Granite’s commitment to security and data protection

Information security and data protection are at the core of Granite’s operations, from operations management, service production, product development and, above all, what the personnel do.

We follow comprehensive technical and organisational principles and measures to ensure that data protection and information security are implemented.

Our operations, as well as the Granite platform and services, and the security practices of our operations, are regularly audited by external experts.

Our information security management system is ISO 27001 certified. Our data protection policy is based on the requirements of the EU General Data Protection Regulation (GDPR).

As data centre service providers, we only use the most reliable ISO 27001-certified parties.


Data protection

Granite tools and platform have been developed to treat all customer data as critical. Data protection is at the heart of all data processed by Granite. We comply with the following data protection principles, among others:
Data Encryption at Rest and in Transit

The Granite system encrypts all data between the end users of the tools and your data. All customer data is encrypted in sleep mode and during transfer using common industry standards, tools and best practices in all work.

Access rights and access control

Granite’s access and data management rights are tailored to the customer’s process and business needs.


The Granite system supports the use of SAML 2.0 technology for single sign-on (SSO). Central authentication and management supports the comprehensive deployment of the tools and the achievement of the customer’s goals on the Granite platform and tools.

Cloud-Hosted Services

The Granite system is built on the ISO27001-certified private cloud platform of Equinix Finland Oy. The servers and data are located in Finland.

Three-Tier Architecture

Granite’s entire system infrastructure is built behind firewalls. The architecture of our solution is based on three tiers (client, application and data). Internal and external access to the data is more limited the closer we get to where the data is stored.


It is possible to create customer and partner interfaces to the Granite system and tools through the secure RESTful API.

Business Continuity planning and incident management

Continuity planning and continuity management is a critical part of our security infrastructure, which aims to enable our customers’ goals.
Scope and objectives of continuity management
The main objective of our continuity planning is the continuous functioning of Granite and fluent, functional, reliable and secure services available to all customers.
Communication in the event of incidents
One of our continuity principles is to inform the customer of any business continuity incidents that affect any customer. Customers will be provided with the reports they need on request. In major disasters, we use social media and other channels to get information to as many customers as possible.
Principles of incident management
All Granite employees are instructed on what to do if they detect incidents or suspect data breaches. All findings are documented in accordance with the process and immediately reported to Granite’s security team. The need to update the instructions and operating procedures is assessed after each observed incident, based on the risk assessment of the event. Our server and data centre service providers continuously monitor the incoming and outgoing data traffic in their centres. Abnormalities in the traffic are immediately reported and investigated, and the required measures are taken.

Vulnerability management and testing

Cyber threats are always present in the changing digital business environment. We follow the best principles to identify, assess and prepare for changing threats and risks.
Vulnerability scanning
The scanning of server vulnerabilities and dependencies is an integral and critical part of Granite’s software production. Identified vulnerabilities are automatically rejected as part of our vulnerability management process, in which they are either fixed or the risk they pose is accepted. haavoittuvuuksien hallintaprosessiamme jossa ne joko korjataan tai niiden aiheuttama riski hyväksytään.
Code review
Granite’s code is scanned to identify OWASP vulnerabilities and other code errors before it is moved to the production environment.
Third-Party Penetration Testing
We use third parties to evaluate vulnerabilities on our platform.
Automation testing
In addition to code scanning, Granite’s development team automatically tests new features and platform updates before they are released into production.

Privacy, protection of personal data and compliance

Compliance with data protection regulations and laws is a fundamental principle of Granite’s operations, and we follow a strict GDPR-compliant protocol to allow our customers to manage their data efficiently and safely. In addition, we are the Granite platform’s main user, benefitting from it in our operations and in the management of compliance and certification processes.
Privacy protection

Granite complies with all applicable data protection laws, such as the GDPR. Customer data on the Granite platform is treated as confidential and never sold. For more information about our platform’s privacy settings and how your data is processed, please refer to our data processing policy.

Employee background checks

Granite’s recruitment is conditional on a background check carried out by the authorities. In addition, all Granite employees sign a written non-disclosure agreement that requires them to keep customer information confidential.

Security awareness and staff training

Annual completed online training in security and data protection is mandatory for all Granite employees.

Third-Party Access

Access to our customers’ information and data is strictly restricted with user rights. Granite employees can use only customer data or environments for customer work and to enable and support customer use. Our subcontractors do not have access to customer data.

Information security documentation

Information Security Management System

Our Information Security Management System (ISMS) covers all Granite operations and service production. The management system is certified in accordance with ISO/IEC 27001:2013.

Learn more

Data protection and information security policy

Data protection and information security are the starting points of our service production. We adhere to the principles of secure programming at all stages of product development and take care of the implementation of data protection with diverse controls.

Learn more

Risk management policy

The risk management policy covers the risks and opportunities related to our business. Risk management ensures the development and continuity of long-term business operations.

Learn more

Information security policy

One of the basic requirements of our business is smooth and functional information management. The information security policy supports the implementation of secure data management and compliance with the ISO 27001 requirements at all levels of the company.

Learn more

Continuity plan

We are fully prepared for disruptive situations related to our business and service production and their management. The continuity plan describes the principles in this regard on a practical level.

Learn more

Marketing & Customer Service Data Protection Notice

Learn more