Trust Center

Security built for energy data.

SOC 2 Type 1 attested. Independent VAPT complete. Encryption, tenant isolation, and controls designed for utility-grade diligence.

SOC 2 Type 1 · Independent VAPT · SOC 2 Type 2 in progress

[Figure: Gridleaf security posture]
Independent Validation

Evidence, independently reviewed.

SOC 2 Type 1

SOC 2 Type 1

Completed
Sprinto-supported program

Attested against AICPA Trust Services Criteria — security, availability, confidentiality.

Report available under NDA
VAPT Certified

Independent VAPT

Completed
BlueTeamers

Vulnerability assessment and penetration testing across application and API surface.

Executive summary under NDA
NIST · ISO · CIS

Framework Alignment

In Progress
NIST CSF · ISO/IEC 27001 · CIS Controls

Controls designed against frameworks utility teams and consulting firms already use.

Mapping summary on request
Principles

How we operate.

Clear boundaries

Decision support and analytics. Data systems stay separate from operational control environments.

Least privilege

Production access is limited, reviewed, and logged. Standing privileges are kept to a minimum.

Your data stays yours

Customer data is never sold and never used to train generalized AI without written consent.

Honest posture

We publish what is validated, what is implemented, and what is still maturing.

Buyer Context

Built for utility diligence.

For utilities

A decision-support and analytics platform with clear data boundaries and access patterns.

For consultants

We complete questionnaires and support architecture reviews for your utility clients.

For procurement

Straightforward diligence: what is complete, what is in progress, what is available under NDA.

Reference Architecture

Segmented by design.

Edge protections, identity, tenant-aware application services, and encrypted data stores — each with boundaries appropriate for regulated energy workloads.

[Figure: Gridleaf reference security architecture]
Controls

How we reduce risk.

Encryption

  • TLS 1.2+ in transit across services and APIs.
  • Encryption at rest across databases, object storage, and backups.
  • Tenant-scoped access; key-management options for enterprise.

Identity & access

  • Enterprise identity integration on request.
  • MFA required for privileged internal accounts.
  • Role-based access across product and operational workflows.

Infrastructure

  • Hosted on major cloud providers with strong baseline certifications.
  • Changes managed via code, review, and controlled deploys.
  • Build pipelines include dependency and vulnerability checks.

Network & exposure

  • Edge protections: TLS, rate limiting, perimeter filtering.
  • Sensitive internal services kept off the public internet.
  • Network segmentation to reduce attack surface.

Secure development

  • Peer review on every code change before release.
  • Branch protection, dependency review, and secret scanning.
  • Security review on new features and architecture changes.

Monitoring & logging

  • Audit and operational logs for auth, access, and key activity.
  • Monitoring surfaces suspicious behavior and anomalies.
  • On-call response and escalation paths.

Incident response

  • Documented process with internal roles and severity levels.
  • Customer notification per contract and law.
  • Post-incident review drives corrective action.

Vulnerability management

  • Independent VAPT performed periodically.
  • Internal scanning across application and infrastructure layers.
  • Good-faith disclosure at security@gridleaf.org.

Tenant isolation

  • Logical separation via tenant-aware design.
  • Data classified by sensitivity and handled accordingly.
  • Retention and deletion workflows on request.

AI & model governance

  • Customer data excluded from general model training absent written consent.
  • Gridleaf provides decision support only.
  • Prompt and output handling scoped per product and customer need.

Resilience

  • Encrypted, tested backups.
  • Defined recovery procedures and priorities.
  • Core services designed to reduce single points of failure.

Vendor governance

  • Material subprocessors reviewed before onboarding.
  • Subprocessor list shared during diligence.
  • DPAs and supporting legal documentation available.

Frameworks & Regulation

Where we stand.

  • SOC 2 Type 1: Completed. Validates control design at a point in time.
  • SOC 2 Type 2: In progress. Observation period underway.
  • NIST CSF: Used as the reference model for organizing controls.
  • ISO/IEC 27001: Aligned with ISO-style expectations; formal certification on the roadmap.
  • ISO/IEC 27701: Privacy practices shaped by recognized guidance.
  • ISO/IEC 27017 / 27018: Cloud and hosted-data handling informed by relevant guidance.
  • GDPR: DPAs, SCCs, and data-subject request support where applicable.
  • CCPA / CPRA: No sale of personal information; service-provider obligations supported.
  • India DPDP: Data handling shaped to support customer DPDP obligations.
  • NERC CIP: Decision-support platform; out of scope for BES cyber system applicability.

Due Diligence

Materials under NDA.

Standard documentation for procurement, security, and legal review.

  • SOC 2 Type 1 report
  • VAPT executive summary
  • Architecture and data flow overview
  • Subprocessor list
  • Data Processing Addendum (DPA)
  • Security questionnaire pack
  • Incident response summary
  • Business continuity summary

Security FAQ

Common questions.

Do you have SOC 2?

SOC 2 Type 1 is complete. Type 2 is in progress.

Are you ISO 27001 certified?

Aligned with ISO expectations. Formal certification is on the roadmap.

Do you perform penetration testing?

Yes. Independent VAPT, with remediation tracked by severity. Summary under NDA.

Is customer data encrypted?

In transit and at rest across storage and backups.

How do you isolate customer data?

Tenant-aware design with logical isolation across application and data layers.

Do you use customer data to train AI models?

Only with explicit written consent.

Do you support SSO and MFA?

Enterprise identity integration on request. MFA required for privileged access.

Do you connect to SCADA, EMS, or ADMS?

Gridleaf is a decision-support platform. Integrations, where they exist, are reviewed per customer.

Are you suitable for utility use cases?

Yes for analytics, planning, and decision support.

Can you support consulting firms with pass-through obligations?

Yes. We handle diligence, questionnaires, and architecture reviews on behalf of end clients.

What happens during a security incident?

Documented response with containment, investigation, and customer notification per contract and law.

Can you complete a vendor security questionnaire?

Yes. SIG, CAIQ, and custom formats supported.

What can you share during diligence?

Under NDA: SOC 2 Type 1 report, VAPT summary, architecture overview, DPA, and subprocessor list.

Responsible disclosure

Test only assets you are authorized to access. Give us a reasonable window to remediate before public disclosure. Good-faith research gets safe harbor.

security@gridleaf.org

Security team

Reviews with security, procurement, legal, and delivery teams.

Summary only. Contractual terms live in the MSA, DPA, and exhibits.