Information security and data protection are central to Granite’s operations, encompassing operations management, service delivery, product development, and personnel-related activities.
We adhere to comprehensive technical and organisational principles and measures to ensure that data protection and information security are robustly implemented.
Our operations, together with the Granite platform, services, and related security practices are regularly audited by external experts.
Our Information Security Management System (ISMS) is ISO 27001 certified. Our data protection policy complies with the requirements of the EU General Data Protection Regulation (GDPR).
We exclusively use highly reliable, ISO 27001-certified data centre providers.
Granite’s tools and platform are designed to treat all customer data as critical information. Information security is fundamental to all data processing within Granite. We follow the information security principles outlined below.
The Granite platform encrypts all data exchanged between end users and associated systems. Customer data is encrypted both at rest and in transit using industry-standard methods and best practices.
Granite’s access and data management rights are tailored to align with each customer’s processes and business requirements. We apply the principle of least privilege across our systems.
The Granite platform supports SAML 2.0 technology for Single Sign-On (SSO). Centralised authentication and administration facilitate comprehensive use of the Granite platform tools and support customers in achieving their goals.
Our cloud architecture is based on a restricted and secure private cloud environment. The Granite platform operates on Equinix’s ISO/IEC 27001-certified private cloud infrastructure. All servers and data are located in Finland. Customer data is stored in dedicated databases specific to each customer.
Secure, modern, and well-documented RESTful APIs enable integration between customer or partner systems and the Granite platform and tools.
Continuity planning and incident management are critical components of our security framework.
Our primary objective in continuity planning is to ensure uninterrupted operations and the delivery of secure, reliable services to all customers.
As part of our continuity principles, we inform customers of any incidents affecting Granite’s business continuity. Reports are provided upon request.
Granite employees receive instructions on how to respond to deviations or suspected security breaches. All incidents are documented and promptly reported to Granite’s security team. Following each incident, we assess whether updates to procedures or guidelines are necessary, based on a risk assessment.
Our server and data centre providers continuously monitor incoming and outgoing data traffic. Any detected anomalies are promptly reported, investigated, and addressed accordingly.
In the constantly evolving digital landscape, cyber threats are ever-present. We follow best practices to identify, assess, and mitigate emerging risks.
Vulnerability scanning is an essential part of Granite’s software development process. We employ multiple automated scanning tools and conduct analyses to identify vulnerability classes catalogued by OWASP and other code defects. Additionally, we perform comprehensive automated testing across the Granite platform. Identified vulnerabilities are managed through our vulnerability management process.
External security specialists are engaged annually to conduct comprehensive technical and manual security assessments of our platform.
Compliance with data privacy laws and regulations is a cornerstone of Granite’s operations. We follow GDPR-compliant practices to ensure our customers can manage their data securely and with confidence.
Granite fully complies with all relevant data privacy legislation, particularly the EU GDPR. Customer data is handled confidentially and used solely for the provision of our services. Further details on our data privacy policies and practices can be found in our data processing documentation.
Security clearance from the appropriate authorities is a prerequisite for employment at Granite. All employees also sign a written confidentiality agreement obliging them to maintain the confidentiality of customer data.
All Granite employees are required to complete annual cybersecurity and data privacy training via online courses.
Access to customer data is strictly permission-based. Granite personnel may only access customer environments to provide support or enable their use by the customer.
Our ISMS encompasses all of Granite’s operations and service delivery processes. The system is certified in accordance with ISO/IEC 27001:2022.
Data protection and security are foundational to our service delivery. We apply secure coding principles throughout product development and implement a variety of control measures.
Our risk management policy addresses business risks and opportunities. It supports the sustainable development and long-term continuity of our operations.
Efficient and secure information management is a fundamental requirement of our business. Our policy ensures secure data handling and supports compliance with ISO 27001 throughout the organisation.
We are fully prepared for potential disruptions to our business and services. Our continuity plan outlines practical procedures for handling such events.
We are committed to transparency in our processing of customer personal data. Only essential personal data is processed, and only to the extent required for service provision. Our practices fully comply with the EU GDPR.