How we protect your data.
A mature security programme grounded in international standards and practical controls. This page summarises our posture and how to contact our security team.
Defense-in-depth
Layered controls across identity, network, application, and data.
Encryption
TLS 1.2+ in transit, industry-standard encryption at rest.
Change control
Peer review, CI/CD checks, and staged rollouts for production changes.
Governance, identity, data.
Governance & Standards
- Aligned to ISO/IEC 27001:2022 control families and secure R+D practices
- Risk management with regular reviews and management oversight
- Policies for access, acceptable use, secure coding, change, and incident response
Identity & Access
- Least-privilege, role-based access and JIT elevation where applicable
- Phishing-resistant MFA (FIDO2/WebAuthn) enforced on administrative and production systems
- Segregated environments and logging of privileged actions
Data Protection
- Encryption in transit (TLS 1.2+) and at rest (AES-256, KMS-managed keys in eu-central-1)
- Data minimisation and time-bound retention by default
- Backups with integrity checks and tested restoration procedures
App security, IR, supply chain.
Application Security
- Secure R+D with threat modelling, SAST/DAST/SCA, and peer review
- Secrets management, hardening baselines, and dependency control
- Monitoring of error rates, security events, and anomaly signals
Incident Response
- Defined severity levels and time-bound SLAs for triage and communication
- Forensics-ready logging and evidence preservation procedures
- Post-incident reviews and corrective actions
Supply Chain & Platform
- Vendor risk assessments and least-privilege integrations
- Dependency and container scanning; provenance and signing where applicable
- Infrastructure as code, immutable builds, and monitored changes
Standard templates, ready under NDA.
What your legal and DPO teams pre-clear before the scoping call. EU SCCs already annexed — no bespoke redlining required.
- ✓ Master Services Agreement (MSA). Commercial frame: payment terms, IP ownership, liability, term & termination.
- ✓ Data Processing Agreement (DPA). GDPR Article 28 compliant. Roles, security measures, sub-processor approvals, breach notification, return / deletion at engagement close.
- ✓ EU Standard Contractual Clauses. Commission Implementing Decision 2021/914, Module 2: Controller-to-Processor. Annexed to the DPA.
- ✓ Statement of Work (SoW) template. Per-engagement scope, deliverables, timeline, and rules of engagement.
Mutual NDA executed and full package returned within one business day.
Criminal background check on every hire: Karistusregister (Estonian criminal records register) for EU personnel, equivalent national check for non-EU personnel. Refreshed annually. Least-privilege access enforced throughout the engagement; revoked same-day at close.
We welcome responsible disclosure. Email security@grillisecurity.com. We acknowledge reports within 72 hours.
All data processed within the EU by default. Website and form processing run in EU cloud infrastructure. On-premises infrastructure is used for sensitive and air-gapped engagements. Alternative processing regions are available where explicitly required and agreed in writing.
ISO/IEC 27001:2022-conformant information security management system. Statement of Applicability, Risk Treatment Plan, and supporting policy library available under NDA on request. privacy@grillisecurity.com.
Engagement work is performed under NDA and not publicly attributed. Anonymised research summaries, redacted findings, and CVE coordination history available on request to qualified buyers. hello@grillisecurity.com.
For financial-entity buyers under EU DORA (in force since 17 January 2025): our standard MSA includes the Article 30 contractual provisions — audit and inspection rights, defined exit strategy, subcontracting transparency, cooperation with competent authorities, and ICT risk-management commitments. We are prepared to be entered into your Article 28(3) register of information, and our red-team methodology is designed to support Threat-Led Penetration Testing under Article 26 / TIBER-EU. The DORA-readiness pack is bundled with the MSA + DPA package on request.
