GridGuard is built to meet the security expectations of large investor-owned utilities operating under NERC CIP, FERC, and CPUC oversight. Your compliance data is protected by multiple layers of encryption, strict access controls, and US-only infrastructure.
Encryption
Every byte of compliance data is encrypted both in transit and at rest using industry-standard algorithms.
All data transmitted between your browser and GridGuard servers is encrypted using TLS 1.3, the most current and secure transport layer protocol. Older TLS versions (1.0, 1.1) are disabled.
All compliance data, RSAW documents, mitigation plans, and uploaded files stored in our databases and object storage are encrypted at rest using AES-256, the same standard used by US government agencies.
Our managed database instances use transparent data encryption (TDE) at the storage layer, providing an additional encryption boundary independent of application-level controls.
API keys, database credentials, and service tokens are stored in dedicated secrets management systems — never in source code, environment files, or logs. Keys are rotated on a defined schedule.
Data Residency
All infrastructure, storage, and processing are confined to US data centers — critical for utilities with NERC CIP and federal data handling requirements.
All GridGuard infrastructure — compute, databases, object storage, and backups — is hosted exclusively in United States data centers. No customer data is stored or processed outside the US.
We operate in the AWS US-East and US-West regions. Both regions run in facilities holding SOC 2 Type II, ISO 27001, and FedRAMP authorizations, with physical security controls, redundant power, and 24/7 on-site security.
Automated database backups and point-in-time recovery snapshots are retained within US regions only. Backup retention is 30 days for standard plans and 90 days for enterprise plans.
GridGuard does not transfer customer compliance data to third-party processors outside the United States. All sub-processors handling customer data are US-based and contractually bound to equivalent data protection standards.
Access Controls
Access to compliance data is controlled at every layer — from user roles to infrastructure permissions — following the principle of least privilege.
Every user action is governed by role-based permissions. Organization administrators control who can view, edit, or export compliance data. Granular roles include read-only auditor access for external reviewers.
All user actions — logins, data exports, document edits, and permission changes — are recorded in immutable audit logs with timestamps and IP addresses. Logs are retained for 12 months.
MFA is available for all accounts and enforced by default for administrator roles. We support TOTP authenticator apps and SSO-based MFA through your organization's identity provider.
GridGuard supports SAML 2.0 and OIDC-based SSO integration with enterprise identity providers including Okta, Azure AD, and Ping Identity, enabling centralized access management and automatic deprovisioning.
Incident Response
We maintain a proactive security posture with continuous monitoring, regular testing, and a documented response plan.
In the event of a confirmed data breach affecting your organization's data, we will notify you within 24 hours of discovery, including the nature of the incident, data affected, and remediation steps taken.
We maintain a documented incident response plan with defined roles, escalation paths, and communication templates. The plan is tested annually through tabletop exercises.
We conduct quarterly vulnerability scans and annual penetration tests by independent third-party security firms. Critical findings are remediated within 72 hours; high findings within 14 days.
Our infrastructure is monitored 24/7 for anomalous activity, unauthorized access attempts, and performance degradation. Automated alerts trigger immediate investigation by our security team.
If you have questions about our security practices, wish to report a vulnerability, or need a security questionnaire completed for your procurement process, please contact our security team directly.