Security & privacy

What ends up with Grantigo stays with Grantigo.

We know information about your business is sensitive. Security isn't a feature; it's the foundation we build on. Here's how, in plain language.

GDPR · Data within EU (Frankfurt)
Zero Data Retention
EU-US Data Privacy Framework
EU AI Act · Limited-risk
SSO & SCIM 2.0

Technical overview

Data protection and system integrity at Grantigo.

An overview of technical and organisational measures under GDPR Art. 32. Design choices, remaining trade-offs and references to relevant standards.

Network isolation

Defence in depth between the application layer and the data layer.

Transport
TLS for all external HTTP traffic (client ↔ API). Data in transit is encrypted.
Internal traffic
API ↔ database over a private Docker network. The database port is not publicly exposed.
Ref: OWASP ASVS V9 (Communication)

Privacy-focused logging

Structured logging (Serilog) with deliberate restraint on personal data in cleartext.

Content
Technical events and reference IDs (e.g. ProjectId) are prioritised over direct identifiers.
Debugging
Verbose debug channels are environment-controlled and disabled in production.
Caveat: some reference identifiers can still be correlated with individuals; analysis is ongoing.
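As an added illustration of the two logging rules above (not Grantigo's own code), this Serilog configuration reduces an applicant record to its ProjectId before it reaches any sink and gates Debug output on the environment name; the Applicant record, the "Development" environment name, the ASPNETCORE_ENVIRONMENT variable and the Serilog.Formatting.Compact package are assumptions.

```csharp
using System;
using Serilog;
using Serilog.Core;
using Serilog.Events;
using Serilog.Formatting.Compact;

// Assumed record: what the service holds about an applicant organisation.
public sealed record Applicant(Guid ProjectId, string Email, string OrganisationName);
// Destructuring policy: an Applicant logged as {@Applicant} is reduced to its
// reference ID, so Email and OrganisationName never reach the sink in cleartext.
public sealed class ApplicantRedactionPolicy : IDestructuringPolicy
{
    public bool TryDestructure(object value, ILogEventPropertyValueFactory factory,
                               out LogEventPropertyValue result)
    {
        if (value is Applicant a)
        {
            result = new StructureValue(new[]
            {
                new LogEventProperty("ProjectId", new ScalarValue(a.ProjectId)),
            });
            return true;
        }
        result = null!;
        return false;
    }
}

public static class LoggingSetup
{
    // Debug output only when the environment explicitly says so (assumed name
    // "Development"); anything unknown is treated as production, the safe default.
    public static Logger Build(string environment)
    {
        bool verbose = string.Equals(environment, "Development", StringComparison.OrdinalIgnoreCase);
        return new LoggerConfiguration()
            .MinimumLevel.Is(verbose ? LogEventLevel.Debug : LogEventLevel.Information)
            .Destructure.With<ApplicantRedactionPolicy>()
            .WriteTo.Console(new CompactJsonFormatter())
            .CreateLogger();
    }
    public static void Main()
    {
        using Logger log = Build(Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "");
        var applicant = new Applicant(Guid.NewGuid(), "anna@example.org", "Example AB"); // constructed sample
        // The @ operator matters: without it Serilog calls ToString(), and a record's
        // ToString() prints every member, email included.
        log.Information("Eligibility check started for {@Applicant}", applicant); // ProjectId only
        log.Debug("Raw applicant payload: {@Applicant}", applicant); // suppressed outside Development
    }
}
```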

Erasure & anonymisation

Differentiated handling when exercising the right to erasure (GDPR Art. 17).

Accounts
Hard delete of identity and personal settings, not just deactivation.
Feedback
Anonymisation: the link to the individual is removed, but aggregated signal is retained for model evaluation.
External systems
Deletion instructions are forwarded to data processors (e.g. Stripe).
Trade-off: model utility vs. stricter erasure, documented and auditable.

Continuous verification

Security is treated as an ongoing process, not a one-off check.

Static analysis
SAST in CI; container scanning via Trivy and Checkov.
Dynamic analysis
DAST against deployed environments.
Payments
PCI scope is minimised by delegating card handling to Stripe; no card data enters our systems.
Ref: NIST SSDF, OWASP SAMM

Data minimisation

Each field is justified by the core service: matching organisations to grants.

What
Financial KPIs and a business description, required for eligibility assessment.
Business objects
Soft delete with time-bounded retention for restoration; distinct from accounts.
Ref: GDPR Art. 5(1)(c) Data minimisation

Your data never trains our AI

What you share is used solely to match you to funding; it is never used to train AI models or shared with third parties.

Zero Data Retention
AI calls go through OpenAI under a ZDR agreement. No drafts persist with the model provider.
No reuse
Your project descriptions are yours. Period.
Ref: EU AI Act · Limited-risk classification

"What ends up with Grantigo stays with Grantigo."

This overview describes our current implementation. Documentation, threat model and DPIA are available on request for research collaborations and Enterprise evaluation.

Frameworks & standards

What we follow, and how we apply it.

Not a checkbox exercise. Each framework is reflected in how the product is actually built.

GDPR

Full compliance

Data Processing Agreement (DPA) included for Enterprise. Hard delete on account removal.

Status: Active

EU-DPF

Data Privacy Framework

Applied for data transfers to subprocessors per Schrems II.

Status: Active

EU AI Act

Limited-risk classification

Transparent model documentation, decision support, data handling.

Status: Active

VR

Swedish Research Council, AI guidelines

AI detection on drafts flags passages that need human language.

Status: Active

SSO/SCIM

SAML 2.0 / OIDC / SCIM 2.0

Federation with Azure AD, Okta, ADFS. Automated lifecycle management.

Status: Enterprise

Procurement

Kammarkollegiet framework

Available for software and cloud services. ISO 27001 on roadmap.

Status: Active

What we don't do

Security is also what you choose not to do.

Clear commitments, so you don't have to guess.

For compliance teams

Documentation you can reference.

Need a DPA, security overview or threat model for internal audit? Reach out, we'll send it.

Questions for the security team?

Reach out; we answer concretely.

Compliance questions are typically answered within one business day. For Enterprise evaluation we book a technical walkthrough with our DPO.