Security & Enterprise Controls

Gradaris is a secure, auditable control plane for AI systems — built with enterprise-grade identity, monitoring, and governance controls. We operate outside your data perimeter, processing only governance metadata. Here is exactly how the platform is built, secured, and controlled.

The data perimeter principle

Gradaris never receives, processes, or stores the content your AI agents handle. We receive only cryptographic hashes (SHA-256) of inputs and outputs, timing measurements, and structural telemetry. The data your agents process — customer records, financial data, medical information — remains entirely within your own infrastructure. This is an architectural commitment, not a policy.

Enterprise Controls

Gradaris is built for regulated organisations. Every layer of the platform reflects the security and compliance requirements of enterprise and financial services deployments.

Identity

SAML SSO, role-based access control, and full user lifecycle management. Integrates with Okta, Azure AD, Google Workspace, and any SAML 2.0 provider.

Audit

Complete, tamper-evident event logging for all governance actions, SSO events, assessments, and API calls — queryable and exportable for regulators and auditors.

Monitoring

Automated alerts for governance score changes, control failures, policy violations, and certificate expiry. Delivered via email, webhook, or the platform notification centre.

Integration

REST API and webhook events for all key governance actions. SDK available for Python. No-code integration via Zapier and Make. All API access is authenticated and scoped.

Infrastructure

AWS hosted

All infrastructure runs on Amazon Web Services in a primary US region. Environments are fully segregated with no shared network paths.

Network isolation

Application and database tiers have no direct internet exposure. All inter-service traffic flows through hardened internal network controls.

Database

All governance data is stored in a managed relational database with encryption at rest (AES-256). Production uses automated backups and a high-availability configuration.

TLS 1.3 in transit

All API traffic encrypted with TLS 1.3. HTTPS enforced everywhere — no plaintext connections accepted. HSTS headers set with 1-year max-age.

Authentication & access control

Gradaris uses database-driven session authentication with server-side session management. Sessions are scoped to a single tenant with per-session API key routing, ensuring that no cross-tenant data access is possible even within a shared infrastructure environment.

Identity & Access Control

Gradaris supports SAML-based Single Sign-On (SSO), enabling secure integration with enterprise identity providers including Okta, Azure AD, Google Workspace, and any SAML 2.0-compatible provider. Access is centrally managed and auditable, aligning with enterprise security and governance requirements.

  • SAML SSO integration: Enterprise identity provider connectivity with support for metadata XML and manual configuration. SP metadata available for IdP administrator setup.
  • JIT user provisioning: Users are automatically provisioned on first SSO login based on identity provider group membership and configured role mappings.
  • SSO enforcement: Administrators can enforce SSO organisation-wide, blocking password-based login for all non-superadmin accounts.
  • Break glass access: Time-limited, auditable emergency bypass tokens for recovery when SSO is unavailable. All break glass events are logged.
  • SSO audit log: Every login attempt, provisioning event, configuration change, and enforcement action is recorded and queryable by administrators.
  • Role-based access control (RBAC): Admin and Member roles, with expanded role definitions on the roadmap.
  • API keys: SHA-256 hashed at storage. Scoped to a single tenant. Rotatable at any time without service interruption.
  • Elevated administration: Platform-level administrative functions are protected by elevated authentication controls, separate from tenant credentials.
  • Session expiry: Sessions expire after a period of inactivity. Forced re-authentication on sensitive operations.

Cryptographic integrity

Every GGS assessment report is cryptographically sealed. The integrity hash covers the full assessment payload — methodology version, all criterion scores, tier weights, and the composite grade. Any post-hoc modification is detectable.

Agent-to-agent (A2A) trust calls are authenticated, and every interaction is recorded in an immutable audit chain with full lineage, aligned with EU AI Act Article 12.

Evidence packages can be independently verified by regulators, auditors, or legal counsel using the public Gradaris Verification API — no Gradaris account required for verification.
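The following is an added illustration, not Gradaris code, of the two mechanisms this section describes: a SHA-256 seal over a full assessment payload, and an audit chain in which each entry commits to the previous one. The field names, the canonical JSON encoding and the chain layout are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed starting value for the audit chain

def canonical_bytes(obj) -> bytes:
    # Deterministic encoding: sorted keys, no insignificant whitespace.
    # Assumption: the real canonicalization is not given on the page
    # (cross-language verifiers usually pin a scheme such as RFC 8785).
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def seal(payload: dict) -> str:
    # SHA-256 over the whole payload, so every field is covered.
    return hashlib.sha256(canonical_bytes(payload)).hexdigest()

def verify_seal(payload: dict, expected_hex: str) -> bool:
    return hmac.compare_digest(seal(payload), expected_hex)

def chain_hash(prev_hex: str, event: dict) -> str:
    # Each audit entry's hash includes its predecessor's hash.
    data = bytes.fromhex(prev_hex) + canonical_bytes(event)
    return hashlib.sha256(data).hexdigest()

def build_chain(events: list) -> list:
    hashes, prev = [], GENESIS
    for event in events:
        prev = chain_hash(prev, event)
        hashes.append(prev)
    return hashes

def first_broken_link(events: list, hashes: list) -> int:
    # Index of the first entry that fails verification, or -1 if intact.
    prev = GENESIS
    for i, (event, recorded) in enumerate(zip(events, hashes)):
        if not hmac.compare_digest(chain_hash(prev, event), recorded):
            return i
        prev = recorded
    return -1 if len(events) == len(hashes) else min(len(events), len(hashes))

# Constructed sample data; all field names and values are hypothetical.
REPORT = {"methodology_version": "1.0", "criterion_scores": {"C1": 82, "C2": 67},
          "tier_weights": {"T1": 0.6, "T2": 0.4}, "composite_grade": "B"}
EVENTS = [{"seq": 1, "caller": "agent-a", "callee": "agent-b"},
          {"seq": 2, "caller": "agent-b", "callee": "agent-c"},
          {"seq": 3, "caller": "agent-c", "callee": "agent-a"}]
```

A bare hash only proves integrity if the recorded value is held or signed somewhere the party editing the payload cannot rewrite it. The same applies to the latest chain hash, without which removal of trailing entries goes unnoticed.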

Vulnerability disclosure

If you discover a potential security vulnerability in the Gradaris platform, please report it responsibly to info@gradaris.com. We will acknowledge receipt within 24 hours and provide a resolution timeline within 5 business days. We do not pursue legal action against good-faith security researchers.

Compliance

Gradaris is designed to support your compliance obligations under EU AI Act Article 12 (logging and monitoring), Article 10 (data governance), and Article 9 (risk management). Formal certifications including SOC 2 Type II and ISO 27001 are on the roadmap. Contact us for current compliance documentation and security questionnaire responses.