Gracifi Data & Security Policy

Effective Date: 28 Apr 2025

Overview
At Gracifi, protecting the privacy and security of our customers' data is our top priority. We’ve invested in strong security practices across our systems, products, and processes. We work closely with our legal and compliance teams to ensure that we meet the highest industry standards in security and data protection.


Our Security Objectives
We follow best practices in the SaaS industry to build a robust security framework. Our main objectives are:

~ Customer Trust and Protection:
Deliver exceptional products while safeguarding the confidentiality of customer data.

~ Service Availability and Continuity:
Maintain uninterrupted service and minimize disruptions.

~ Data Integrity:
Ensure that customer information remains accurate and secure.

~ Compliance with Standards:
Strive to meet or exceed industry compliance requirements.




Security Measures

To protect the data entrusted to us, Gracifi uses multi-layered administrative, technical, and physical security controls.


Infrastructure Security

~ Cloud Hosting Providers:
Gracifi uses reputable cloud hosting providers like Google Cloud and Amazon Web Services (AWS) to host our product infrastructure. We rely on their security programs, compliance certifications, and data redundancy measures.



~ Network Security:
Our product infrastructure is protected by firewalls, security groups, and network-level access controls to prevent unauthorized access.



~ Configuration Management:
Our systems use automated configuration management, ensuring consistent, secure configurations for all servers and instances.


Application Security

~ Web Application Defenses:
We use firewalls and security monitoring tools to protect customer data and prevent malicious traffic. We follow OWASP Top 10 recommendations to ensure application security.

~ Code Management:
Our development process includes continuous testing, code reviews, and vulnerability scans. We conduct annual penetration testing to identify and fix potential security risks.

~ Data Encryption:
We encrypt all data in transit and at rest using industry-standard protocols such as TLS (1.2 or 1.3) and AES-256. Customer passwords are also hashed and stored securely.




Data Backup & Recovery

~ Backups:
We regularly back up customer data and store it securely. These backups are monitored and protected by access controls to ensure data integrity.

~ Disaster Recovery:
Gracifi’s infrastructure is designed with redundancy across multiple availability zones, ensuring service continuity. In case of a failure, our recovery plans ensure minimal downtime.


Identity & Access Control

~ User Management:
Gracifi allows customers to create and manage user accounts with specific roles and privileges. We also enforce multi-factor authentication (MFA) for all accounts to enhance security.

~ Employee Access Control:
Gracifi employees have limited access to production systems and data. Access is controlled by role-based access control (RBAC) and regularly audited to ensure compliance.


Compliance & Data Retention

~ Compliance:
Gracifi complies with relevant data protection regulations and standards. While we don’t store payment card data, we use PCI-compliant processors for secure payment handling.

~ Data Retention:
We retain customer data for as long as the account is active. Customers can request data deletion in accordance with applicable privacy laws.


Security Awareness & Training

~ Employee Training:
All employees undergo security awareness training to understand data protection best practices and mitigate risks such as phishing attacks.

~ Vendor Management:
Gracifi ensures that any third-party providers maintain appropriate security measures as part of our vendor contracts.


Breach Response & Notification

In the event of a data breach, Gracifi will notify affected customers in accordance with applicable legal requirements and provide steps for mitigating any potential impact.

Document Scope

This policy outlines Gracifi's approach to data security and privacy. It is intended as an informational resource and is subject to change as we continue to improve our security practices.

© 2025 Gracifi. All rights reserved.