
Security Overview

Last updated: June 4, 2026

This Security Overview explains, at a high level, how GritFlow AI, LLC (“GritFlow,” “we,” “us,” or “our”) protects the data and systems behind the Services. It is written for the security, IT, and procurement teams who evaluate GritFlow. Detailed security documentation is available on request under NDA — see Section 7.

1. Our Approach

This page is a summary, not a contract. The binding security commitments live in the agreement you sign with us and in the Technical and Organizational Measures of our Data Processing Addendum. Capitalized terms used but not defined here have the meanings given in the Terms and the DPA.

We design the Services to be secure by default rather than secured after the fact. A large part of GritFlow's security posture comes from the managed model itself. GritFlow operates the application, the platform, and the underlying framework on your behalf — you never receive, host, or hold the framework or its source code. That single design decision removes a whole category of risk: there is no framework binary or source for an attacker (or a departing employee, or a compromised laptop) to exfiltrate from your side, and your sensitive business data and our intellectual property stay inside an environment we operate and monitor. Less surface to attack, less to leak, less to manage.

2. Dedicated, Isolated Environments

This is the headline of how we protect you. Each Customer is provisioned a dedicated, self-contained environment, isolated from every other customer. Your data, your AI Output, and your automated decisions live inside that environment and are not commingled with, or exposed to, any other customer.

Because the environment is dedicated rather than shared, we can do something most multi-tenant platforms cannot: customize the environment's security controls to your enterprise requirements. If your organization has specific control standards — particular encryption, access, logging, network, or data-handling requirements — we can configure your environment to meet them, and the specific controls for your environment can be agreed in an Order or a separate security exhibit.

3. Encryption

Customer data is encrypted in transit and at rest using industry-standard protocols. Connections to the Services are protected with current TLS, and stored data is encrypted at rest by the infrastructure on which the Services run.

4. How We Protect the Services

At a high level, GritFlow's security program covers:

  • Access control — access to systems that handle Customer data is restricted on a least-privilege, need-to-know basis, with authentication and role-based authorization.
  • Logging and monitoring — centralized, structured logging of access to and activity within the Services, retained to support investigation and response.
  • Secure development — a secure software-development lifecycle with change management and dependency review.
  • Resilience — backups and recovery processes designed to restore the Services after a disruption.
  • Personnel — the people behind the Services are bound by confidentiality obligations.
  • Subprocessor governance — see Section 5.

We provide the detailed descriptions, configurations, and evidence for these controls on request under NDA (Section 7), rather than publishing them — because a published control map helps an attacker more than it helps a customer.

5. Subprocessors

GritFlow relies on a small set of vetted subprocessors — covering hosting and compute, managed database and authentication, object storage, AI model processing, and business communications — to operate and support the Services. Each is bound by written terms no less protective than ours, is prohibited from using Customer data for its own independent purposes, and is prohibited from using Customer data to train its models. The current itemized list is available to customers on request, and customers are notified of changes and may object as described in our DPA.

6. Incident Response

We maintain a documented incident-response process to detect, contain, investigate, and recover from security incidents. If a security incident affects your data, we will notify affected customers in accordance with the Data Processing Addendum, which sets out the timing, content, and cooperation we provide. (Unsuccessful, routine security events — such as port scans, failed logins, and broadcast attacks that do not result in unauthorized access — are not incidents requiring notification, as described in the DPA.)

7. Security Documentation (on request, under NDA)

We deliberately do not publish our detailed security architecture, control configurations, network design, or subprocessor specifics. Publishing that level of detail would help an attacker more than it helps a customer.

On request and under an appropriate non-disclosure agreement, GritFlow makes available — to customers and qualified prospects — its detailed technical and organizational controls, an architecture summary, its current subprocessor list, and its responses to standard security questionnaires, to support your due-diligence and vendor-review process. Contact security@gritflowai.io or privacy@gritflowai.io.

8. Shared Responsibility

Security is a shared responsibility. The simplest way to think about it: we secure the platform; you secure your access to it and the data you put in.

GritFlow is responsible for:

  • the operated application and the GritFlow platform and framework we run on your behalf;
  • the dedicated, isolated environment provisioned for you and its separation from other customers;
  • the hosting and infrastructure the Services run on (through our Infrastructure Providers); and
  • the technical and organizational measures described in the DPA.

You are responsible for:

  • safeguarding your account credentials and your users' access;
  • the data you submit to the Services and your lawful basis and notices for it;
  • who you grant access to within your environment and the roles and permissions you assign them; and
  • how you configure and use the Services, and to whom you make any Deployed Application or AI Output available.

9. Contact

To report a security concern, request our security documentation under NDA, or ask a question about anything on this page, contact us at security@gritflowai.io or privacy@gritflowai.io.

GritFlow AI, LLC — Attn: GritFlow AI, LLC (Security) · 41 Peabody St, Nashville, TN 37210, United States

Email: security@gritflowai.io · Web: gritflowai.io
