Security Policy

Overview

GrantAppli manages data for a large number of customers. We understand that our customers expect us to protect their data to the highest standards, and we are committed to providing them with a highly secure and reliable environment. Our security model and controls are based on international standards and industry best practices, such as ISO 27001, ISO 27018 and the OWASP Top 10.

How do we secure your data?

Our systems are hosted on MongoDB's multi-region architecture. We offer hosting in MongoDB data clusters located in the US, the EU and Australia. This allows us to provide a reliable service and keeps your data available whenever you need it. We have also established a disaster recovery mechanism in a separate MongoDB region.

MongoDB’s clusters employ leading physical and environmental security measures, resulting in highly resilient infrastructure.

For more information about MongoDB's security practices, see the MongoDB Security Documentation.

Application Security

GrantAppli implements a security-oriented design in multiple layers, one of which is the application layer. The GrantAppli application is developed with the OWASP Top 10 risks in mind, and all code is peer reviewed before it is deployed to production.

Our controlled CI/CD process includes static code analysis, vulnerability assessment, end-to-end testing, unit tests that cover authorization logic, and more. GrantAppli developers receive periodic security training to keep them up to date with secure development best practices.

Infrastructure Security

Another layer of security is the infrastructure. As stated above, GrantAppli uses MongoDB's distributed architecture. Furthermore, our infrastructure is protected by multiple layers of defense mechanisms, including:
  • Firewalls that enforce IP allowlisting and permit access to network resources only through approved ports.
  • A web application firewall (WAF) for content-based blocking of dynamic attacks.
  • DDoS mitigation and rate limiting.
  • Network Intrusion Detection System (NIDS) sensors for early attack detection.
  • Advanced routing configuration.
  • Comprehensive logging of network traffic, both internal and at the edge.
  • Data encryption.

Additionally, GrantAppli is subject to external auditing, including a SOC 2 Type II audit, ISO certification audits and other external audits.

Bug Bounty Program

GrantAppli does not currently maintain a managed private bug bounty program; however, we welcome security researchers who wish to ethically disclose security vulnerabilities to our Security Team.

Physical Security

GrantAppli is a cloud-based solution, with no part of our infrastructure retained on-premises.

GrantAppli’s data centers are hosted on Google Cloud Platform infrastructure, where leading physical security measures are employed.

Disaster Recovery and Backups

GrantAppli is committed to providing continuous and uninterrupted service to all its customers. We back up user data every 5 minutes. All backups are encrypted and stored in multiple locations.

Our Disaster Recovery Plan is tested at least twice a year to assess its effectiveness and to keep the teams aligned with their responsibilities in case of a service interruption.

Security Awareness and Training

GrantAppli understands that its security depends on its employees. Therefore, all our employees undergo thorough information security awareness training during onboarding. Further security training is provided on a quarterly basis. Additionally, all employees must sign our Acceptable Use Policy.

Access Control

We know the data you upload to GrantAppli is private and confidential. We regularly conduct user access reviews to ensure that appropriate permissions are in place, in accordance with the principle of least privilege. Employee access rights are promptly updated or revoked when an employee's role changes or their employment ends.
 
