
How Graphite Works With Client Data Securely

Secure communication, document transmission, and client data isolation throughout the engagement.


Security extends to every point of contact between Graphite and the client — the channels we use, the way sensitive documents move between us, and the habits on both sides that keep client data protected throughout the engagement.

This article walks through how communication and collaboration are secured, how client data stays isolated to each engagement, and what clients can do to keep the posture strong.

Client Data, Isolated by Design

Every client at Graphite operates in a fully isolated environment.

Each client is assigned a dedicated, isolated Google Drive, accessible only to the Graphite team members actively working on that engagement. Every document requires specific, named access — sharing is permission-based and tracked at the file level. The policy is enforced and monitored organization-wide in real time by DoControl, which catches and auto-remediates any violation the moment it happens.

The same isolation applies to credentials. Every client has a dedicated 1Password vault, accessible only to employees assigned to the engagement, protected by zero-knowledge encryption. Credentials, access tokens, and sensitive account details stay siloed within the vault for each engagement. Stored secrets remain encrypted at every layer, with access logged and auditable.

This isolation model is what allows Graphite to guarantee that activity on one account stays fully contained to that account.

The Channels

Every channel Graphite uses to communicate with clients is selected and configured with security as a primary criterion. Each one is monitored, logged, and held to the broader security standard.

Channels and their security properties:

  • Email (Mimecast-protected): All inbound and outbound email passes through Mimecast's security gateway. Malicious attachments are sandboxed before delivery. Phishing attempts are intercepted before reaching inboxes. All email transmission uses TLS encryption in transit.
  • Slack: Secure messaging for real-time client and internal communication. Enterprise-grade encryption in transit and at rest. Access governed by invite-only workspace controls and monitored for data exfiltration patterns.
  • Google Drive: Each client has a dedicated, isolated Google Drive accessible only to the Graphite team members assigned to that engagement. Access is permission-based and tracked at the file level. All sharing activities are logged and monitored in real time.
  • SafeSend: Dedicated secure file delivery platform for sensitive documents — tax returns, financial statements, legal documents. Provides encrypted file transfer, recipient authentication, and a full delivery audit trail.
  • Karbon: Client-facing project management and workflow collaboration tool. Provides a structured, auditable communication layer for managing engagements, requests, and deliverables.

The CSS will confirm during onboarding which channels are required and walk through how to work within each one.

Sending and Receiving Sensitive Documents

For documents that carry sensitive financial or legal content — tax returns, financial statements, ownership records, audit materials — Graphite uses SafeSend for secure transmission.

SafeSend provides three specific protections:

  • Encrypted file transfer end to end, so documents in transit are protected against interception.
  • Recipient authentication, ensuring only the intended person can open the document.
  • Delivery audit trail, so every send, open, and download is logged and traceable.

When Graphite sends a SafeSend link, the client receives an email with a secure link and authentication prompt. The document stays within the SafeSend platform, with full encryption and authentication controls from send to receipt.

What Clients Can Do

Security is a shared responsibility. The controls on Graphite's side are strongest when matched by good practices on the client’s:

  • Strong, unique passwords on the systems you grant Graphite access to — accounting platforms, banking, payroll, and similar. Use a password manager wherever possible.
  • Multi-factor authentication on company email, cloud storage, and financial systems. MFA is one of the single most effective controls against credential compromise.
  • Prompt communication on staffing changes. When a team member joins or leaves — especially someone with access to financial systems — let the CSS know right away. Graphite will update access accordingly on our side.
  • Flag anything that looks off. Unexpected login prompts, strange emails claiming to be from Graphite, suspicious system behavior — raise it with the CSS immediately.

Reporting a Suspected Security Issue

Contact your CSS right away about anything that looks like unauthorized access, unusual activity on a Graphite-managed system, a phishing email claiming to be from Graphite, or any other security concern. For the full submission process — what to include in the message, what to expect back, and how requests are routed — see How to Submit Requests. For genuinely urgent issues, mark the message URGENT in the subject line. Your CSS will pull in IT and escalate internally right away.

Where to Go From Here

For the internal controls, authentication, and infrastructure protecting client data on Graphite's side, see How We Protect Your Data. For how Graphite's employees are trained and how we prepare for unexpected events, see Our People and How We Prepare.