Trust & Security

Secure by default. Verifiable end to end.

TLS 1.2+ everywhere. MFA mandatory in SaaS. argon2id passwords. Read-only cloud access. Postgres row-level security for tenant isolation. Per-tenant KMS. 7-year audit with S3 Object Lock on Enterprise.

Transport & perimeter

HTTPS only

TLS 1.2+ on port 443 for every application route. Port 80 serves only a 308 permanent redirect to HTTPS; no application content is ever delivered in plaintext. HSTS with includeSubDomains and preload.

WAF in front of SaaS

AWS WAF with the common-rules and known-bad-inputs managed rule groups, plus tenant-aware rate limits.

CSP and headers

Strict Content Security Policy with no inline scripts, Referrer-Policy strict-origin, X-Frame-Options DENY, Permissions-Policy disabling hardware APIs.

Authentication

Passwords

argon2id, 64 MiB memory, 3 iterations, parallelism 4. Minimum 12 characters. Breach-list check on set.

MFA

TOTP mandatory on SaaS for every user. WebAuthn on Enterprise. Recovery codes stored as argon2id hashes.

SSO on Enterprise

SAML 2.0 and OIDC. SCIM 2.0 for user and group provisioning. Just-in-time account creation bound to a Microsoft Entra ID / Okta / Google Workspace tenant.

Tenant isolation

Database

Postgres row-level security on every tenant-scoped table. The ORM sets app.current_tenant at session start, and every policy filters on that value. Service principals cannot bypass it.
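The pattern described above, written out as an added example with a constructed table, role and tenant id (this is not GrandLine's schema or code): the policy keys on the session variable the ORM sets, FORCE makes it apply even to the table owner, and the application role is created without BYPASSRLS so no service principal can step around it.

```sql
-- Constructed tenant-scoped table (hypothetical name, not GrandLine's schema).
CREATE TABLE findings (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    severity   text NOT NULL,
    title      text NOT NULL
);

-- The application role must not be a superuser, the table owner, or BYPASSRLS;
-- any of those silently ignores the policy. Role name is hypothetical.
CREATE ROLE app_rw LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON findings TO app_rw;

ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner as well, not only to other roles.
ALTER TABLE findings FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL rather than erroring when the variable
-- was never set; NULLIF handles the empty string a reset GUC can leave behind.
-- Comparing against NULL matches nothing, so an unscoped session sees zero rows
-- and cannot insert any (WITH CHECK) instead of seeing every tenant.
CREATE POLICY tenant_isolation ON findings
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- What the ORM does at session start. SET LOCAL scopes the value to the current
-- transaction, so a pooled connection cannot leak one tenant's context into the next.
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';  -- constructed id
INSERT INTO findings (tenant_id, severity, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'high', 'bucket is world-readable');
-- A row for any other tenant is rejected by WITH CHECK:
-- INSERT INTO findings (tenant_id, severity, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'low', 'x');   -- ERROR: policy violation
SELECT id, severity, title FROM findings;  -- returns only this tenant's rows
COMMIT;
```

Run it as a role other than the table owner to confirm the policy is actually consulted; a superuser session will show all rows regardless of the policy.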

Storage

S3 keys prefixed with t/<tenant_id>/. Bucket policy denies cross-tenant access and requires TLS. Signed URLs expire in 15 minutes.

Crypto

Per-tenant AWS KMS data keys wrapped by a tenant-scoped customer managed key. Revoking a tenant revokes the key. Key rotation annually with on-demand override.

Compute

Tenant context is authenticated at the edge and carried as a signed claim end-to-end. Every request is authorized by RBAC with account-scope and resource-tag conditions.

Cloud access model

AWS

Cross-account IAM role with an external ID and least-privilege read-only policy. No long-lived keys. STS-issued credentials with a 15-minute lifetime.

Azure

Microsoft Entra ID Workload Identity Federation with federated credentials on an app registration, bound to our workload identity. No client secrets. Reader built-in role plus a narrow set of data-plane roles only where needed.

GCP

Workload Identity Federation. No service account keys. Organization and Folder onboarding uses roles/viewer and roles/iam.securityReviewer, plus roles/bigquery.dataViewer on the billing-export dataset.

Audit, logging & retention

Audit events

Every privileged action (login, MFA change, connector change, role change, export) is written to an append-only log.

Retention

30 days (Free), 1 year (Pro), 7 years with S3 Object Lock export (Enterprise).

SIEM export

Webhook or S3-bucket delivery of audit events in JSON. Enterprise tenants can bring their own bucket.

Compliance

SOC 2 Type II

Designed to the Trust Services Criteria. Type II audit targeted within 12 months of GA.

GDPR

EU data residency. Data processing agreement available. Subject access and erasure workflows.

Supply chain

Signed images

Every container image is signed with cosign. Verification is part of install for Self-Hosted.

SBOMs

SPDX SBOM published per release at a known URL. Syft-generated, reviewed in CI.

Scanned

Trivy scans the container image in CI. Critical and High CVEs block release.

Security controls by plan

Plan-dependent security controls. Core protections (TLS 1.2+, RLS, per-tenant KMS, argon2id, read-only cloud access) apply to every tenant on every plan.

Control                            | Free        | Pro       | Enterprise
MFA (TOTP)                         | Mandatory   | Mandatory | Mandatory
WebAuthn / passkeys                | -           | -         | Yes
SSO (SAML / OIDC)                  | -           | OIDC      | SAML 2.0 + OIDC + SCIM 2.0
Custom RBAC roles                  | -           | -         | Yes
IP allow-listing on the dashboard  | -           | -         | Yes
Audit retention                    | 30 days     | 1 year    | 7 years (S3 Object Lock)
SIEM export (webhook / S3)         | -           | Webhook   | Webhook + bring-your-own S3
Custom security rules              | -           | -         | Yes
Data residency (EU option)         | US only     | US or EU  | US or EU (or Self-Hosted anywhere)
DPA & custom MSA                   | -           | DPA       | DPA + custom MSA
Incident notification SLA          | Best-effort | 72 hours  | 24 hours, named contact
Pen-test letter of attestation     | -           | Yes       | Yes, plus annual shared report

What GrandLine does NOT do

Your security boundary should be easy to reason about. Here is what we deliberately do not do.

We don't write to your cloud

Every connector is read-only. The IAM policies we publish explicitly Deny all write actions (*:Create*, *:Update*, *:Delete*, *:Put*, iam:PassRole). No auto-remediation, no auto-tagging, no auto-anything.

We don't hold long-lived credentials

No cloud access keys. No Microsoft Entra ID client secrets. No GCP service account keys. Every scan assumes a role or federates a token with a 15-minute (AWS) or 1-hour (Azure/GCP) lifetime.

We don't purchase commitments for you

Cost recommendations are report-only. AWS Savings Plans, AWS Reserved Instances, Azure Reservations, Azure Savings Plans for Compute, and GCP Committed Use Discounts (CUDs) are suggestions with supporting evidence. You commit the money yourself, in your billing console.

We don't move money

GrandLine never executes a trade, places an order, transfers funds, or initiates a billing change on your behalf. Commercial actions are always performed by you.

We don't train models on your data

Tenant data never leaves the tenant for any reason, including model training. Any AI-assisted features (summarisation, rule suggestions on Enterprise) run on models we host and do not fine-tune on customer data.

We don't sell or share

No advertising, no data sale, no marketing-list sharing. The GrandLine products are ad-free and your data is yours.