2274638 Ontario Inc. takes the security of the GRATEIC platform and your data seriously. This Security Policy describes the technical and organizational measures we implement to protect the confidentiality, integrity, and availability of the Service.
1. Infrastructure Security
1.1 Cloud Hosting
GRATEIC is hosted on Microsoft Azure, an enterprise cloud platform covered by SOC 2 Type II reports, ISO 27001 certification and FedRAMP authorization. Our infrastructure is deployed in the Azure Canada Central and Canada East regions, so customer data stays resident in Canada.
- Azure Virtual Machines with network security groups and private networking
- Azure Database for MySQL Flexible Server with TLS enforced on every client connection (require_secure_transport)
- Azure Front Door at the network edge for DDoS mitigation and global load balancing
- Azure Monitor and Microsoft Defender for Cloud (formerly Azure Security Center) for continuous monitoring
- Azure Blob Storage with geo-redundant storage (GRS) for backups
1.2 Network Security
- All traffic encrypted in transit using TLS 1.2 or higher
- HTTPS enforced on all endpoints — HTTP redirected to HTTPS
- Network segmentation between portal deployments, so that one deployment cannot reach another's hosts
- Firewall rules restrict access to management interfaces
- SSH access restricted to authorized IP ranges with key-based authentication
2. Application Security
2.1 Authentication
- Passwords stored only as salted bcrypt hashes, never in plain text or in any reversible form
- Multi-factor authentication (MFA/2FA) available to all users and strongly encouraged
- Session tokens expire after a period of inactivity, after which the user must sign in again
- reCAPTCHA on all login forms to impede automated credential-stuffing and brute-force attempts
- Account lockout after repeated failed login attempts
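As an added illustration (not GRATEIC's own code; the platform's thresholds and session lengths are not published), the following Python sketch shows how the lockout and inactivity rules above fit together: a per-account failure counter that locks the account for a fixed period once a threshold is reached, and session tokens that expire when the gap since the last request exceeds an idle limit. The threshold of 5 attempts, the 15-minute lockout and the 30-minute idle limit are assumptions. The policy states bcrypt for password storage; this example substitutes the standard library's salted scrypt purely so it runs without extra packages, and the lockout logic does not depend on which hash is used.

```python
"""Illustrative account-lockout and idle-session policy.

Added example, not GRATEIC's code. Thresholds and the hash function
are assumptions (see the lead-in).
"""
import hashlib
import os
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5         # assumed: lock on the 5th consecutive failure
LOCKOUT_SECONDS = 15 * 60       # assumed lockout duration
SESSION_IDLE_SECONDS = 30 * 60  # assumed inactivity limit for a session token
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    """Return salt || scrypt digest. The policy states bcrypt; stdlib scrypt
    is substituted here only so the example runs without extra packages."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt + digest


def verify_password(stored: bytes, password: str) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return secrets.compare_digest(candidate, digest)  # constant-time comparison


# Verified for unknown usernames so response time does not reveal
# whether an account exists.
_DUMMY_HASH = hash_password("placeholder")


@dataclass
class Account:
    username: str
    password_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass
class Session:
    username: str
    last_seen: float


class AuthService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, hash_password(password))

    def login(self, username: str, password: str, now: float) -> tuple[str, Optional[str]]:
        """Return (status, token). status is "ok", "denied" or "locked"."""
        acct = self.accounts.get(username)
        if acct is None:
            verify_password(_DUMMY_HASH, password)
            return "denied", None
        if now < acct.locked_until:
            return "locked", None           # even the correct password is refused while locked
        if not verify_password(acct.password_hash, password):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.failed_attempts = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                return "locked", None
            return "denied", None
        acct.failed_attempts = 0            # success resets the counter
        token = secrets.token_urlsafe(32)   # 256-bit random session token
        self.sessions[token] = Session(username, now)
        return "ok", token

    def authenticate_session(self, token: str, now: float) -> Optional[str]:
        """Return the username for a live session, or None if unknown or idle-expired."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_seen > SESSION_IDLE_SECONDS:
            del self.sessions[token]        # expired by inactivity; user must log in again
            return None
        sess.last_seen = now                # sliding idle window
        return sess.username
```

A locked account refuses the correct password until the lock expires, which is what keeps an attacker from confirming a guess during the lock; a successful login resets the counter. The idle timeout is sliding, so each authenticated request refreshes last_seen, and a token that goes unused for longer than the limit is discarded on its next use rather than by a background sweeper.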
2.2 Authorization
- Role-based access control (RBAC): users can read and change only the data their role authorizes
- Tenant isolation: each tenant's data is partitioned so that no request can read or write another tenant's data
- All programmatic access requires API authentication
- Principle of least privilege applied to all system accounts
2.3 Data Protection
- All data encrypted at rest using Azure platform-managed encryption keys
- Database connections require TLS; the server rejects unencrypted connections
- Sensitive configuration values stored in environment variables, not source code
- Regular automated database backups with geo-redundant storage
3. Operational Security
3.1 Monitoring and Logging
- Activity logging enabled across all platform deployments
- Logs retained for a minimum of 30 days to support security incident investigation
- Azure Monitor alerts for anomalous activity, high error rates, and infrastructure events
- Automated alerts on unauthorized access attempts, such as repeated failed logins against an account
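To make the monitoring bullets concrete, here is an added example, not GRATEIC's detection logic or log format, of two alert rules run over constructed login-event lines: a burst of failed logins from one source within a time window (which catches password spraying across many accounts, a pattern per-account lockout never triggers on), and a successful login from a source that had recently failed several times. The line format, the 10-minute window and the thresholds of 5 and 3 are assumptions.

```python
"""Illustrative failed-login detection over constructed log lines.

Added example; not GRATEIC's log schema or alert rules. The line format,
window and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one source spraying many accounts, one source that
# eventually succeeds after repeated failures. A malformed line is included
# to show that unparseable input is skipped rather than crashing the scan.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed user=alice src=203.0.113.7
2024-05-01T10:00:02Z login_failed user=bob src=203.0.113.7
2024-05-01T10:00:03Z login_failed user=carol src=203.0.113.7
2024-05-01T10:00:04Z login_failed user=dave src=203.0.113.7
2024-05-01T10:00:09Z login_ok user=alice src=198.51.100.20
this line is not a login event
2024-05-01T10:00:10Z login_failed user=erin src=203.0.113.7
2024-05-01T10:00:11Z login_failed user=alice src=198.51.100.20
2024-05-01T10:30:00Z login_failed user=frank src=203.0.113.7
2024-05-01T10:31:00Z login_failed user=alice src=203.0.113.9
2024-05-01T10:31:20Z login_failed user=alice src=203.0.113.9
2024-05-01T10:31:40Z login_failed user=alice src=203.0.113.9
2024-05-01T10:32:00Z login_ok user=alice src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) "
    r"(?P<event>login_failed|login_ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, event, user, src) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["event"], m["user"], m["src"]


def detect(log_text, window=timedelta(minutes=10), burst_threshold=5, prior_failure_threshold=3):
    """Scan log lines in order and return a list of alert dicts."""
    alerts = []
    recent = defaultdict(list)   # src -> [(ts, user)] for failures inside the window
    burst_fired = set()          # sources already alerted for the current burst
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, user, src = parsed
        fails = [(t, u) for t, u in recent[src] if ts - t <= window]  # slide the window
        recent[src] = fails
        if len(fails) < burst_threshold:
            burst_fired.discard(src)   # burst has subsided; a new one may alert again
        if event == "login_failed":
            fails.append((ts, user))
            if len(fails) >= burst_threshold and src not in burst_fired:
                burst_fired.add(src)
                alerts.append({
                    "rule": "failed_login_burst",
                    "src": src,
                    "count": len(fails),
                    "users": sorted({u for _, u in fails}),  # many users => spraying
                    "at": ts.isoformat(),
                })
        elif len(fails) >= prior_failure_threshold:
            # A success right after several failures from the same source is the
            # signature of a guessed password and deserves a human look.
            alerts.append({
                "rule": "success_after_failures",
                "src": src,
                "user": user,
                "prior_failures": len(fails),
                "at": ts.isoformat(),
            })
    return alerts
```

On the sample above the first rule fires once for 203.0.113.7 (five failures across five different accounts in nine seconds), and the second fires for 203.0.113.9 when alice's login succeeds after three failures; the later single failure from 203.0.113.7 at 10:30 falls outside the window and does not re-alert. Keying the burst rule on the source rather than the account is what makes it complementary to the per-account lockout in section 2.1.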
3.2 Patch Management
- Operating system and software patches applied on a regular schedule
- Critical security patches applied within 72 hours of release
- Dependency vulnerability scanning runs as part of the deployment pipeline
3.3 Backup and Recovery
- Daily automated backups of all databases and application code
- Backups stored in Azure Blob Storage with geo-redundant replication
- Backup integrity verified monthly
- Recovery Time Objective (RTO): 4 hours; Recovery Point Objective (RPO): 24 hours, matching the daily backup cadence (up to one day of changes could be lost in a worst-case restore)
4. Organizational Security
- Access to production systems limited to authorized personnel only
- Separation of duties between development, operations, and administration
- Security awareness training during onboarding and on an ongoing basis
- Vendor and third-party access reviewed and minimized
5. Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue in the GRATEIC platform, please report it to our security team before public disclosure.
Security Disclosure: security@grateic.com
Please include a description of the vulnerability, steps to reproduce it, its potential impact, and your contact information. We will acknowledge reports within 48 hours and provide updates throughout our investigation.
We ask that you:
- Give us reasonable time to investigate and remediate before public disclosure
- Avoid accessing, modifying, or deleting data belonging to other users
- Not conduct testing that could degrade service availability for others
6. Compliance and Certifications
- Platform aligned with ISO 27001 information security management principles
- GRATEIC GRC platform supports customer SOC 2, ISO 27001, and NIST CSF compliance programs
- Microsoft Azure infrastructure holds SOC 2 Type II reports, ISO 27001 and PCI DSS certifications, and FedRAMP authorization
- Data residency in Canada for Canadian customers (Azure Canada Central / Canada East)
- PIPEDA compliant for Canadian personal information handling
7. Incident Response
In the event of a confirmed security incident affecting customer data, we will:
- Contain the incident and preserve forensic evidence
- Notify affected customers within 72 hours of confirmation
- Provide a clear description of what happened and what data was affected
- Describe steps taken and planned to remediate the issue
- Notify applicable regulatory authorities as required by law (PIPEDA, GDPR, etc.)
8. Contact