Information security and data protection are at the core of Granite’s operations: operations management, service production, product development and, above all, the day-to-day work of our personnel.
We follow comprehensive technical and organizational principles and measures to ensure that data protection and information security are thoroughly implemented.
Our operations, the Granite platform and services, and our security practices are regularly audited by external experts.
Our information security management system is ISO 27001 certified. Our data protection policy is based on the requirements of the EU General Data Protection Regulation (GDPR).
We use only ISO 27001-certified data center providers.
Granite’s tools and platform have been developed to handle all customer data as critical information. Information security is at the core of all data processed within Granite. We adhere to the following information security principles.
Data Encryption during Transit and at Rest
The Granite platform encrypts all traffic between end-users of the tools and the platform. All customer data is encrypted both at rest and in transit using industry-standard methods and best practices.
Access Control and Access Monitoring
Access rights and data management rights on the Granite platform are tailored to the customer’s processes and business needs. Granite follows the principle of least privilege.
Authentication
The Granite platform supports SAML 2.0 single sign-on (SSO), so that authentication and user administration can be managed centrally across all tools on the platform.
Cloud Service and Customer-Specific Databases
The cloud architecture is based on a restricted and secure private cloud implementation. The Granite platform is built on Equinix’s ISO/IEC 27001-certified private cloud platform. Servers and data are located in Finland. Each customer’s data is stored in a customer-specific database.
API Interface
Customer and partner integrations with the Granite platform and tools can be built on a secure, modern and documented RESTful application programming interface (API).
Continuity planning and management are critical parts of our security infrastructure.
Scope and Objectives of Continuity Management
The primary objective of our continuity planning is to ensure Granite’s continuous operation and the availability of smooth, functional, reliable, secure services to all customers.
Communication and Reporting of Incidents
As part of our continuity principles, we inform customers of all business-continuity incidents at Granite that affect them. Incident reports are provided to customers on request.
Incident Management Principles
All Granite employees are instructed on how to act if they detect an anomaly or suspect a security breach. Every observation is documented according to the process and reported immediately to Granite’s security team. After each observed deviation, a risk assessment of the event determines whether guidelines and procedures need to be updated.
Our server and data center service providers continuously monitor incoming and outgoing data traffic. Anomalies detected in the traffic are reported immediately, investigated, and the necessary actions are taken.
In the ever-changing digital business environment, there are always cyber threats. We follow best practices to identify and assess changing threats and risks and prepare for them.
Vulnerability Scanning
Vulnerability scanning is an integral and critical part of Granite’s software production. We use multiple automated scanning tools and conduct analyses that identify vulnerability classes catalogued by OWASP as well as other code defects. In addition, we perform comprehensive automated testing of the entire Granite platform. Identified vulnerabilities are addressed as part of our vulnerability management process.
Third-Party Security Testing
We also engage third parties to assess vulnerabilities in our platform: an external security company carries out comprehensive technical and manual security testing annually.
Compliance with data privacy regulations and laws is a fundamental principle of Granite’s operations. We strictly adhere to GDPR-compliant processes so that our customers can manage their data with confidence.
Data Privacy
Granite complies with all applicable data privacy laws, in particular the EU’s General Data Protection Regulation (GDPR). Customer data on the Granite platform is treated confidentially and is never used for any purpose other than providing services to customers. More information about our data privacy practices and data processing can be found in our data processing description.
Employee Security Clearances
Granite requires a security clearance conducted by the authorities as a condition of employment. In addition, all Granite employees sign a written confidentiality agreement that obligates them to keep customer data confidential.
Security Awareness and Employee Training
Annual online training in cybersecurity and data privacy is mandatory for all Granite employees.
Third-Party Access Control
Access to our customers’ data and information is strictly controlled by permissions. Granite employees may access a customer environment only to support and enable that customer’s use of the environment.
Our Information Security Management System (ISMS) covers all Granite operations and service production. The management system is certified in accordance with ISO/IEC 27001:2022.
Data protection and information security are the starting points of our service production. We follow secure-programming principles at every stage of product development and implement data protection with a range of controls.
The risk management policy covers the risks and opportunities related to our business. Risk management ensures the development and continuity of long-term business operations.
One of the basic requirements of our business is smooth and functional information management. The information security policy supports the implementation of secure data management and compliance with the ISO 27001 requirements at all levels of the company.
We are prepared for disruptions to our business and service production, and for managing them. The continuity plan describes these principles at a practical level.
We strive to be as transparent as possible about the principles of processing our customers’ personal data in our platform. We only process necessary personal data and only to the extent required for the service provided to the customer. Our practices comply with the requirements of the EU General Data Protection Regulation (GDPR).