GRADE · SecurityHow we handle your data
Written for the IT, legal, and procurement people who evaluate vendors. Questions or security reviews: security@gradeltd.com — we answer questionnaires directly.
The short version
GRADE processes two kinds of customer content: published product documentation and inbound inquiry text. Each customer's data is isolated to that customer, is never used to serve or train for anyone else without written consent, and is returned or deleted within 30 days of exit. Every AI-drafted output requires explicit human approval before it goes anywhere.
Architecture choices that reduce risk
- Deterministic screening. Hard requirements (regulatory limits, specifications) are enforced as database filters — not model judgment. Every elimination carries an auditable reason.
- Verbatim provenance. Extracted values must trace to an exact source sentence in the customer's own documents; values without a source are rejected, not stored.
- Human-in-the-loop by design. The system drafts; a named representative reviews, edits, and approves. Nothing sends automatically.
- Release gating. Behavior changes only through versioned releases that pass an automated evaluation suite, including an independently verified zero-tolerance check for constraint violations and a permanent battery of prompt-injection tests.
Operational controls
- Encrypted transport (TLS) on all endpoints; access-controlled application endpoints; rate limiting; structured audit logging that excludes credentials and secrets.
- Least-privilege, scoped credentials for infrastructure; secrets kept out of source control; routine dependency vulnerability scanning; database backups.
- Subprocessors: model inference via Anthropic under contractual confidentiality; hosting on established cloud infrastructure (Railway, Cloudflare).
What we don't claim yet
We are an early-stage company and say so plainly: we do not yet hold SOC 2 or ISO 27001 certification — formal SOC 2 readiness is a funded item on our roadmap. Until then, this page states our actual posture, and we will walk your team through any of it, including our evaluation results, on request.
Reporting a vulnerability
Email security@gradeltd.com with details. We acknowledge promptly, investigate in good faith, and will not pursue action against good-faith research.
← Back to gradeltd.com