Security and Compliance

GRAX is a purpose-built high-security data processing app designed to deliver an efficient backup, archive, and restore experience while satisfying the regulatory and compliance requirements that customers face. Security is a primary design factor in all components of the GRAX app, including infrastructure designs.

Fully Committed

At GRAX we know we are in the privileged position of handling our customers' most valuable asset - their data. We are committed to our customers and their reliance on GRAX to handle their data correctly and in accordance with the regulatory frameworks they need to comply with. As an organization, we are committed to operating with honesty, integrity, and compliance.

Certifications, Audits, and Reviews

GRAX has been audited to achieve SOC 2 Type 2 compliance across the platform. Alongside our security audits, our Salesforce Managed Package has been vetted and passed a rigorous and ongoing security review by Salesforce. GRAX is deployed into public cloud ecosystems and builds upon the security and compliance posture of those underlying services. For details on our compliance audit, email GRAX Support.

If you require the provision of a BAA to support your HIPAA compliance, email GRAX Support.

GRAX provides customers with mechanisms for authorized users to permanently delete data related to an individual (or multiple individuals). This feature is available within all product offerings.

Salesforce customers can support their PCI compliance by using Encrypted Custom Fields as the mechanism to store sensitive payment data in their Salesforce app. The GRAX app respects the Salesforce sharing and permissions model, so individual customers can configure the GRAX user with "View Encrypted Data" permission according to their needs. Data that is handled by GRAX is encrypted in transit using TLS 1.2 and data at rest can be encrypted according to the service provider chosen.

Salesforce Features

GRAX fully adheres to Salesforce's field and encrypted visibility settings. If a field is hidden from a user of your Salesforce org, they are unable to view that data in GRAX in any capacity. If fields are encrypted in Salesforce, GRAX must have the related permissions to view that data before it can back it up or modify it.

Infrastructure Providers

The GRAX app can be run in a number of public cloud providers. GRAX uses AWS as a primary infrastructure provider, but also supports customer-managed installations in Azure and GCP. For the underlying security and compliance documentation for those platforms, please refer to the relevant provider's documentation.

Data Protections

All data is encrypted in-flight with TLS 1.2 and encrypted at rest with each provider's standard data storage encryption (that is AWS's AES-256).

Server Protections

The GRAX app server only processes and responds to HTTPS requests. HTTP requests are ignored/rejected.

Secrets Management

GRAX uses the app database for storage of the configuration values that control connections to storage and Salesforce as well as licensing information. it's recommended that the entire database storage volume be encrypted by default; regardless, GRAX encrypts the secrets additionally before they are stored in the database. This means that even users with access to the database cannot read those values without the key utilized by the GRAX app.

In the Salesforce Managed Package, GRAX uses a Protected Custom Setting inside Salesforce to store tokens required for authentication. This is recommended practice as part of the Secure Coding Guidelines provided by Salesforce.

Legacy Heroku

Previous versions of the GRAX Platform have been deployed to customers using the Heroku PaaS. Heroku provides customers a network isolated environment called a Private Space that has previously been used when provisioning GRAX for customers. If you would like the compliance and security information that is particular to this type of legacy configuration, please contact GRAX Support.