GRATEIC Security Policy

Last Updated: February 17, 2026

Our Commitment to Security

GRATEIC is committed to protecting the security and privacy of our platform and our customers' data. As a provider of Governance, Risk & Compliance (GRC) software serving regulated industries, we maintain enterprise-grade security standards.

Security Measures

Infrastructure Security

Network Protection: Active firewall with intrusion detection system (IDS)
Threat Monitoring: 24/7 monitoring with automated threat response
DDoS Protection: Azure Front Door with rate limiting
Access Control: Multi-factor authentication and role-based access

Data Protection

Encryption in Transit: TLS 1.2/1.3 only with Perfect Forward Secrecy
Encryption at Rest: AES-256 encryption for all stored data
Database Security: Isolated databases with SSL-required connections
Backup & Recovery: Automated backups with disaster recovery procedures

Application Security

Security Headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options
Session Security: Secure cookies with HttpOnly and SameSite protections
Input Validation: Server-side validation and sanitization
Dependency Management: Regular security updates and vulnerability scanning

Email Security

SPF: Sender Policy Framework configured
DMARC: Domain-based Message Authentication with quarantine policy
Phishing Protection: Email authentication to prevent spoofing

Security Standards & Compliance

GRATEIC maintains security aligned with:

ISO 27001 (Information Security Management)
ISO 22301 (Business Continuity Management)
SOC 2 Type II principles
NIST Cybersecurity Framework
OWASP Top 10 protections

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities.

Reporting Security Issues

If you discover a security vulnerability, please report it to:

Email: security@grateic.com
Response Time: Within 24 hours
security.txt: https://grateic.com/.well-known/security.txt

What to Include

Description of the vulnerability
Steps to reproduce
Potential impact
Your contact information (optional)

Our Commitment

We will acknowledge receipt within 24 hours
We will provide updates on resolution progress
We will credit researchers (with permission)
We will not pursue legal action against good-faith researchers

Incident Response

In the event of a security incident:

We maintain a 24/7 incident response team
Affected customers will be notified within 72 hours
We will provide transparent communication and remediation timelines
Post-incident reviews are conducted to prevent recurrence

Third-Party Security

Regular security audits by independent firms
Penetration testing conducted annually
Vendor security assessments for all partners
Supply chain security requirements

Customer Responsibilities

We recommend our customers:

Use strong, unique passwords
Enable multi-factor authentication
Keep browsers and systems updated
Report suspicious activity immediately
Follow security best practices for their data

Security Updates

This security policy is reviewed and updated regularly. Material changes will be communicated to customers.

Contact Information

Security Team: security@grateic.com
General Support: support@grateic.com
Company: Resiliency Consulting Services
Location: Ontario, Canada
Website: https://grateic.com

Last Reviewed: February 17, 2026
Next Review: August 2026