
Security practices at Suregrid

We built Suregrid to help organizations strengthen their security posture. That starts with how we secure our own platform. Here is a transparent look at the measures we take to protect your data.

Our Security Posture

Enterprise-grade security by design

SOC 2 Type II Audited

Suregrid has completed a SOC 2 Type II audit. An independent auditor examined the design and operating effectiveness of our controls for data handling, access management, availability, and confidentiality over a sustained observation period, and the resulting attestation report is available to customers on request.

Encryption Everywhere

All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database-level encryption and encrypted backups cover every storage layer, and the encryption keys are generated, stored, and used within hardware security modules (HSMs) rather than on application hosts.

Strict Access Controls

Role-based access control with least-privilege enforcement across the platform. Multi-factor authentication required for all employees. Just-in-time access provisioning for infrastructure. Full audit trails on every action.

Tenant Isolation

Each customer's data is logically isolated at the application and database level, and every data access is scoped to the requesting tenant so that cross-tenant access is prevented by the architecture rather than by policy alone. Customer data is never used to train AI models that serve other tenants.

Continuous Monitoring

Real-time intrusion detection, anomaly monitoring, and automated alerting across our infrastructure. We run SureCloud against our own environments and conduct regular SureHunt pentests on the Suregrid platform itself.

Vendor Risk Management

All third-party vendors and subprocessors undergo security assessments before onboarding. We maintain a current register of subprocessors and conduct annual reviews to ensure ongoing compliance with our security standards.

Infrastructure Security

Suregrid runs on hardened cloud infrastructure with network segmentation, web application firewalls, and DDoS protection. Production environments are isolated from development and staging. All infrastructure changes go through code review, automated testing, and controlled deployment pipelines. We maintain immutable infrastructure where possible, with servers rebuilt from verified base images rather than patched in place.

Application Security

Our development lifecycle incorporates security at every stage. All code undergoes peer review with a security-focused checklist. We run static analysis (SAST), dynamic analysis (DAST), and dependency scanning in our CI/CD pipeline. Critical vulnerabilities block deployment. We conduct regular threat modeling exercises for new features and maintain a comprehensive suite of security regression tests.

Data Protection

Customer Data is classified and handled according to sensitivity. Compliance evidence, cloud configurations, and pentest results are treated as the highest sensitivity tier. Data is encrypted at rest and in transit without exception. Backups are encrypted and stored in geographically separate locations. Data retention follows customer-configured policies, and deletion requests are honored within 30 days with cryptographic verification.

Incident Response

We maintain a documented incident response plan with defined severity levels, escalation procedures, and communication protocols. Our security team operates a 24/7 on-call rotation. In the event of a security incident affecting customer data, we commit to notifying affected customers within 72 hours of confirmed impact, providing a detailed incident report, and implementing corrective actions with verified remediation. We conduct post-incident reviews for all security events and share lessons learned internally.

Employee Security

All SurePass employees undergo background checks before joining. Security awareness training is mandatory upon onboarding and repeated annually. Engineers with production access complete additional security training specific to their role. We enforce a clean-desk policy, require full-disk encryption on all company devices, and use endpoint detection and response (EDR) software on all workstations.

Compliance and Certifications

Suregrid maintains the following certifications and compliance commitments: SOC 2 Type II (Security, Availability, and Confidentiality trust services criteria); alignment with ISO 27001, with certification planned; GDPR compliance for the processing of EU personal data; and support for customers' HIPAA obligations through a Business Associate Agreement (BAA), available upon request. We undergo annual third-party audits and penetration tests by independent security firms in addition to our own continuous testing.

Responsible Disclosure

We welcome security researchers to report vulnerabilities through our responsible disclosure program. If you discover a security issue in the Suregrid platform, please report it to security@surepass.io with a detailed description and steps to reproduce. We commit to acknowledging reports within 48 hours, providing status updates, and crediting researchers (with permission) once issues are resolved. We ask that you do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them.

Penetration Testing Scope

SureHunt pentests are conducted exclusively within customer-authorized scope. Our AI agents operate under strict constraints: they test only explicitly approved targets, follow rules of engagement defined by the customer, do not exfiltrate real data, and generate findings with sanitized proof-of-concept evidence. All pentest activity is logged and auditable. Customers retain full control over test scheduling, scope, and intensity.

Contact Our Security Team

For security questions, vulnerability reports, or to request our SOC 2 report, contact: SurePass Technologies Private Limited, Security Team, email: security@surepass.io. For compliance and audit inquiries: compliance@surepass.io.