How we protect your data.

A mature security programme grounded in international standards and practical controls. This page summarises our posture and how to contact our security team.

01

Defence-in-depth

Layered controls across identity, network, application, and data.

02

Encryption

TLS 1.2+ in transit; AES-256 at rest with KMS-managed keys.

03

Change control

Peer review, CI/CD checks, and staged rollouts for production changes.

PROGRAMME

Governance, identity, data.

Governance & Standards

  • Aligned to the ISO/IEC 27001:2022 control families and secure R&D practices
  • Risk management with regular reviews and management oversight
  • Policies for access, acceptable use, secure coding, change, and incident response

Identity & Access

  • Least-privilege, role-based access with just-in-time (JIT) elevation where applicable
  • Phishing-resistant MFA (FIDO2/WebAuthn) enforced on administrative and production systems
  • Segregated environments and logging of privileged actions

Data Protection

  • Encryption in transit (TLS 1.2+) and at rest (AES-256, KMS-managed keys in eu-central-1)
  • Data minimisation and time-bound retention by default
  • Backups with integrity checks and tested restoration procedures

OPERATIONS

App security, IR, supply chain.

Application Security

  • Secure R&D with threat modelling, SAST/DAST/SCA, and peer review
  • Secrets management, hardening baselines, and dependency control
  • Monitoring of error rates, security events, and anomaly signals

Incident Response

  • Defined severity levels and time-bound SLAs for triage and communication
  • Forensics-ready logging and evidence preservation procedures
  • Post-incident reviews and corrective actions

Supply Chain & Platform

  • Vendor risk assessments and least-privilege integrations
  • Dependency and container scanning; provenance and signing where applicable
  • Infrastructure as code, immutable builds, and monitored changes

CONTRACTING & COMPLIANCE

Standard templates, ready under NDA.

These are the documents your legal and DPO teams can pre-clear before the scoping call. The EU SCCs are already annexed, so no bespoke redlining is required.

  • Master Services Agreement (MSA): the commercial frame (payment terms, IP ownership, liability, term and termination).
  • Data Processing Agreement (DPA): GDPR Article 28 compliant; covers roles, security measures, sub-processor approvals, breach notification, and return or deletion of data at engagement close.
  • EU Standard Contractual Clauses: Commission Implementing Decision (EU) 2021/914, Module 2 (controller-to-processor), annexed to the DPA.
  • Statement of Work (SoW) template: per-engagement scope, deliverables, timeline, and rules of engagement.

Available under NDA on request. Email privacy@grillisecurity.com with subject MSA-DPA REQUEST — [your organisation]. A mutual NDA is executed and the full package returned within one business day.

PERSONNEL VETTING

Criminal background check on every hire: Karistusregister (the Estonian criminal records register) for EU personnel, and an equivalent national check for non-EU personnel. Checks are refreshed annually. Least-privilege access is enforced throughout the engagement and revoked the same day the engagement closes.

VULNERABILITY DISCLOSURE

We welcome responsible disclosure. Email security@grillisecurity.com. We acknowledge reports within 72 hours.

DATA RESIDENCY

All data processed within the EU by default. Website and form processing run in EU cloud infrastructure. On-premises infrastructure is used for sensitive and air-gapped engagements. Alternative processing regions are available where explicitly required and agreed in writing.

ISMS EVIDENCE

ISO/IEC 27001:2022-conformant information security management system. Statement of Applicability, Risk Treatment Plan, and supporting policy library available under NDA on request. privacy@grillisecurity.com.

RESEARCH PORTFOLIO

Engagement work is performed under NDA and not publicly attributed. Anonymised research summaries, redacted findings, and CVE coordination history available on request to qualified buyers. hello@grillisecurity.com.

DORA READINESS

For financial-entity buyers under EU DORA (applicable since 17 January 2025): our standard MSA includes the Article 30 contractual provisions, namely audit and inspection rights, a defined exit strategy, subcontracting transparency, cooperation with competent authorities, and ICT risk-management commitments. We are prepared to be entered into your Article 28(3) register of information, and our red-team methodology is designed to support Threat-Led Penetration Testing under Article 26 / TIBER-EU. The DORA-readiness pack is bundled with the MSA + DPA package on request.

ACTIVE INCIDENT?