Trust Center

Security and privacy, built for regulated energy data.

Utilities and enterprises trust Gridleaf with sensitive grid, siting, and market data. Independent attestations, layered controls, and evidence for every claim on this page.

SOC 2 Type 1 · Sensiba | VAPT · BlueTeamers | US-hosted · Tenant isolated

Independently attested security posture

Attestations & Certifications

Third parties have looked under the hood.

SOC 2 Type 1

SOC 2 Type 1

Attested
Audited by Sensiba LLP

Independent attestation against AICPA Trust Services Criteria — security, availability, and confidentiality.

Report available under NDA
VAPT Certified

VAPT Certification

Certified
Audited by BlueTeamers

Independent Vulnerability Assessment and Penetration Testing across platform, APIs, and MCP surface.

Executive summary available under NDA
NIST · ISO · CIS

Aligned Frameworks

Mapped
Mapped to NIST CSF · ISO 27001 · CIS Controls

Controls mapped to NIST CSF, ISO/IEC 27001 Annex A, and CIS Controls v8.

Control mapping matrix on request
Our Principles

Four principles behind every control.

Defense in depth

Layered controls across network, identity, application, and data — no single point of failure.

Least privilege

Production access is gated, time-bound, and logged. No standing credentials to customer data.

Your data stays yours

Never sold. Never used to train generalized AI models without explicit written consent.

Evidence over assertion

Every control is backed by auditable evidence and third-party reports.

Reference Architecture

Segmented, observable, recoverable.

WAF-protected edge · authenticated identity plane · tenant-scoped services · encrypted, multi-AZ data. Admin systems on a segmented network with hardware MFA.

[Figure: Gridleaf reference security architecture, five-layer diagram]

Controls

How we protect your data, end to end.

Encryption

  • TLS 1.2+ in transit; HSTS preloaded.
  • AES-256 at rest across databases, object storage, and backups.
  • Per-tenant row-level isolation; CMEK available for enterprise.

Identity & access

  • SSO via OIDC and SAML 2.0 (Okta, Azure AD, Google Workspace).
  • MFA required for all admin and production-privileged accounts.
  • RBAC with scoped API keys; SCIM provisioning for enterprise.

Infrastructure

  • Hosted on SOC 2 / ISO 27001 certified US cloud providers.
  • Infrastructure-as-code with peer-reviewed, immutable deploys.
  • Hardened container images with CVE scanning on every build.

Network & perimeter

  • WAF, rate limiting, and bot protection on all public endpoints.
  • Private networking between tiers; databases have no public ingress.
  • DDoS protection via upstream CDN and cloud-native mitigations.

Secure development

  • Mandatory peer review; protected branches and signed commits.
  • SAST, SCA, and secret scanning on every pull request.
  • Threat modeling for new services and architectural changes.

Monitoring & detection

  • Tamper-evident audit logs for auth, authz, and data access.
  • Anomaly monitoring for API abuse and privilege escalation.
  • On-call engineering with defined SLAs for security events.

Incident response

  • Documented IR plan with defined severities and roles.
  • Customer notification within 72 hours per GDPR / DPDP guidance.
  • Post-incident reviews shared with affected customers under NDA.

Vulnerability management

  • Third-party VAPT by BlueTeamers; remediation SLAs by severity.
  • Continuous internal scanning across infra and app layers.
  • Responsible disclosure at security@gridleaf.org with safe harbor.

Data handling & isolation

  • Logical tenant isolation — no commingling across customers.
  • Three-tier classification: Public, Confidential, Critical Infrastructure.
  • Configurable retention; deletion within 30 days of verified request.

AI & model governance

  • No training on customer data without explicit written consent.
  • Advisory outputs — decision-support, never autonomous control.
  • Prompt and output logs scoped and retained per tenant controls.

Continuity & resilience

  • Automated encrypted backups with periodic restore testing.
  • Defined RPO / RTO targets and tested DR runbooks.
  • Multi-AZ deployments for primary data plane services.

Vendor & subprocessor

  • Security and privacy review before any subprocessor onboards.
  • Subprocessor list available on request; updated on material change.
  • DPAs with SCCs available for EU and UK customers.

Regulatory Posture

Where we stand on the frameworks you care about.

  • SOC 2 (Type 1): Attested by Sensiba LLP — Security, Availability, and Confidentiality.
  • GDPR: DPA with SCCs, DPO contact, data subject rights, 72-hour breach notification.
  • CCPA / CPRA: Consumer rights workflow; no sale of personal information.
  • India DPDP Act: Data fiduciary obligations, consent manager compatibility.
  • NIST CSF: Identify, Protect, Detect, Respond, Recover functions mapped to controls.
  • ISO/IEC 27001 (aligned): Annex A coverage maintained; formal certification on the roadmap.
  • HIPAA: Not a HIPAA-covered entity; Gridleaf does not process PHI.
  • FERC / NERC CIP: Decision-support only — no connection to BES cyber systems, no CIP applicability.

Due Diligence

Artifacts available for review.

Request under NDA. Vendor questionnaires turned around in five business days.

  • SOC 2 Type 1 report (Sensiba)
  • VAPT executive summary (BlueTeamers)
  • Architecture & data flow diagram
  • Subprocessor list
  • Data Processing Addendum (DPA) with SCCs
  • Security questionnaire (SIG Lite / CAIQ)
  • Business continuity summary
  • Incident response plan summary

Responsible disclosure

Found a vulnerability? Test only accounts you own, avoid unnecessary data access, and give us a window to remediate before public disclosure. Good-faith research gets safe harbor.

security@gridleaf.org

Working with your security team

Vendor questionnaires (SIG, CAIQ), DPAs, and architecture reviews with CISO and procurement teams.

Summary only. Authoritative terms live in your MSA, DPA, and exhibits.