Security at GRCfy

Our Security Commitment

GRCfy is built for organisations that manage sensitive compliance programmes — audits, findings, evidence, and regulatory submissions. The data your teams upload and generate is confidential, regulated, and in many cases subject to the DPDP Act 2023, GDPR, or other data protection laws.

We treat that responsibility seriously. Security decisions at GRCfy are not delegated to a single team — they are baked into architecture, code review, deployment processes, and how we hire and train our engineers.

Infrastructure & Hosting

• The platform is hosted on enterprise-grade cloud infrastructure with industry-standard physical security, redundant power, and network resilience.
• Primary data is stored in India. Organisations that require data residency in specific regions may configure company-hosted or client-hosted databases on their own infrastructure.
• Network-level firewalls restrict inbound traffic to necessary ports only. Production databases are not directly accessible from the internet.
• Compliance logs are stored in a dedicated, isolated compliance database (separate from application data) to ensure log integrity even in the event of an application-layer compromise.
• The application tier, database tier, and compliance logging tier run as separate processes with independent access controls.

Encryption

In transit

• All communication between your browser and the platform is encrypted using TLS 1.2 or higher. HTTP is automatically redirected to HTTPS.
• HSTS (HTTP Strict Transport Security) headers prevent protocol downgrade attacks.
• All database connections between the application and storage layer use encrypted channels.

At rest

• User passwords are hashed with bcrypt (minimum cost factor 10). Plaintext passwords are never stored, logged, or transmitted — not even to GRCfy staff.
• Sensitive configuration values — database credentials, SSO client secrets, SFTP passwords, SMTP credentials — are encrypted at rest using AES-256-CBC via Laravel's encryption layer. Plaintext values are never persisted to the database.
• Evidence files stored on the platform's managed storage are covered by the underlying storage provider's at-rest encryption.

Authentication & Access Control

Role-based access control

GRCfy implements a granular 11-role permission system. Every action — viewing audit data, uploading evidence, updating control statuses, managing findings — is gated by explicit role checks at the controller layer, not just the UI.

Password security

• Platform administrators can enforce password complexity rules (minimum length, uppercase, numbers, special characters) and mandatory expiry periods for all users in their organisation.
• Expired passwords trigger a forced change flow before the user can access any other part of the platform.
• The platform records password_changed_at on every password update to enforce expiry accurately.

Single Sign-On (SSO)

• SAML 2.0, OIDC, and LDAP/Active Directory integrations are supported. Organisations can enforce SSO so that all authentication flows through their own Identity Provider.
• OIDC client secrets and LDAP bind passwords are encrypted at rest using AES-256-CBC before being stored. Plaintext values are not retained after initial configuration.
• Just-in-time (JIT) provisioning creates accounts automatically on first SSO login, applying pre-configured role mappings from IdP group attributes.
• IdP tokens are not persisted beyond the authenticated session.

Session security

• Session tokens are regenerated on every login and invalidated on logout.
• CSRF protection is enforced on all state-changing requests via a per-session XSRF token.
• Session cookies use HttpOnly and Secure flags to prevent client-side script access and enforce HTTPS.

Data Isolation

Compliance data belonging to different organisations must never be visible across tenants. GRCfy enforces isolation at multiple layers:

• Database-per-client architecture: Each client entity's audit data lives in a dedicated database, not a shared table with a tenant_id column. Cross-tenant queries are architecturally impossible at the SQL layer.
• TenantContext resolution: Every request that accesses audit data resolves the correct tenant database connection from the authenticated user's context before any query is issued. Requests with an unresolvable context are rejected (404/403).
• Self-hosted database option: Organisations that require physical isolation can configure GRCfy to store their audit data on their own database server (company-hosted or client-hosted mode). The application connects to their server for tenant data only — platform infrastructure never holds a copy.
• Platform admin exclusion: Scope queries in every controller explicitly exclude platform administrator roles from accessing tenant audit data — this boundary exists in PHP query logic, not just middleware.

Immutable Audit Trail

Every significant action on the platform — login, data access, record creation/update/deletion, role change, permission grant, evidence review, force-delete — is written to an append-only compliance log simultaneously in two places:

Each log entry captures:

• Timestamp (UTC), event type, actor user ID, tenant ID, client ID
• IP address and browser user-agent
• Unique request ID for request tracing
• Relevant DPDP Act 2023 section reference (50+ event types mapped)

Permanent deletion ("force delete") operations are logged separately in a recovery_logs table with a mandatory, non-empty reason field, the actor's identity, and a cascaded record of all dependent data that was removed. This log is also immutable and available for export as CSV.

Evidence & File Security

• Evidence files are served via authenticated, time-limited URLs — never exposed as publicly accessible static files.
• Per-file upload size limits are enforced at the server layer (configurable per subscription plan, default 50 MB) to prevent abuse.
• Storage quotas are enforced per subscription. Uploads beyond quota are rejected before any data is written to disk.
• Evidence storage is configurable: local managed storage, Amazon S3, or customer-provided SFTP. All drivers are abstracted behind the same upload/retrieve/delete interface with consistent access controls regardless of driver.
• XLSX file preview uses a server-side ZipArchive parser — no third-party JavaScript spreadsheet libraries with known CVEs (SheetJS was explicitly removed due to a high-severity vulnerability).
• Cross-audit evidence flagging automatically notifies affected teams when evidence used across multiple audits is marked expired or incorrect, preventing stale evidence from quietly remaining in use.

Application Security

GRCfy is built on Laravel 12 (PHP 8.2) with Inertia.js / React 19. Our standard defences against OWASP Top 10:

Vulnerability Management

• Composer (PHP) and npm (JS) dependencies are monitored for known CVEs. Critical and high-severity vulnerabilities are patched within 72 hours of disclosure.
• All code changes undergo peer review before being merged to the main branch. Security-sensitive changes (auth, role checks, data access) require explicit review sign-off.
• Periodic internal security reviews are conducted against the OWASP Top 10 and DPDP Act technical safeguard requirements.
• External penetration testing is planned on an annual basis. Results and remediation timelines are tracked internally.

Incident Response

We maintain an incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting your data:

• 72-hour notification: We will notify affected customers without undue delay and within 72 hours of becoming aware of a personal data breach, as required by the DPDP Act and GDPR.
• Scope & impact: Initial notification will include the nature of the incident, categories of data affected, approximate number of records, and immediate containment steps taken.
• Ongoing updates: We will provide updates as the investigation progresses and will assist customers in fulfilling their own regulatory notification obligations.
• Post-incident report: Following resolution, a summary report will be provided to affected customers covering root cause, timeline, and remediation actions.

To report a suspected security incident or data breach: security@grcfy.com

Business Continuity & Backups

• Automated daily backups of the platform database. Backups are stored in an isolated location separate from the primary database.
• Backup restoration procedures are tested periodically. Restoration time objectives are reviewed after each test.
• Universal soft-delete on all core models (users, audits, entities, audit types) means accidental deletions can be recovered from the Recovery Vault before the retention window expires — without needing a full database restore.
• Organisations using self-hosted (company-hosted or client-hosted) databases are responsible for their own backup and recovery procedures for tenant data stored on their infrastructure.

Employee & Vendor Security

• All GRCfy employees and contractors with access to production systems are subject to background verification, confidentiality agreements, and annual security training.
• Production infrastructure access follows the principle of least privilege. Access is provisioned on a role and need basis and reviewed quarterly.
• All production access requires multi-factor authentication (MFA). VPN or bastion host access is required for direct database connections.
• Sub-processors (cloud hosting, email delivery, monitoring) are bound by data processing agreements and are evaluated for security posture before engagement.
• Employee offboarding includes immediate revocation of all access credentials, SSH keys, and service accounts.