Security at Grasp

We hold your AI inventory, so security is not optional: it is the product.

Grasp is built in the EU, for European teams. Every layer, from data residency to access control, is designed so the most security-conscious teams can trust us with the map of their AI landscape.

Security foundations

Six pillars behind every byte you trust us with

Security is not a checklist we caught up with after the fact. It shaped the architecture, and these are the principles we hold ourselves to in every release.

Encryption everywhere

AES-256 at rest, TLS 1.3 in transit (TLS 1.2 minimum). Customer-managed keys (BYOK) are available on enterprise plans, with envelope encryption for the most sensitive fields.

Zero-trust by default

Every request is authenticated, authorised, and logged. There is no implicit network trust: service-to-service traffic is mutually authenticated and uses short-lived credentials.

Least-privilege access

SSO, MFA, and role-scoped permissions out of the box. SCIM provisioning, just-in-time (JIT) access for engineers, and granular audit trails for everything.

Continuous monitoring

24/7 detection across our infrastructure, backed by immutable audit logs. We alert on anomalies in seconds, not after the fact.

Tested by people who break things

Independent penetration tests every release cycle, a private bug bounty programme, and continuous vulnerability scanning across our supply chain.

Secure by design SDLC

Mandatory code review, signed commits, dependency scanning on every PR, and a hardened build pipeline. Security reviews happen before the merge, not after the incident.

Your data, your terms

Built around your data, not ours

The map of your AI estate is among the most sensitive datasets a vendor can hold. We treat it that way: storage you choose, access you authorise, and ownership you keep.

Trusted data storage

Tiered storage tuned to data sensitivity. EU-resident, with optional pinning to a specific EU region on higher plans. Your data is never used to train or fine-tune any AI model.

Legal-grade access control

Zero-trust throughout: no user or system is implicitly trusted. Engineer access to customer data requires your written approval, is time-bound, and is fully logged.

Full ownership and flexibility

Your data, your decisions. Configurable retention, BYOK encryption keys, SSO and SCIM, plus a one-click data export.

Compliance & residency

The certifications and guarantees your auditors care about

We meet European companies where they are with EU-based infrastructure, the frameworks they are held to, and the documentation to prove it.

ISO 27001 aligned

Controls mapped to ISO 27001. Certification audit underway. We can share our current Statement of Applicability under NDA.

SOC 2 Type I (Type II in progress)

Type I report available today; Type II observation period in progress. Reports shared directly with prospective customers on request.

GDPR-native

Built around the GDPR from day one. Clear DPA, sub-processor list, and data subject rights tooling included on every plan.

EU data residency

Hosted entirely in the European Union. Your data does not leave the EU without your written approval, and on higher plans you choose which EU region it lives in.

Frequently asked

Answers to the questions security teams ask first

If something is missing here, your account team can answer it directly under NDA.

How is our data encrypted?

All data is encrypted in transit using TLS 1.3 (TLS 1.2 minimum) and at rest with AES-256. Enterprise customers can manage their own encryption keys (BYOK) for additional control, and we use envelope encryption for the most sensitive fields.

Where is our data stored?

Grasp is hosted entirely in the European Union. On higher plans you choose which EU region your data lives in. We never transfer customer data outside the EU without your written approval.

Do you train AI models on our data?

No. Your data is yours. We never use customer data to train, fine-tune, or evaluate our own models or any third-party model.

Can Grasp employees access our data?

By default, no Grasp employee can access customer data. For support-related issues, access requires your written approval, is time-bound, and is fully audit-logged.

Which authentication and access controls are available?

SSO via SAML or OIDC, enforced MFA, SCIM user provisioning, and role-scoped permissions out of the box. Every action is recorded in an immutable audit log that you can stream out to your own tooling.

How do you test your own security?

Independent penetration tests run every release cycle using an assume-breach methodology, so testers start from a compromised foothold rather than from the perimeter. We also operate a private bug bounty programme and run continuous vulnerability scanning.

What happens to our data when the contract ends?

On contract termination, you can request a full export of your data. After the agreed wind-down window, all data is permanently deleted, with deletion certificates available on request.

Which frameworks and certifications do you cover?

We are aligned to ISO 27001 (certification audit underway) and SOC 2 (Type I report available, Type II observation period in progress), Grasp is GDPR-native, and we publish how our controls map to the EU AI Act, NIS2, and ISO 42001.