Security at GRCfy Maestro

Compliance data is among the most sensitive information an organisation holds. We've built GRCfy Maestro with security as a first principle — not an afterthought. This page explains exactly how we protect your data.

Last reviewed: May 2026  ·  Questions: security@grcfy.com
Encryption: AES-256 + TLS 1.2+
Audit Trail: Immutable & append-only
Access Control: 11 roles, least privilege
Breach Notification: 72-hour commitment

Contents
  1. Our Security Commitment
  2. Infrastructure & Hosting
  3. Encryption
  4. Authentication & Access Control
  5. Data Isolation
  6. Immutable Audit Trail
  7. Evidence & File Security
  8. Application Security
  9. Vulnerability Management
  10. Incident Response
  11. Business Continuity
  12. Employee & Vendor Security
  13. Responsible Disclosure
  14. AI Security Controls
Section 01

Our Security Commitment

GRCfy Maestro is built for organisations that manage sensitive compliance programmes — audits, findings, evidence, and regulatory submissions. The data your teams upload and generate is confidential, regulated, and in many cases subject to the DPDP Act 2023, GDPR, or other data protection laws.

We treat that responsibility seriously. Security decisions at GRCfy Maestro are not delegated to a single team — they are baked into architecture, code review, deployment processes, and how we hire and train our engineers.

Privacy-by-design: Platform administrators (super_admin, app_admin) are structurally excluded from accessing tenant audit data at the database query layer — not just the UI. Your compliance data is never visible to GRCfy Maestro platform staff in normal operations.
Section 02

Infrastructure & Hosting

Section 03

Encryption

In transit

At rest

// Password hashing — bcrypt, never MD5 or SHA-1
algorithm: "bcrypt"        // PHP password_hash() with PASSWORD_BCRYPT
cost_factor: 10            // minimum; tuned upward as hardware improves
stored_form: "hash only"   // plaintext discarded immediately after hashing

// Sensitive config values
cipher: "AES-256-CBC"      // Laravel Crypt::encryptString()
key_source: ".env APP_KEY" // never stored in the database
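As an added illustration (not GRCfy Maestro's own code) of the bcrypt settings above, in particular how a cost factor that is "tuned upward" reaches existing accounts: PHP's password_needs_rehash() flags a stored hash made at an older cost so it can be rehashed transparently at the next successful login. BCRYPT_COST and the function names are assumptions.

```php
<?php
// Added example, not from the page. Shows the hash / verify / rehash-on-login
// cycle that lets the bcrypt cost factor be raised without resetting passwords.

declare(strict_types=1);

const BCRYPT_COST = 10; // the page's stated minimum; raise this as hardware improves

// Hash a plaintext password. Only the returned hash is stored; the plaintext is discarded.
function hashPassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Called at login with the stored hash. Returns null on a wrong password, the
// unchanged hash when it is already at the current cost, or a fresh hash when
// the stored one was produced at a lower cost (so the caller persists the upgrade).
function verifyAndMaybeRehash(string $plaintext, string $storedHash): ?string
{
    if (!password_verify($plaintext, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashPassword($plaintext); // we hold the plaintext only during login, so rehash now
    }
    return $storedHash;
}

// Demonstration with a constructed legacy hash at cost 4 (the minimum PHP allows; demo only).
$legacy   = password_hash('correct horse battery', PASSWORD_BCRYPT, ['cost' => 4]);
$upgraded = verifyAndMaybeRehash('correct horse battery', $legacy);

assert($upgraded !== null && $upgraded !== $legacy);                       // rehashed
assert(password_get_info($upgraded)['options']['cost'] === BCRYPT_COST);   // now at cost 10
assert(verifyAndMaybeRehash('wrong password', $legacy) === null);          // rejected, nothing to store
```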

Section 04

Authentication & Access Control

Role-based access control

GRCfy Maestro implements a granular 11-role permission system. Every action — viewing audit data, uploading evidence, updating control statuses, managing findings — is gated by explicit role checks at the controller layer, not just the UI.

Tier                  | Roles                                        | Audit data access
Platform              | super_admin, app_admin, app_agent            | None — by design
Audit firm — senior   | audit_admin, lead_auditor                    | Own firm's audits only
Audit firm — reviewer | auditor, external_auditor, compliance_viewer | Assigned audits only
Client side           | client_manager, client_admin, client_user    | Own entity only

Password security

Single Sign-On (SSO)

Session security

Section 05

Data Isolation

Compliance data belonging to different organisations must never be visible across tenants. GRCfy Maestro enforces isolation at multiple layers:

Section 06

Immutable Audit Trail

Every significant action on the platform — login, data access, record creation/update/deletion, role change, permission grant, evidence review, force-delete — is written to an append-only compliance log simultaneously in two places:

Destination                   | Format                                            | Retention           | Purpose
Isolated compliance database  | Structured DB rows (Spatie Activity Log extended) | Duration of account | Queryable audit viewer, export, supervisory access
Daily-rotating JSON log files | Flat JSON per line (ELK/Splunk compatible)        | 90 days rolling     | SIEM integration, off-platform backup

Each log entry captures:

Immutability guarantee: Log records in the compliance database override save() and delete() at the model layer — any attempt to modify or delete an existing log entry throws a LogicException. Even platform administrators cannot alter log history through the application.

Permanent deletion ("force delete") operations are logged separately in a recovery_logs table with a mandatory, non-empty reason field, the actor's identity, and a cascaded record of all dependent data that was removed. This log is also immutable and available for export as CSV.
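The immutability guarantee described for the compliance log (and the recovery_logs table) can be expressed as an append-only Eloquent model. The following is an added example, not GRCfy Maestro's own code; the class, table and connection names are assumed.

```php
<?php
// Added example, not from the page: an Eloquent model that accepts inserts but
// throws LogicException on any update or delete, matching the guarantee above.

declare(strict_types=1);

namespace App\Models;

use Illuminate\Database\Eloquent\Model;
use LogicException;

final class ComplianceLog extends Model
{
    protected $connection = 'compliance';  // assumed: the isolated compliance database
    protected $table = 'compliance_logs';  // assumed table name
    protected $guarded = [];               // assumed: columns are set only by the logging layer

    // Inserts pass through; a row that already exists can never be re-saved.
    // $model->update([...]) also routes through save(), so it is covered too.
    public function save(array $options = []): bool
    {
        if ($this->exists) {
            throw new LogicException('Compliance log entries are immutable and cannot be updated.');
        }
        return parent::save($options);
    }

    // No deletion path at all, for any role. forceDelete() calls delete(), so it is blocked as well.
    public function delete(): ?bool
    {
        throw new LogicException('Compliance log entries cannot be deleted.');
    }
}

// Writing an entry works; touching it afterwards does not (constructed sample values).
$entry = ComplianceLog::create([
    'actor_id' => 42,
    'event'    => 'evidence.reviewed',
    'subject'  => 'control:C-1042',
]);
try {
    $entry->update(['event' => 'tampered']);
} catch (LogicException $e) {
    // expected: the stored row is unchanged
}
```

Query-builder writes such as ComplianceLog::where(...)->update([...]) and raw SQL bypass model-layer overrides, so the database user for the compliance connection should also be granted only INSERT and SELECT on the table.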

Section 07

Evidence & File Security

Section 08

Application Security

GRCfy Maestro is built on Laravel 12 (PHP 8.2) with Inertia.js / React 19. Our standard defences against OWASP Top 10:

Threat                            | Control
SQL Injection                     | Laravel Eloquent ORM with parameterised queries throughout. Raw SQL only where necessary, always with bound parameters.
Cross-Site Scripting (XSS)        | React's JSX automatically escapes all dynamic values. No dangerouslySetInnerHTML in production code paths.
CSRF                              | Laravel CSRF middleware enforced on all POST/PUT/PATCH/DELETE routes. Inertia.js sends the XSRF-TOKEN cookie automatically.
Broken Access Control             | Role checks at the controller layer (not just middleware) for every action. abort_unless() / abort_if() guards on every sensitive method.
Security Misconfiguration         | Debug mode disabled in production. Sensitive keys in environment variables, never in source code. Encrypted config values in DB.
Insecure Direct Object References | Route model binding resolves only records the authenticated user is scoped to. Tenant models are resolved after TenantContext is set — not via direct Laravel route model binding.
Third-party Component Risk        | Dependencies monitored for CVEs. High-risk packages (e.g., SheetJS) replaced with first-party alternatives. Composer and npm lockfiles committed.
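The controller-layer role check from the Authentication section and the tenant-scoped record resolution from the IDOR row above combine in a single action as follows. This is an added example, not GRCfy Maestro's own code; Finding, TenantContext and the hasRole() helper are assumed names.

```php
<?php
// Added example, not from the page: one controller action that (1) gates the
// action on role at the controller layer and (2) resolves the tenant model only
// inside the established tenant context, never via direct route model binding.

declare(strict_types=1);

namespace App\Http\Controllers;

use App\Models\Finding;                 // assumed tenant-owned model with a tenant_id column
use App\Support\TenantContext;          // assumed: holds the current firm / entity context
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class FindingController extends Controller
{
    // Roles allowed to change a finding's status (names from the role table on this page).
    private const STATUS_EDITORS = ['audit_admin', 'lead_auditor', 'auditor'];

    public function updateStatus(Request $request, int $findingId): JsonResponse
    {
        $user = $request->user();

        // 1. Explicit role check here, not only in the UI: otherwise a 403.
        abort_unless($user->hasRole(self::STATUS_EDITORS), 403, 'Role not permitted');

        // 2. Tenant context must exist before any tenant model is touched.
        $tenant = TenantContext::current();
        abort_if($tenant === null, 403, 'No tenant context');

        // 3. Resolve the record only within the caller's tenant. An id belonging to
        //    another tenant yields 404, so the response does not reveal it exists.
        $finding = Finding::query()
            ->where('tenant_id', $tenant->id)
            ->findOrFail($findingId);

        $validated = $request->validate([
            'status' => ['required', 'in:open,in_progress,remediated,accepted'],
        ]);

        $finding->update(['status' => $validated['status']]);

        // Append to the compliance log (Spatie Activity Log helper, as the page names it).
        activity()->performedOn($finding)->causedBy($user)->log('finding.status_updated');

        return response()->json(['status' => $finding->status]);
    }
}
```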
Section 09

Vulnerability Management

Section 10

Incident Response

We maintain an incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting your data:

To report a suspected security incident or data breach: security@grcfy.com

Section 11

Business Continuity & Backups

Section 12

Employee & Vendor Security

Section 13

Responsible Disclosure

We welcome security researchers who responsibly disclose vulnerabilities in GRCfy Maestro. If you've discovered a potential security issue, please report it to us before public disclosure so we can investigate and remediate it.

Scope — in scope for reporting:

Out of scope:

Our commitments to researchers:

security@grcfy.com
Section 14

AI Security Controls

AI-assisted evidence analysis is an optional feature available on AI-enabled subscription tiers. The following controls govern how AI processing is secured and how personal data is protected during AI operations.

Two-layer PII scrubbing pipeline

Evidence text is scrubbed of personal identifiers through two sequential stages before any data leaves our infrastructure:

No evidence files transmitted to AI

Original evidence files (PDFs, Word documents, spreadsheets) are never transmitted to the AI model. Only extracted text — after both scrubbing stages — is included in the AI prompt. Image files and scanned PDFs use AWS Textract (OCR) in ap-south-1 to produce text first; the original image is not forwarded to the Claude model.

Data residency — India boundary

All AI inference uses AWS Bedrock in ap-south-1 (Mumbai, India). This applies to both Standard (Claude Haiku 4.5) and Enterprise (Claude Sonnet 4.6) tiers. AWS Textract OCR also runs in ap-south-1. Evidence text does not cross India's geographic boundary during AI processing.

Human-in-the-Loop — no autonomous AI writes

AI analysis is explicitly triggered by an auditor clicking "Run AI Analysis". The resulting findings are displayed for human review and never automatically written to the audit record. Auditors accept, modify, or reject AI output before it is committed. This design ensures that AI is an advisory tool, not a decision-maker.

No model training on customer data

GRCfy Maestro accesses Claude models via the AWS Bedrock API under Anthropic's commercial service terms. These terms explicitly prohibit Anthropic and Amazon from using customer-submitted prompts or responses to train, retrain, or fine-tune AI models. Audit evidence submitted through the platform is never used as AI training material.

No AI data persistence

Scrubbed evidence text sent to AWS Bedrock is processed in-request and not retained by AWS or Anthropic after the API call completes. GRCfy Maestro does not store the scrubbed prompt in any database, log file, or cache. The AI response (structured compliance findings) is stored against the audit control record, but this contains no evidence text.

Audit trail for AI operations

Every AI analysis is written to the platform's immutable audit trail, recording: timestamp, user ID, control reference, AI model tier used (Standard or Enterprise), and confidence score. This trail supports accountability reviews and demonstrates Human-in-the-Loop compliance.