This Security Statement describes the technical and organisational measures GreyScape.ai (operated by KARRD Services FZCO) has implemented to protect Customer Data. It is incorporated by reference into our DPA and provides the detail required by DPA Section 5.
Security is not a destination — it's an ongoing engineering practice. We update this Statement whenever the controls listed below change in a material way; the “Last updated” date at the top of the page reflects the most recent revision.
1. Encryption
1.1 In transit
Every connection between a user's browser and the Service is encrypted using TLS 1.2 or TLS 1.3, with modern cipher suites only. We renew TLS certificates automatically through our hosting and edge providers; we do not accept HTTP traffic on the production domain.
1.2 At rest
The PostgreSQL database is encrypted at rest by the underlying managed database service (block-level encryption). On top of that, every credential we receive from a Customer (provider API keys, identity-provider tokens, BYOK enrolment payloads) is wrapped in AES-256-GCM envelope encryption under a key controlled by GreyScape.ai before being persisted. Plaintext credentials never reach the application logs and are never displayed in the user interface.
1.3 Backups
Continuous WAL-based point-in-time recovery is maintained by the managed Postgres provider. Backup data inherits the same at-rest encryption guarantees.
2. Access controls
- Customer accounts. Sign-in is brokered by WorkOS AuthKit. Customers authenticate via their organisation's identity provider (Google Workspace, Microsoft 365, Apple, GitHub), inheriting any multi-factor authentication and conditional-access policies enforced by that provider. GreyScape.ai never stores passwords.
- Role-based access within the Service. Each tenant workspace has owners, admins, finance admins, IT admins, approvers, members, and viewers. Permissions are enforced server-side on every request.
- Operator (KARRD personnel) access. Production access requires authentication to a separate system-admin portal with a distinct credential and shorter session lifetime (24 hours). Production database credentials are stored in our hosting provider's secret manager and rotated periodically.
- Principle of least privilege. Access to production data is granted only to engineering personnel who require it for incident response or product delivery, and only for as long as needed.
3. Audit logging
Every administrative action performed in the Service — configuration changes, approval decisions, key issuance, member invitations, policy edits — is recorded in an immutable audit log keyed to the acting user and the affected tenant. Customers can review their own audit log from within the Service; the GreyScape.ai operator can review the cross-tenant audit log from the operator portal. Audit log entries are retained for at least two years.
4. Vulnerability management
- Dependency monitoring. The codebase is scanned continuously for known vulnerabilities in third-party packages; high and critical severity advisories are remediated promptly.
- Application security review. Changes to the codebase are reviewed before merge; security-sensitive areas (authentication, encryption, RBAC, data export) receive extra scrutiny.
- Coordinated disclosure. If you find a security issue, please report it to [email protected] before disclosing publicly. We acknowledge reports within 48 hours and aim to remediate confirmed issues within 30 days (sooner for critical issues). We do not currently run a paid bug bounty programme but acknowledge contributions in our security advisories where the reporter agrees.
5. Incident response
We maintain a written incident-response playbook covering detection, containment, eradication, recovery, and lessons-learned phases. In the event of a confirmed personal-data breach, GreyScape.ai will notify affected Customers without undue delay, and in any event within 48 hours of becoming aware, in line with the obligations set out in our DPA Section 8.
6. Business continuity
The Service runs on a managed cloud platform with continuous backups and the ability to roll forward to any point-in-time within the configured WAL retention window. We have run, and periodically re-run, recovery rehearsals to ensure we can restore service within our recovery time objective.
- Recovery time objective (RTO): 4 hours for production restoration.
- Recovery point objective (RPO): 1 hour of data loss in worst-case scenarios.
These targets reflect the beta posture; we expect them to tighten as the Service moves to general availability.
7. Sub-processor due diligence
Each Sub-processor is selected after a security review and is bound by contractual terms equivalent to the obligations imposed on GreyScape.ai. See /legal/subprocessors for the current list and DPA Section 6 for the change-notice process.
8. Compliance roadmap
- SOC 2 Type I — in progress; target completion mid-2026. The audit covers Security and Confidentiality trust services criteria. We will publish a summary report on completion.
- SOC 2 Type II and ISO/IEC 27001 — targeted after at least six months of post-launch operating evidence.
- GDPR / UAE PDPL alignment — ongoing; covered by the DPA and the Privacy Policy.
9. What we deliberately don't do
- We do not ingest the content of AI prompts, completions, embeddings, training data, or any payload that flows through the AI providers our Customers connect. Only usage metadata.
- We do not embed third-party advertising or cross-site tracking scripts. See our Cookie Policy.
- We do not sell or share personal data with marketing data brokers, ad networks, or data aggregators.
- We do not access Customer Data for product development without explicit Customer consent or anonymisation.
10. Security pack for procurement
For enterprise procurement and vendor-risk teams, we can provide a consolidated security pack including:
- This Security Statement, the DPA, and the Sub-processor list.
- A data-flow diagram showing the path of Customer Data through the Service.
- Our incident-response playbook (redacted where necessary).
- The current SOC 2 audit progress report.
- Our Standard Contractual Clauses execution copy on request.
Request at [email protected] with the name of your organisation and a short note on what you need.
11. Contact
Security questions, vulnerability reports, and procurement enquiries: [email protected].