Security certifications

Learn about Granica's commitment to information security and compliance.

Granica maintains a high level of data security by incorporating industry-leading best practices into our information security program. We are dedicated to obtaining and maintaining industry-recognized third-party security and privacy certifications, and to working with independent, CBA-registered CPA firms to regularly audit our program and attest to our certifications.

Benefits for our customers:

  • Increased visibility and confidence in our information security program and overall operations
  • Increased ease in onboarding Granica as a vendor

Benefits for Granica:

  • Ensures we continue to align with industry best practices to meet the requirements of a strong and comprehensive information security program
  • Streamlines the process of sharing information on our security program with potential and existing customers

Current

  • SOC 2 Type 1 Report: A SOC 2 report covers a service organization's controls relevant to the security, availability, processing integrity, confidentiality, and privacy of a system, as opposed to SOC 1 (formerly issued under SSAE 16, now under SSAE 18), which covers controls relevant to financial reporting. The Type 1 (or Type I) report attests that the controls are suitably designed and implemented as of a specified point in time; it does not test whether they operated over time.

  • SOC 2 Type 2 Report: The Type 2 (or Type II) report additionally tests whether those controls operated effectively over a review period (commonly six to twelve months). Because it covers operation over a period rather than a single date, it provides greater assurance and is more comprehensive than the Type 1 report.

Planned (Roadmap)

  • ISO/IEC 27001 Certification: An international standard that specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Certification is issued by an accredited certification body after an audit of the ISMS, and ISO/IEC 27001 addresses people and processes as well as technology.

Requesting a copy of the Granica SOC 2 Reports

SOC 2 Reports are restricted and cannot be shared publicly. We can only share SOC 2 reports upon request with prospective customers under NDA or with current customers bound by confidentiality agreements.

To request our SOC 2 report, contact security@granica.ai and provide the following information:

  • Company Name
  • Report Requestor name
  • Report Requestor email
  • Report Requestor Job Title

You will receive an acknowledgement email within one business day.

SOC Overview

The American Institute of CPAs (AICPA) has developed a suite of System and Organizational Controls (SOC) reports. The reports are divided into three categories:

  • SOC for Service Organizations
  • SOC for Cybersecurity
  • SOC for Supply Chain

The SOC for Service Organizations category is classified into:

  • SOC 1 — Internal Controls over Financial Reporting (ICFR)
  • SOC 2 — Trust Services Criteria
  • SOC 3 — Trust Services Criteria for General Use Report (a summary of a SOC 2 examination that may be distributed publicly)

SOC 2 Trust Services Criteria

According to AICPA, the SOC 2 Report covers controls relevant to:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Security (the Common Criteria) is mandatory in every SOC 2 report; the remaining four Trust Services Criteria are included at the service organization's discretion, based on the commitments it makes to its customers.

SOC 2 Type 1 vs Type 2

  • Type 1 attests that controls are suitably designed and implemented at a point in time.
  • Type 2 additionally tests that the controls operated effectively over a review period (commonly six to twelve months), providing greater assurance.

HIPAA Compliance

Granica can be one component of a HIPAA-compliant architecture when the customer's cloud environment is itself HIPAA compliant and the customer has implemented proper controls around data handling, access, and separation. This is because Granica itself does not directly handle protected health information (PHI):

  • Data stays within the customer's own HIPAA-compliant cloud environment; Granica has no access to the actual data contents
  • Encryption of data at rest and in transit is provided by the cloud provider's native mechanisms, which the customer is responsible for enabling and configuring (for example, server-side encryption with provider-managed or customer-managed keys, and TLS-only access)
  • The Granica control plane runs within the customer's VPC and is subject to the customer's own security policies
  • Tenant data isolation follows from the customer's own storage layout: if each tenant has its own bucket, with matching access policies, that separation is preserved without additional configuration in Granica
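As an added illustration (example code written for this page, not part of Granica's product or documentation), the following Python audits a bucket's configuration for the three controls the bullets above depend on: provider-managed encryption at rest (SSE-KMS as the bucket default), TLS-only access, and an access policy that admits only the tenant's own IAM role. The account ID, role-naming scheme, bucket name and both policy documents are constructed for the example; in a real audit the same two inputs would come from the S3 GetBucketEncryption and GetBucketPolicy calls.

```python
import json

# Hypothetical account ID and role-naming scheme, constructed for this example.
ACCOUNT_ID = "123456789012"


def tenant_role_arn(tenant):
    # The only IAM principal that should be allowed into a tenant's bucket.
    return f"arn:aws:iam::{ACCOUNT_ID}:role/tenant-{tenant}"


def _as_list(value):
    # IAM policy fields may be a scalar or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_insecure_transport(stmt):
    # A Deny on s3:* that fires when the request did not use TLS.
    cond = stmt.get("Condition", {}).get("Bool", {})
    return (stmt.get("Effect") == "Deny"
            and "s3:*" in _as_list(stmt.get("Action"))
            and str(cond.get("aws:SecureTransport", "")).lower() == "false")


def _denies_unencrypted_put(stmt):
    # A Deny on s3:PutObject unless the request asks for SSE-KMS.
    cond = stmt.get("Condition", {}).get("StringNotEquals", {})
    return (stmt.get("Effect") == "Deny"
            and "s3:PutObject" in _as_list(stmt.get("Action"))
            and cond.get("s3:x-amz-server-side-encryption") == "aws:kms")


def _allow_principals(stmt):
    # Principals granted by an Allow statement; "*" means anyone.
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return ["*"] if principal.get("AWS") == "*" else _as_list(principal.get("AWS"))
    return []


def audit_bucket(bucket):
    # Returns a list of findings; an empty list means all three controls are present.
    findings = []
    enc = bucket.get("default_encryption") or {}
    if enc.get("SSEAlgorithm") != "aws:kms":
        findings.append("default encryption is not SSE-KMS")
    statements = json.loads(bucket["policy"])["Statement"]
    if not any(_denies_insecure_transport(s) for s in statements):
        findings.append("no Deny of non-TLS access")
    if not any(_denies_unencrypted_put(s) for s in statements):
        findings.append("no Deny of PutObject without SSE-KMS")
    expected = tenant_role_arn(bucket["tenant"])
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _allow_principals(stmt):
            if principal != expected:
                findings.append(f"Allow grants {principal}; expected only {expected}")
    return findings


# Constructed sample: an unhardened bucket for tenant "acme" (public read, SSE-S3 only).
WEAK_BUCKET = {
    "tenant": "acme",
    "default_encryption": {"SSEAlgorithm": "AES256"},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-phi/*"}]}),
}

# Constructed sample: the same bucket with the three controls in place.
HARDENED_BUCKET = {
    "tenant": "acme",
    "default_encryption": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/acme-phi"},
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "TenantRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": tenant_role_arn("acme")},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::acme-phi", "arn:aws:s3:::acme-phi/*"]},
        {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::acme-phi", "arn:aws:s3:::acme-phi/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::acme-phi/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}]}),
}

if __name__ == "__main__":
    for name, bucket in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(bucket) or "OK")
```

The per-tenant check is deliberately strict: any Allow principal other than the tenant's own role is reported, including a wildcard, because the isolation described above only holds if the bucket-per-tenant layout is backed by an equally narrow access policy.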