Granite’s commitment to security and data protection

Information security and data protection are at the core of Granite’s operations, from operations management, service production, product development and, above all, what the personnel do.

We follow comprehensive technical and organisational principles and measures to ensure that data protection and information security are implemented.

Our operations, as well as the Granite platform and services, and the security practices of our operations, are regularly audited by external experts.

Our information security management system is ISO 27001 certified. Our data protection policy is based on the requirements of the EU General Data Protection Regulation (GDPR).

As data centre service providers, we only use the most reliable ISO 27001-certified parties.

 

Information Security

Granite’s tools and platform have been developed to handle all customer data as critical information. Information security is at the core of all data processed within Granite. We adhere to the following information security principles.

Data Encryption during Transit and at Rest

The Granite platform encrypts all data between the tools’ end-users and your data. All customer data is encrypted both at rest (“data at rest”) and during transmission (“data in transit”) using industry standards and best practices.

Access Control and Access Monitoring

Granite’s access and data management rights are tailored to the customer’s process and business needs. Granite follows the principle of least privilege.

Authentication

The Granite platform supports the use of SAML 2.0 technology for single sign-on (SSO). Centralized authentication and administration support the comprehensive use of tools on the Granite platform and the achievement of customer goals.

Cloud Service and Customer-Specific Databases

The cloud architecture is based on a restricted and secure private cloud implementation. The Granite platform is built on Equinix’s ISO/IEC 27001-certified private cloud platform. Servers and data are located in Finland. Customer data is also stored in customer-specific databases.

API Interface

It is possible to establish customer and partner interfaces (Application Programming Interface) to the Granite platform and tools through a secure, modern, and documented RESTful API.

Continuity Planning and Incident Management

Continuity planning and management are critical parts of our security infrastructure.

Scope and Objectives of Continuity Management

The primary objective of our continuity planning is to ensure Granite’s continuous operation and the availability of smooth, functional, reliable, secure services to all customers.

Communication and Reporting of Incidents

As part of our continuity principles, we inform customers about all incidents related to Granite’s business continuity that affect customers. Customers receive the necessary reports upon request.

Incident Management Principles

All Granite employees are instructed on how to act if they detect deviations or suspect security breaches. All observations are documented according to the process and immediately reported to Granite’s security team. The need to update guidelines and procedures is assessed after each deviation observation based on a risk assessment of the event.

Our server and data center service providers continuously monitor incoming and outgoing data traffic. If deviations are detected in the traffic, they are immediately reported, investigated, and necessary actions are taken.

Vulnerability Management and Testing

In the ever-changing digital business environment, there are always cyber threats. We follow best practices to identify and assess changing threats and risks and prepare for them.

Vulnerability Scanning

Vulnerability scanning is an integral and critical part of Granite’s software production. We use multiple automated scanning tools and conduct analyses, including the identification of OWASP vulnerabilities and other code defects. In addition, we perform comprehensive automated testing of the entire Granite platform. Identified vulnerabilities are addressed as part of our vulnerability management process.

Third-Party Security Testing

We utilize third parties to assess vulnerabilities in our platform. We conduct comprehensive technical and manual security testing annually by an external security company.

Data Privacy and Compliance

Compliance with data privacy regulations and laws is a fundamental principle of Granite’s operations. We strictly adhere to GDPR-compliant protocols so that our customers can manage their data with confidence.

Data Privacy

Granite complies with all applicable data privacy laws, especially the EU’s General Data Protection Regulation (GDPR). Customer data on the Granite platform is treated confidentially and is never used for any purpose other than providing services to customers. More information about our data privacy regulations and data processing can be found in our data processing description.

Employee Security Clearances

Granite requires security clearance conducted by authorities as a condition of employment. In addition, all Granite employees sign a written confidentiality agreement that obligates them to keep customer data confidential.

Security Awareness and Employee Training

Annual cybersecurity and data privacy online training are mandatory for all Granite employees.

Third-Party Access Control

Access to our customers’ data and information is strictly controlled by permissions. Granite employees can only access customer environments for the purpose of supporting and enabling the use of those environments by the respective customers.

Information security documentation

Information Security Management System

Our Information Security Management System (ISMS) covers all Granite operations and service production. The management system is certified in accordance with ISO/IEC 27001:2022.

Learn more


Data protection and information security policy

Data protection and information security are the starting points of our service production. We adhere to the principles of secure programming at all stages of product development and take care of the implementation of data protection with diverse controls.

Learn more

Risk management policy

The risk management policy covers the risks and opportunities related to our business. Risk management ensures the development and continuity of long-term business operations.

Learn more

Information security policy

One of the basic requirements of our business is smooth and functional information management. The information security policy supports the implementation of secure data management and compliance with the ISO 27001 requirements at all levels of the company.

Learn more

Continuity plan

We are fully prepared for disruptive situations related to our business and service production and their management. The continuity plan describes the principles in this regard on a practical level.

Learn more

Record of Processing Activities

We strive to be as transparent as possible about the principles of processing our customers’ personal data in our platform. We only process necessary personal data and only to the extent required for the service provided to the customer. Our practices comply with the requirements of the EU General Data Protection Regulation (GDPR).

Learn more

Marketing & Customer Service Data Protection Notice

Learn more