Skip to content
English
Contact us
  • There are no suggestions because the search field is empty.

How We Protect Your Data

The internal controls, infrastructure, and standards that keep client data safe on Graphite's side.

Client data is protected by a layered system of internal controls — access discipline, encryption, infrastructure security, and continuous testing. Each layer is designed to reduce risk on its own and reinforce the others. This article walks through each piece.

For how these controls extend to the channels clients and Graphite use to communicate, see How Graphite Works With Client Data Securely.

Access Control

Every Graphite employee operates under a strict least-privilege model. Access is granted only where there's a specific, documented business need — no broad or default access to client data, internal file systems, or third-party platforms outside the scope of an individual's role.

Access is also fully automated. When an employee joins, changes roles, or departs, permissions are adjusted instantly based on predefined role-based rules. That eliminates the two most common sources of access risk: human error from manual provisioning, and lag between a role change and its corresponding permission update. Every access change is logged, producing a complete audit trail with no gaps.


Access discipline stays clean over time through a structured review cycle:

  • Routine audits of all user permissions across cloud and on-premises systems.
  • Immediate revocation when an employee departs — no waiting period.
  • Quarterly reviews of third-party integrations and API access.
  • Controlled escalation — any request for expanded access requires a documented approval workflow.

The combination of automated provisioning, least-privilege access, and continuous review is how Graphite prevents access sprawl, one of the leading causes of data breaches across the industry.

Infrastructure Security

Data is protected at every layer of Graphite's infrastructure — in motion, at rest, and in use.

  • Encryption key access Access to cryptographic material is restricted to authorized users with a documented business need. General employees do not have access to encryption keys.
  • Authentication Every system and application requires authentication via unique username and password or authorized SSH keys. Shared credentials are not permitted anywhere in the environment.
  • Anti-malware Anti-malware technology is deployed across every environment susceptible to attack. Definitions update routinely, activity is logged, and the solution runs on all relevant systems.
  • Portable media All portable and removable media devices are blocked at the endpoint level.
  • Password policy Credentials across every in-scope system component are required to conform to Graphite's password policy. Weak or non-compliant passwords aren’t permitted.

Email Security

Email is one of the most common areas for security threats, which is why Graphite protects it through three integrated layers of defense:

  • Mimecast (core gateway) All inbound and outbound email passes through Mimecast's security gateway. Spam is filtered, malicious attachments are sandboxed before delivery, impersonation attempts are intercepted, and email continuity is maintained even during server outages.
  • Mimecast Email Security (advanced threat protection) A layer on top of the core gateway that adds targeted threat intelligence, URL rewriting and click-time protection, and enhanced phishing detection — catching sophisticated threats that get past standard filters.
  • Mimecast Incyder (internal anomaly detection) Monitors internal-to-internal email patterns to detect insider threats, account compromise, and unusual data movement within the organization — surfacing issues that originate from inside the environment.

Endpoint Protection

Every device running Graphite operations is monitored and protected by SentinelOne — an AI-powered endpoint detection and response platform deployed on all employee devices. SentinelOne provides real-time behavioral analysis, autonomous threat containment, rollback capabilities for ransomware, full endpoint visibility, and active threat hunting across the entire device fleet. Protection covers zero-day threats and evolving attack patterns as they emerge.

Testing and Verification

Controls are only valuable if they hold up under pressure. Graphite tests the environment on a continuous cycle:

  • Penetration testing External pen testing is performed at least annually by independent assessors. A formal remediation plan follows every test, and identified vulnerabilities are resolved within defined SLAs.
  • Control self-assessments Internal control self-assessments run at least annually to verify that documented controls are in place and operating effectively. Corrective actions are tracked and closed within committed SLAs.
  • Vulnerability and system monitoring Formal policies define requirements for ongoing vulnerability management and continuous system monitoring, so threats are identified and addressed systematically rather than reactively.

Third-Party Vendor Standards

Client data lives in an ecosystem — Graphite's systems, the platforms the service team uses, and the tools that support the broader operation. Every third-party provider in that ecosystem is held to the same standard Graphite holds itself to.

Every vendor in the stack is required to maintain SOC 2 compliance. File storage, communication platforms, password management, endpoint protection, billing — no exceptions. If a provider doesn't meet the standard, they don't make it into the workflow.

Where to Go From Here

For how these controls extend to communication, document transmission, and day-to-day collaboration with you, see How Graphite Works With Client Data Securely. For employee training, device security, and how Graphite prepares for incidents, see Security Training, Response, and Resilience.