:
Information – any electronic data stored, produced or transmitted. Data may be user generated or machine generated.
Access – the process or method by which information is obtained or consumed.
Software – software created and used within Grip to operate the services it provides. This includes all machine-learned and generated operational information.
Communications – any message exchanged in any electronic form between Grip users.
The policy covers both internal information produced and consumed by Grip staff and its software, as well as information provided by Grip’s clients and users. Client and user information may be provided via any public or private API offered by Grip or via any mobile or web application operated by Grip.
The policy does not cover:
- Software code
- Ephemeral logs
- Grip internal, Grip & Client communications
- Grip classifies information according to appropriate levels of confidentiality, integrity and availability and in accordance with relevant legislative, regulatory and contractual requirements.
- Information is protected against unauthorized access and processing in accordance with its classification level. Breaches of this policy are treated as incidents and managed accordingly.
- Information is made available solely to those who have a legitimate need for access. We use a fine-grained role-based access control system to manage access to information, and we maintain an audit log of access and of changes to access controls.
- Notifications of information security breaches are made within 72 hours to the Head of Information Security, to affected clients and, in cases that risk the rights and freedoms of natural persons, to the data controller and the relevant supervisory authority such as the ICO.
Grip closely follows industry recommendations in encryption technology. All outbound information originating from Grip services is encrypted in transit over HTTPS via TLS. Where offered, Grip also receives information from third parties through encrypted means.
We encrypt security information such as passwords at rest, and Grip staff cannot decrypt or view them at any time.
Data Security Compliance
Grip complies with the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act.
Grip’s services are hosted on infrastructure providers that are certified for the following:
- CSA – Cloud Security Alliance Controls
- ISO 9001 – Global Quality Standard
- ISO 27001 – Security Management Controls
- ISO 27017 – Cloud Specific Controls
- ISO 27018 – Personal Data Protection
- PCI – PCI DSS Level 1 – Payment Card Standards
- SOC 1 – Audit Controls Report
- SOC 2 – Security, Availability, & Confidentiality Report
- SOC 3 – General Controls Report
- Cyber Essentials Plus – UK Government Standards
- G-Cloud – UK Government Standards