Trust & Security

We Protect the Platforms That Protect Your Data

Enterprise-grade security, transparent practices, and compliance certifications you can verify.

Security Architecture

Multiple layers of defense protect your compliance data at every level.

Encryption

AES-256 at rest, TLS 1.3 in transit. All sensitive data encrypted with industry-standard algorithms. Key rotation every 90 days.

Multi-Tenant Isolation

Organisation-scoped data with role-based access control. 15 RBAC roles ensure users only see what they should.

Infrastructure

AWS hosted with EU and US data residency options. Auto-scaling, redundant availability zones, and daily automated backups.

Authentication

Multi-factor authentication, SSO support, JWT with rotation. Session management compliant with PCI DSS 8.2.8.

Audit Logging

Every action logged with user, timestamp, IP address, and resource. Immutable audit trail for compliance and forensics.

Vulnerability Management

Continuous vulnerability scanning, annual third-party penetration testing, and a responsible disclosure program.

Compliance Certifications

Our commitment to meeting and exceeding industry standards.

SOC 2 Type II: In Progress

ISO 27001: Planned

GDPR: Compliant

Cyber Essentials: Planned

PCI DSS: Designed to Standard

Data Privacy

Data Residency: EU (Ireland) or US (Virginia)
Data Retention: Configurable per organisation, default 2 years
Right to Erasure: Honoured within 30 days
Sub-Processors: AWS, Anthropic, SendGrid (listed transparently)
DPA: Available on request

Your Data Belongs to You

We process it only to deliver the service you have contracted. We never sell, share, or use customer data for advertising or AI training. Your compliance data remains under your control at all times, with full export capabilities and transparent data processing practices.

Platform Activity

Scale you can trust, built for enterprise compliance workloads.

Assessments Managed: 0+

Evidence Items Processed: 0+

Training Completions: 0+

Organisations Protected: 0+

Figures are illustrative and represent platform capacity metrics.

Uptime & Reliability

All Systems Operational
Uptime Target: 99.9%
Critical Incident Response: < 1 hour
High Incident Response: < 4 hours
Backups: Daily automated, 30-day retention
Point-in-Time Recovery: Supported
Disaster Recovery: Multi-AZ with automated failover

Responsible AI

Transparency and human oversight at every stage.

AI Transparency

Our 7 AI engines assist with compliance guidance, policy generation, and evidence categorisation. AI provides recommendations; humans make decisions.

Data Privacy

Customer data is never used to train AI models. We use Anthropic Claude with zero data retention.

Human Oversight

All AI outputs are clearly labelled. Critical compliance decisions always require human review and approval.

Report a Security Concern

security@grctrack.com

We take all security reports seriously and respond within 24 hours.

Responsible disclosure: we appreciate security researchers who help us improve. Contact us before public disclosure.

Trust Center FAQ

Is GRCTrack SOC 2 certified?
GRCTrack is pursuing SOC 2 Type II certification. Our infrastructure is designed to SOC 2 standards with continuous monitoring, access controls, and audit logging.

Where is GRCTrack data stored?
GRCTrack data is hosted on AWS infrastructure with options for EU (Ireland) and US (Virginia) data residency. All data is encrypted at rest with AES-256 and in transit with TLS 1.3.

Does GRCTrack use my data to train AI?
No. Customer data is never used to train AI models. Our AI features use Anthropic Claude with zero data retention policies. Your compliance data remains yours.

How does GRCTrack handle data breaches?
GRCTrack has a documented incident response plan with notification within 72 hours as required by GDPR. We maintain 24/7 monitoring and automated alerting for security events.

Is GRCTrack GDPR compliant?
Yes. GRCTrack is GDPR compliant with documented data processing agreements, data subject rights processes, sub-processor transparency, and EU data residency options.