Security is the product.
Trust is earned in the smallest decisions. Here’s how DevGrid earns it, every release.
Defense in depth, by design.
No single control is load-bearing. Every request crosses five independent layers — governance, network, platform, application, and data — each with its own owners, controls, and audit trail.
Four rules we don’t bend.
These aren’t slogans — they’re load-bearing constraints. Each principle has a named owner, a measurable target, and shows up in our quarterly board review.
- Threat models precede architecture diagrams. New services ship with a documented attack surface before merge.
- Access is scoped, time-bound, and reviewed. Standing admin rights are the exception, not the default.
- If we don’t know it yet, we say so. Status, sub-processors, and changes are published — not buried behind a sales call.
- It’s yours, held in trust. We don’t train models on it, mine it, or share it. Sub-processors are minimal and named.
Building toward independent assurance.
We’re partway through formal certification and aligned to the frameworks our customers ask about most. Here’s exactly where we are.
Need an artifact today?
Even pre-certification, we publish what’s available and respond promptly to vendor questionnaires.
- Security overview & architecture document
- Data Processing Agreement (DPA)
- Sub-processor list
Encrypted everywhere. Always.
From the moment data leaves your browser to the moment it lands on disk, it’s wrapped in modern ciphers, anchored to keys you can rotate, revoke, or hold yourself.
All public endpoints terminate with modern TLS and strict cipher suites. Internal service-to-service traffic is authenticated and encrypted.
Customer data is encrypted at rest with industry-standard algorithms. Encryption keys are managed through cloud-native KMS with regular rotation.
No long-lived secrets in source. Workload credentials are scoped and rotated automatically; sensitive operations require multi-party review.
Securing our people & systems.
The strongest product perimeter doesn’t matter if the laptop building it is wide open. We hold the back office to the same bar as the platform.
Corporate devices are managed with disk encryption, endpoint detection, and automatic patching. Non-compliant devices are blocked from production access.
SSO and multi-factor authentication are enforced for internal systems. Access is scoped by role and reviewed periodically.
All employees complete security awareness training at onboarding and on a recurring cadence. Engineering teams cover secure-coding topics.
Third-party vendors handling customer data go through security review before onboarding, sign a DPA, and are reassessed on an ongoing basis.
Your data. Your control.
Privacy is a discipline, not a banner. We minimize what we collect, name every sub-processor, give you the controls — and never train models on your data.
What we commit to
- Your data is never used to train AI models — ours or anyone else’s.
- Data Processing Agreement available, including Standard Contractual Clauses for EEA & UK transfers.
- Export and deletion of your data on request.
- Notice of sub-processor changes.
Found something? Tell us.
If you believe you’ve discovered a security issue in DevGrid, we’d like to hear about it. Email us with details and we’ll acknowledge promptly and keep you updated until it’s resolved.
Questions, answered.
If you’re filling out a vendor questionnaire, start here — most answers are below, and the rest are in the Trust Center.
Still have questions?
We have answers.
For procurement, vendor reviews, custom security requirements, or anything not covered here — reach out directly. A security engineer will respond, not a form.