Security · Controls
An honest inventory of GRID's security posture. Written so a procurement team can answer 80% of their diligence questions without a call. Each control lists what's actually running in production, not what's in a deck. If something you need isn't here and isn't listed as planned, write to us — most enterprise gaps close in the first contract.
Role-based access within Environments
Every Environment has an Owner plus memberships scoped to Admin, Contributor, or Viewer. The API enforces owner-only writes on Environment-level mutations.
Evidence: EnvironmentMembership model · assertOwnsEnvironment helper
Per-route role enforcement
Route-level role checks (ADMIN / CONTRIBUTOR / VIEWER) are being fanned out from the current Environment-owner gate to all downstream routes.
SSO via OIDC
Google and Microsoft sign-in available; additional OIDC providers (Okta, Azure AD) integrate via the same Auth.js surface.
SCIM 2.0 provisioning
Automated directory provisioning for enterprise identity providers. Built on demand for enterprise deals that require it.
Audit log
Every workflow, execution, member change, integration change, and Atrium query is recorded in the AuditLog with before/after JSON diffs.
Evidence: AuditLog model · /audit page · CSV export endpoint
Autonomous action trace
Every Atrium action persists a KernelTrace including tools called, data read, and the rationale. Surface-facing “why did Atrium do this?” panel exposes the trace inline.
Evidence: KernelTrace · IntelligenceLog models
Tamper-evident monthly reports
Signed monthly ROI reports for finance review. Hash of the month’s AuditLog entries embedded in the PDF so the report is verifiable after the fact.
Encryption in transit
TLS 1.2+ for all HTTP traffic. HSTS with preload.
Encryption at rest
Primary datastore is encrypted at rest via the managed provider. Secrets (integration tokens, email verification, invite tokens) are stored as SHA-256 hashes or envelope-encrypted blobs.
Evidence: lib/email-verification.ts · lib/invitations.ts · lib/keys
Customer-managed keys (CMK / BYOK)
Available on enterprise plans. Built on request for the first customer that contractually requires it.
Consent log
Every consent event (signup, marketing, analytics, data-processing, third-party share) is recorded with policy version, hashed IP, and truncated user-agent. Re-consent triggers on policy-version bumps.
Evidence: ConsentLog model · lib/consent/log.ts
Scoped consent per data class
Consent scoped by integration and data class (e.g., Gmail read vs Gmail send). The UI exposes this per-integration rather than as a single global toggle.
Data residency
Regional data planes for EU / UK / US. Planned for the first enterprise deal whose MSA requires it.
Reversible-by-default autonomy
Every autonomous action at Level 3+ creates a compensating PendingAction that can be undone within a 24-hour window.
Evidence: PendingAction model · AutonomyConfig model
Per-scope autonomy (5 levels)
Observe → Suggest → Act & Notify → Autonomous → Self-Direct. Configurable per Workflow and per System. Recommendation engine surfaces upgrades based on approval rate.
Evidence: AutonomyConfig · Atrium Trust Score
Multi-step approval chains
ApprovalRequest supports multi-step chains with per-step reviewer assignment, status, and comments.
Dependency monitoring
Automated CVE scanning on every push via the hosting provider’s advisory feed. Dependabot-equivalent PRs for high-severity CVEs.
Responsible disclosure
Public security.txt and disclosure page. 48-hour acknowledgement commitment.
Evidence: /security · /.well-known/security.txt
Rate limiting
Per-identity rate limiting on all authenticated API routes. Limits are per-role and can be lifted per-customer.
Evidence: lib/rate-limit.ts · rateLimitApi
Backup & recovery
Automated daily Postgres snapshots with 30-day retention. Restore rehearsed monthly.
Need a control that isn't listed, or an expedited SOC2 Type II? Email security@grid.app. The public disclosure process lives on the security page.