Granite
Open menu

Security & compliance

Security is fundamental to everything we build

Granite holds sensitive lease, financial, and contract data for enterprise tenants. The platform is built to an enterprise correctness bar from day one — EU-resident, encrypted, auditable, and GDPR-first.

Security at a glance

EU data residency

Stored and processed in the EU — enforced, not configured.

Encryption everywhere

AES-256 at rest, TLS 1.3 in transit, customer-managed keys.

Identity & access

Federated SSO, MFA, and least-privilege roles.

Audit trail

Every change and access recorded to an immutable log.

Responsible AI

Processed in the EU; never used to train models.

Tenant isolation

Isolated at the database layer, beneath the application.

Data residency

Your data stays in the EU

EU data residency is a hard requirement, enforced by infrastructure — not a per-customer configuration option.

  • All customer data — the database, documents, and application logs — is stored in EU regions, with backups held in an EU multi-region.
  • Residency is enforced by an organisation-level location policy, so no resource can be created outside the EU by mistake.
  • The identity provider is self-hosted in the EU and operated by Granite, so it is not a third-party processor of your data.
  • Model inference runs in the EU. No customer data is stored or processed outside the EU.

Identity & access

Enterprise SSO, MFA, and least-privilege access

Access is federated to your own identity provider and enforced top to bottom — from sign-in to the database row.

  • Single sign-on via SAML 2.0 or OIDC federation to your identity provider, so account provisioning and offboarding stay under your control.
  • Multi-factor authentication — TOTP, WebAuthn, and passkeys — on a self-hosted identity provider.
  • Role-based, least-privilege access control, with no standing access beyond what a role grants.
  • Tenant data is isolated at the database layer with row-level security, beneath the application — so isolation holds regardless of application code.
  • Every access and mutating action is recorded with the actor, tenant, and action; operator database access is logged per query.

Data protection & GDPR

GDPR is foundational, not a roadmap item

Granite processes your data as a processor under a Data Processing Agreement entered into with every customer; you remain the controller.

  • Processing is on the basis of our contract with you (Article 6(1)(b)), and the purpose of each feature is documented.
  • Data is minimised by design: Granite holds lease and portfolio data, and deliberately does not handle special-category or sensitive personal data.
  • Data-subject rights — access, rectification, and erasure — are supported under the DPA.
  • Lease documents are soft-deleted to preserve the audit trail, with a verified hard-delete path for erasure requests where no legal retention obligation applies.

The website's own privacy practices are described in our Privacy Policy and DPA & sub-processors page; the product platform is covered by the customer DPA.

Responsible AI

AI that acts on your record — with a human at the gate

Granite's AI works on your own data inside a closed system. It is built to the same correctness bar as the system of record.

  • Customer data is processed in the EU and is never used to train foundation models — yours or anyone else's.
  • Nothing the AI produces enters the system of record without human approval.
  • AI-generated output is clearly labelled, including when an answer could not be independently verified, so people always know what came from a model.
  • Granite runs none of the AI uses the EU AI Act prohibits, and no employment, profiling, or biometric AI.

Reliability & continuity

Built to recover

The platform runs with regional high availability and can be rebuilt from version-controlled infrastructure.

  • The database runs with regional high availability across EU zones.
  • Automated daily backups and continuous point-in-time recovery, retained within the EU.
  • Infrastructure is declarative and version-controlled, so the environment can be rebuilt reproducibly rather than from memory.

What we don't do

Trust is also about restraint

  • No customer data stored or processed outside the EU.
  • No special-category or sensitive personal data — no health, biometric, or similar.
  • No training of shared AI models on your data.
  • No card or payment data — Granite holds none, so it carries no PCI scope.
  • No passwords for us to breach — sign-in is federated to your identity provider.

Compliance & certifications

  • GDPR

    By design

    EU data residency, lawful-basis and DPA tracking, and data-subject rights are built in — GDPR is foundational, not a future milestone.

  • SOC 2 Type II

    In progress

    Controls and evidence are being implemented to the SOC 2 framework ahead of a Type II audit; reports will be available to enterprise customers under NDA once the programme is operational.

  • ISO 27001

    Aligned

    Our controls are aligned to ISO 27001, which overlaps substantially with SOC 2; formal certification will follow as customers require it.

  • Access control

    By design

    Tenant data is isolated at the database layer with row-level security, layered with role-based, least-privilege access controls.

  • Independent testing

    Planned

    Independent penetration testing and annual third-party security audits run as part of the SOC 2 programme.

For procurement

Request our security package

For enterprise procurement, we provide our Data Processing Agreement, the current product sub-processor list, completed security questionnaires, and audit reports under NDA.

Contact sales

Reach sales@granitestrata.com for procurement, or security@granitestrata.com for security questions.