Security & Trust

Security at Gravicity

Your content is your business. We protect it with enterprise-grade infrastructure, encryption at every layer, and a security-first engineering culture.

Infrastructure

Built on modern cloud infrastructure with security at every layer.

Hosting

Gravity Studio is hosted on enterprise-grade cloud infrastructure in Canada, ensuring data residency compliance for Canadian organizations.

Redundant architecture with automated failover ensures high availability.

Encryption

In transit: All data encrypted with TLS 1.2 or higher. HSTS enforced across all endpoints.

At rest: AES-256 encryption for all stored data, including database contents and file uploads.

Backups

Automated daily backups with point-in-time recovery. Backups are encrypted and stored in geographically separate locations.

Backup restoration is tested regularly to ensure data recoverability.

Data Protection

Your data is isolated, access-controlled, and audit-logged.

Tenant Isolation

Each workspace operates in complete isolation. Data is logically separated at the database level, ensuring no cross-tenant data access.

Access Controls

Role-based access control (RBAC) with granular permissions. Administrators can define custom roles and control access to individual content types and operations.

Audit Logging

Every content change, login event, and administrative action is recorded in an immutable audit log. Logs include user identity, timestamp, action, and affected resources.

Authentication

Secure access with modern authentication standards.

Multi-Factor Authentication

MFA support for all accounts. Administrators can enforce MFA across their organization for an additional layer of security.

SSO Integration

Single Sign-On via SAML 2.0 and OpenID Connect. Integrate with your existing identity provider for centralized user management.

Role-Based Access

Fine-grained permissions with predefined roles (Admin, Editor, Reviewer, Viewer) and custom role creation. Principle of least privilege enforced by default.

Compliance

Our compliance posture and roadmap for industry certifications.

PIPEDA (Active)

Full compliance with Canada's Personal Information Protection and Electronic Documents Act, including breach notification (s. 10.1), consent management, and data retention requirements.

Quebec Law 25 (Active)

Privacy Impact Assessments, privacy-by-default settings, cookie consent mechanisms, and data portability rights as required by Quebec's modernized privacy framework.

GDPR (Active)

Data processing agreements, Standard Contractual Clauses for cross-border transfers, data subject rights fulfillment, and 72-hour breach notification for EU/EEA users.

CASL (Active)

Full compliance with Canada's Anti-Spam Legislation for all electronic communications, including express consent requirements and unsubscribe mechanisms.

SOC 2 Type II (Planned)

Working toward SOC 2 Type II certification covering Security, Availability, and Confidentiality Trust Service Criteria. Our current security practices are aligned with the SOC 2 framework.

AI Data Handling

How we protect your data when AI features are used.

No Training on Your Data

Under our commercial API agreements with AI providers, your data is never used to train AI models. Your content remains yours.

Encrypted Processing

All data sent to AI providers is encrypted in transit. We use only providers with enterprise-grade data processing agreements and security certifications.

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a potential security issue in Gravity Studio, we encourage you to report it responsibly.

Report a Vulnerability

Please email our security team with details of the vulnerability. Include steps to reproduce, potential impact, and any suggested fixes.

security@gravicity.io

We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days. We will not take legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.

Have Security Questions?

Our team is available to discuss your security requirements, provide compliance documentation, or answer questions about our security practices.
