Gridapps Security Policy

Last updated December 10, 2025

At Gridapps, the security and privacy of our customers’ data is central to everything we build. Our platform helps businesses collect, manage, and publish testimonials in the form of videos, text, and customer stories. Because teams rely on our service to handle valuable content, we maintain a strong security program designed to protect the confidentiality, integrity, and availability of all systems within our control. This policy explains the standards we follow, the technology we rely on, and the practices that guide our approach to securing customer data.

Overview and Purpose

The purpose of this Security Policy is to describe how Gridapps protects its infrastructure, applications, and customer content. Our security practices are built around industry-recognized frameworks such as ISO 27001 and SOC 2, even if we are not yet formally certified. These standards shape the way we design our systems, manage risks, and enforce internal processes around data protection, access control, and operational security.

Everything we do (collecting testimonials, storing videos, delivering AI-generated content, managing customer dashboards) is supported by documented security procedures. We believe transparency builds trust, especially for our B2B SaaS customers who depend on us to safeguard data submitted by their clients and end-users. This Security Policy outlines the controls we have in place and the commitments we make as a service provider.

Scope

This policy applies to every part of the Gridapps ecosystem: our SaaS application, backend APIs, cloud infrastructure, internal systems, employee devices, customer data stored within our services, and any tool or third-party vendor we use to deliver functionality. Whether content is processed through our testimonial platform, our video creation tools, or any future products under Gridapps, it falls under the scope of this policy.

Our cloud infrastructure (servers, storage, databases, and networking components) is included. Our public and internal applications, admin tools, dashboards, email systems, and employee laptops are included. Likewise, any third-party service that processes customer content on our behalf must meet our security requirements and operate under appropriate agreements.

In short, if a system interacts with Gridapps customer data, it is covered under this Security Policy.

Data Security

Protecting customer data is one of our most important responsibilities. All video testimonials, written reviews, images, metadata, and account details are stored and transmitted securely. When data travels between your browser, our servers, or third-party integrations, it is encrypted using modern security protocols such as TLS 1.2 or higher. This ensures that no one can intercept or tamper with your information while it is in transit.

Data at rest (the data stored inside our databases, file storage, and backups) is encrypted using strong algorithms such as AES-256. We make use of secure key-management systems provided by our cloud partners, ensuring keys are rotated, protected, and never exposed publicly.

Access to customer data is controlled through role-based permissions, ensuring that users and employees only have the access required for their specific responsibilities. All administrative actions, data exports, and sensitive operations are logged and monitored. We regularly review access privileges to maintain the principle of least privilege.

For customers who must comply with data residency rules, we store European user data in EU data centers and follow GDPR requirements for processing personal data. This includes enabling users to access, modify, or delete their information and providing transparency around how it is used.

Application Security

Security is built into the way we develop and maintain Gridapps products. Our development lifecycle includes security reviews, peer code reviews, and automated scanning of both code and dependencies. We use tools that monitor for known vulnerabilities in open-source libraries and flag potential risks before they reach production.

New features undergo architectural review to ensure they meet security guidelines. We regularly test our applications for common vulnerabilities, such as those described in the OWASP Top 10, and fix any issues quickly as part of our release process.

Independent penetration tests are performed periodically to evaluate the strength of our defenses. Findings from these assessments help us improve the platform and make sure Gridapps remains resilient against real-world attack methods.

Our applications also generate logs for authentication attempts, data access, permission changes, and unusual activity. These logs are centralized, monitored, and analyzed so that suspicious events can be identified and investigated promptly.

Cloud and Infrastructure Security

Gridapps operates entirely on secure cloud infrastructure provided by leading cloud providers. These providers offer advanced protections at the physical, network, and platform layers, allowing us to build on top of hardened systems rather than managing servers ourselves.

We isolate critical components of our infrastructure to reduce exposure. Public-facing services run in separate network segments from internal systems and databases. Access to production systems is heavily restricted and monitored. Firewalls, private networks, and strict routing rules ensure that only the correct services communicate with each other.

All incoming traffic to public applications is filtered through firewalls and anti-abuse protections. Our infrastructure includes DDoS mitigation tools and web application firewalls to protect against injection attacks, cross-site scripting, and other web-based threats. Monitoring tools continuously analyze logs and metrics to identify unusual behavior early.

Server configurations, operating systems, and cloud services are kept up to date with security patches. Automated processes help us apply updates quickly and ensure secure defaults are maintained across the environment.

Access Management and Identity Controls

We enforce strong identity and access management practices across the Gridapps organization. All employees and contractors use unique accounts, and multi-factor authentication (MFA) is required for privileged systems. Password best practices are enforced, and we encourage the use of password managers.

Access to customer data or production systems is tightly controlled. Only authorized personnel with a business need may access these systems, and such access is logged and reviewed. When employees change roles or leave the company, their access is removed immediately through defined deprovisioning processes.

We also support secure authentication for customers, and we encourage account owners to enable stronger security measures where available.

Incident Response and Breach Notification

While we work hard to prevent security incidents, we also maintain a structured incident response plan to ensure we can act quickly and effectively if something does occur. Our plan outlines how incidents are detected, classified, communicated, and resolved. Security alerts and unusual activity are reviewed by our team so we can respond before issues escalate.

If a breach were ever to impact customer data, Gridapps would notify affected customers promptly and transparently. For users in the European Union, we follow GDPR requirements for reporting personal-data breaches, including the 72-hour notification window when applicable. After any incident, we perform a full analysis to understand what happened and strengthen our defenses.

User Responsibilities

Security is a shared responsibility between Gridapps and our customers. While we secure the platform and infrastructure, users must ensure they handle content ethically and lawfully. Customers are responsible for obtaining consent from individuals featured in testimonials and must avoid uploading prohibited or sensitive data such as financial records, medical information, passwords, or government identification documents.

Users must protect their login credentials, restrict access to authorized team members only, and notify us immediately if they believe their account may have been compromised. Misuse of the platform, such as attempting to break security controls or collecting deceptive content, violates our Terms and may result in account restrictions.

Third-Party Vendors and Subprocessors

Gridapps relies on carefully chosen third-party providers to deliver cloud hosting, content delivery, storage, analytics, and optional integrations. These providers must meet our security standards, and we evaluate them based on certifications, compliance posture, and their own internal controls.

All subprocessors operate under contracts that define how data may be used, secured, and retained. We do not sell customer data or share testimonial content with vendors unless it is required to operate the platform.

We review our vendors periodically to ensure they continue to meet our expectations.

Security Awareness and Training

Every Gridapps employee receives ongoing security training to help them understand threats, responsibilities, and the importance of protecting customer data. Developers receive additional training on secure coding practices, while operations and support teams are trained in incident reporting and privacy obligations.

Security is part of our culture, and team members are reminded regularly about phishing risks, password safety, and best practices for handling customer content.

Policy Updates and Maintenance

We review this Security Policy at least once per year or sooner if significant product, infrastructure, or regulatory changes occur. Updates are approved by leadership and published so customers always understand how their data is being protected.

Security is not static: technology evolves, threats evolve, and our platform evolves. We remain committed to improving our security posture continuously.