Zero-trust edge
Every request to production clears an identity-aware access policy at the edge before it reaches application logic — nothing gets a free pass on network location alone.
Security posture
Zero-trust access, layered authentication, rotating credentials, a tamper-evident audit trail, and per-tenant rate limiting protect every request to the production memory surface. The certifications we don’t hold yet are listed below, in plain language — not buried in a data room.
1. How we protect production access
A single compromised layer should never be enough on its own. Every request clears identity, transport, and origin checks in sequence.
Every request to production clears an identity-aware access policy at the edge before it reaches application logic — nothing gets a free pass on network location alone.
A second, independent authentication check runs at the origin. A single misconfigured layer does not hand over access on its own.
Credentials with access to production rotate automatically on a 30-day cycle, so a leaked credential has a short window instead of a long one.
Production has no direct public network path. Connections originate outbound, over an authenticated tunnel, to the edge — not the other way around.
2. Encryption
Every request to production is encrypted end to end with TLS. There is no plaintext path to the origin.
Production data lives on our cloud storage platform, which encrypts stored data at rest by default.
Access identifiers are recorded for audit purposes; the underlying secrets and tokens themselves are never written to a log. This is enforced with an automated check, not a policy on paper.
3. Tamper-evident audit trail
An audit trail is only useful if it can’t be quietly rewritten. Ours is designed to fail loudly the moment something doesn’t check out.
Consequential actions are written to a single, append-only audit log the moment they happen.
Each entry is cryptographically linked to the one before it, so tampering with any record breaks the chain forward of that point.
If the chain is ever damaged, the system stops and flags it rather than silently starting a new chain and rendering an all-clear.
4. Rate limiting & isolation
Usage limits are enforced per credential, not by network address — so one noisy or compromised connector can’t exhaust a shared budget.
One tenant hitting its limit has no effect on another tenant’s traffic. A problem in one workspace stays contained to that workspace.
5. Certifications & assurance
We are an early-stage company and don’t yet hold a SOC 2 report, ISO 27001 certification, FedRAMP authorization, or a published third-party penetration test. There is no 24/7 on-call rotation today — response is best-effort. We would rather state that plainly here than have it surface for the first time in a procurement review.
Those audits and certifications are the next things we fund as we take on enterprise and federal engagements — the control posture on this page (zero-trust access, credential rotation, tamper-evident audit logging) was built to be assessment-ready when that time comes.
6. Report a vulnerability
Email security@griff.run with a description, reproduction steps, the affected URL or artifact, and any timeline constraints we should respect. We’ll acknowledge receipt, work the issue in good faith, and credit you in any public remediation note unless you’d rather stay anonymous. We don’t currently run a paid bug bounty, and we won’t pursue legal action against good-faith research that respects the boundaries below.
Ground rules
Deeper evidence, under NDA
Production identity, messaging, billing, and partner-integration evidence are documented for qualified security and procurement reviewers under NDA. For procurement-grade control mapping and supply-chain detail, see /federal. For our full external review history, see /trust.