Security
Grabyo continually reviews its comprehensive security features and undertakes regular audits of its systems and networks to ensure that its data and systems are secured and protected.
Privacy Certifications and Data Protection
Read Grabyo’s Privacy Policy.
For information on our legal and privacy terms, please visit:
Grabyo’s terms of service (United States)
Grabyo’s terms of service (Japan)
Grabyo’s terms of service (Rest of World)
Cloud Security
Data Centre Physical Security
Facilities: Grabyo hosts Service Data primarily in Amazon Web Services (AWS) data centres that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn more about Compliance at AWS.
AWS infrastructure services include backup power, HVAC systems and fire suppression equipment to help protect servers and your data. Learn more about Data Centre Controls at AWS.
On-site Security: AWS on-site security includes a number of features such as security guards, fencing, security video feeds, intrusion detection technology and other security measures. Learn more about AWS physical security.
Data Hosting Location: Grabyo leverages different AWS Regions around the world, with multiple data centres within each region.
Network Security
Protection: Grabyo’s network is protected through the use of key AWS security services and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Network Vulnerability Scanning: Grabyo undertakes network security scanning to gain precise and quick identification of out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests: In addition to Grabyo’s extensive internal scanning and testing programme, each year Grabyo employs third-party security experts to perform a penetration test across the Grabyo platform.
Intrusion Detection and Prevention: Grabyo’s ingress and egress points are closely monitored to detect unusual behaviour. These systems are configured to automatically alert Grabyo’s security team when incidents lie outside of predetermined thresholds, and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
DDoS Mitigation: The use of AWS scaling and protection tools provides deeper protection on top of the standard DDoS protection offered by AWS services.
Logical Access: Access to the Grabyo platform is restricted on a strict least-privilege basis. It is frequently reviewed and monitored, and is controlled by Grabyo’s security team. Anyone accessing the Grabyo platform is required to use multi-factor authentication.
Security Incident Response: In case of a system alert, Grabyo’s 24/7 teams provide platform operations, network engineering and security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Encryption
Encryption in Transit: All communications with the Grabyo UI and APIs are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Grabyo is protected in transit. Third-party apps, integrations or services that subscribe to Grabyo may choose, at their own discretion, whether to use HTTPS/TLS.
Encryption at Rest: Sensitive Data is encrypted at rest in AWS using AES-256 encryption.
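The “TLS 1.2 or higher” requirement above is something a client integrating with an HTTPS API can enforce on its own side as well. The following is an added example, not Grabyo’s code: it builds a Python client TLS context that refuses TLS 1.0/1.1 and keeps certificate and hostname verification on, next to a deliberately weak context, and an audit helper that reports the settings a reviewer would flag. The function names and the audit rules are this example’s own choices, and nothing here touches the network.

```python
import ssl

# Added example (not Grabyo's code): a hardened client TLS context beside a
# weak one, plus an audit helper that reports what a reviewer would flag.

MIN_TLS = ssl.TLSVersion.TLSv1_2


def make_client_context() -> ssl.SSLContext:
    """Hardened client context: TLS 1.2+ only, certificate and hostname checks on."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname already on
    ctx.minimum_version = MIN_TLS        # reject TLS 1.0 / 1.1 handshakes outright
    return ctx


def make_weak_context() -> ssl.SSLContext:
    """The 'before' configuration: any TLS version, no certificate verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False           # must be switched off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context meets the bar."""
    findings = []
    if ctx.minimum_version < MIN_TLS:
        findings.append(
            f"minimum_version is {ctx.minimum_version.name}; require TLSv1_2 or higher"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate is not matched to the host name")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()), ("weak", make_weak_context())):
        print(name, audit_client_context(ctx) or "OK")
```

The same three checks (minimum protocol version, certificate validation, hostname matching) are what to look for in any HTTP client or SDK configuration; a client that only “supports” TLS 1.2 but still negotiates down to TLS 1.0 does not meet the requirement.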
Availability and Continuity
Uptime: The Grabyo platform is architected with resiliency and redundancy in mind, with its servers operated and data stored in a distributed manner across multiple fault-tolerant, isolated data centres. This provides continuous service uptime.
Redundancy: Grabyo employs service clustering and network redundancies to eliminate single points of failure. Grabyo’s backup strategy allows it to deliver a high level of service availability, as Service Data is replicated across availability zones.
Disaster Recovery: Grabyo’s Disaster Recovery (DR) programme ensures that its services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, backups, creating Disaster Recovery plans, and testing activities.
Application Security
Secure Development (SDLC)
Secure Code Training: At least annually, Grabyo engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors and Grabyo security controls.
Framework Security Controls: Grabyo leverages modern and secure open-source frameworks with built-in security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce its exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), among others.
Separate Environments: Development and testing environments are logically separated from the Production environment. No Service Data is used in Grabyo’s development or test environments.
Vulnerability Management
Static Code Analysis: The source code repositories for Grabyo’s platform applications are scanned for security issues via its integrated static analysis tooling.
Third-party Penetration Testing: In addition to Grabyo’s extensive internal scanning and testing programme, it employs third-party security experts to perform detailed penetration tests on different applications within its platform.
Product Security
Authentication Security
Authentication Options: Customers may use multi-factor authentication to sign in to Grabyo, using a Time-based One-Time Password (TOTP) generated by an authenticator app on an iOS or Android mobile device. MFA can also be enforced for all users of a customer’s account.
Service Credential Storage: Grabyo follows secure credential storage best practices by never storing passwords in human-readable form, only the output of a secure, salted, one-way hash.
Role-based Access Controls: Access to data within Grabyo is governed by role-based access control (RBAC); roles can be configured to define which access privileges each user holds.
Human Resources Security
Policies: Grabyo has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Grabyo information assets.
Training: All employees attend Security Awareness Training, which is given at hiring and annually thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts and presentations at internal events.
Background Checks: Grabyo performs background checks on all new employees in accordance with local laws. These checks are also required to be completed for contractors. The background check may include criminal, education and employment verification.
Confidentiality Agreements: All new hires are required to sign non-disclosure and confidentiality agreements.
For more information on Grabyo’s security policies, get in touch.