GreyScape.ai

Trust

Security, privacy & compliance.

Everything your InfoSec, legal, and procurement teams need — in one place. Send them this URL.

  • Encryption: TLS 1.2+ in transit, AES-256 at rest
  • Data residency: EU by default; US/UK on request
  • Auth: WorkOS, SSO + TOTP enforced
  • Breach SLA: 72 hours, confirmed-incident notification

Who we are

GreyScape.ai is a service of KARRD Services FZCO, a Dubai International Free Zone company at IFZA Business Park, Dubai Silicon Oasis. We are a data processor under GDPR — customers retain controller responsibilities for their data.

Architecture & encryption

PostgreSQL 16 with row-level security policies on every tenant-scoped table. TLS 1.2+ in transit, AES-256 at rest. Customer-provided AI provider keys are additionally encrypted at the application layer. WorkOS AuthKit handles all sign-in — we never see passwords.
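As an added illustration (not GreyScape's own schema or code), this is what a tenant-scoped row-level security policy of the kind described above looks like in PostgreSQL 16; the table, column, role and session-setting names are assumptions. It also shows the two details a reviewer should check: RLS is forced for the table owner, and an unscoped session sees nothing rather than everything.

```sql
-- Illustrative tenant-scoped table; names are assumptions, not GreyScape's schema.
CREATE TABLE ai_usage_events (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    user_id     uuid NOT NULL,
    provider    text NOT NULL,
    occurred_at timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS and force it for the table owner too, so no application code path
-- bypasses it. Superusers and roles with BYPASSRLS remain exempt, which is why
-- the application connects as an unprivileged role (below).
ALTER TABLE ai_usage_events ENABLE ROW LEVEL SECURITY;
ALTER TABLE ai_usage_events FORCE ROW LEVEL SECURITY;

-- A session may read and write only rows whose tenant_id matches its session
-- variable. current_setting(..., true) yields NULL (or '' if previously set and
-- reset), and nullif() turns both into NULL, so an unscoped session matches no rows.
CREATE POLICY tenant_isolation ON ai_usage_events
    FOR ALL
    USING (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);

-- Unprivileged application role: GRANTs give table access, the policy filters rows.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON ai_usage_events TO app_user;
GRANT USAGE, SELECT ON SEQUENCE ai_usage_events_id_seq TO app_user;

-- Per-request usage: scope the transaction to one tenant, then query normally.
-- The UUIDs are constructed sample values.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO ai_usage_events (tenant_id, user_id, provider)
VALUES ('11111111-1111-1111-1111-111111111111',
        '22222222-2222-2222-2222-222222222222', 'example-provider');
SELECT count(*) FROM ai_usage_events;   -- counts only this tenant's rows
COMMIT;

-- Check: a session that never sets app.tenant_id sees zero rows, not all rows.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM ai_usage_events;   -- 0
ROLLBACK;
```

A cross-tenant write is rejected by the WITH CHECK clause with a policy violation error, which is the behaviour to test for in a tenant-isolation review.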

Read the full security page

Privacy & data handling

We collect only what's needed to provide the Service: AI usage metadata, user attribution, and shadow-AI discovery findings. We do NOT use customer data to train AI models. We do NOT proxy your AI calls — prompts and completions never touch our infrastructure.

Privacy Policy

Per-data-point inventory

Data Processing Addendum

Our DPA is incorporated by reference into every paid contract. It covers controller/processor roles, sub-processor obligations, data-subject rights, international transfers (Standard Contractual Clauses), and the 72-hour breach-notification commitment.

DPA (Article 28 GDPR)

Sub-processors

We use Railway (Postgres + app hosting, Frankfurt), Cloudflare (DNS + CDN + WAF), WorkOS (auth), Resend + AWS SES (email), Stripe (billing). Customers are given 14 days' prior notice of new sub-processors and may object on reasonable grounds.

Current sub-processor list

Compliance posture

  • GDPR compliant by design
  • UAE PDPL compliant by design
  • EU AI Act deployer-side compliant (Articles 26-27)
  • SOC 2 Type II — not yet attested. Roadmapped after 25 paying customers.
  • ISO 27001 — not yet certified. Roadmapped after SOC 2.
  • Not in scope: HIPAA, PCI DSS (Stripe holds PCI data)

Where we're honest about gaps. If your procurement workflow requires SOC 2 / ISO certification today, we may not yet be the right fit — we'd rather say that up-front than waste your time.

Acceptable use + terms

Standard prohibitions: no illegal activity, no abuse of the Service, no scraping, no reverse-engineering. Customer is responsible for its end-users' conduct in the workspace.

Acceptable Use Policy

Need a security review pack?

We maintain a pre-completed security review pack that covers the highest-frequency CAIQ / SIG-Lite questions, plus a sub-processor list, encryption notes, and incident-response playbook. Available on request under NDA — turnaround < 5 business days.