Trust Center

This page answers the first security and vendor review questions teams ask before they put Gramm into production.

Core infrastructure providers

Application hosting
SOC 2 Type II
Database & authentication
SOC 2 Type II
Payment processing
PCI DSS Level 1
Caching & rate limiting
SOC 2 Type II

Encryption

In transit
All data encrypted via TLS 1.3. API endpoints enforce HTTPS. No plaintext connections accepted.
At rest
Database encrypted with AES-256. Backups encrypted. File storage encrypted.
API keys
Stored as SHA-256 hashes. Plaintext shown once on creation, never stored or logged. Keys are prefixed (grmm_) for easy identification.

Access Controls

API auth
Bearer token authentication on all endpoints. Per-user rate limiting with sliding window prevents abuse.
Dashboard
Session-based authentication with OAuth (Google, GitHub) or email/password. Protected routes require authenticated sessions.
Database
Row-Level Security enabled on all tables. Service-level access restricted to backend API routes only.

How Gramm handles data

Input data
Gramm ingests publicly available grid demand data from US ISOs and weather data from public sources. No customer data is used as model input.
Forecasts
Pre-computed on schedule and served from cache. API queries do not trigger model inference. No customer-specific model training.
Logging
Request metadata logged for rate limiting and billing. Response bodies are not logged. Logs retained for 35 days maximum.

Incident Response

In the event of a security incident affecting customer data:

  • Affected users notified within 72 hours
  • Incident details published on our status page
  • Root cause analysis shared with affected customers
  • Remediation timeline communicated

Report a vulnerability: hello@gramm.ai with subject “Security”.

Need a questionnaire or architecture notes?

Send your review packet and timeline to hello@gramm.ai. Gramm can complete security questionnaires and provide procurement support during review.

Common questions from security and procurement teams

Is Gramm SOC 2 certified?

Gramm is not currently SOC 2 certified. Core infrastructure providers are SOC 2 Type II certified, and Gramm supports procurement review with current controls, questionnaires, and architecture materials.

Where is data stored?

Primary database in US East. Application served from global edge network. Cache in US West. All within SOC 2 certified data centers.

Do you have a security questionnaire?

Yes. Email hello@gramm.ai and we will complete your vendor security questionnaire.

Can I delete my data?

Yes. Delete your account from Dashboard → Settings, or email us. All data permanently deleted within 30 days.