Security Practices At Graphite
How security is structured at Graphite, what's independently verified, and where to find more detail on each piece.
Trust starts with knowing how client data is handled.
Graphite works with financial data — the kind that runs businesses, supports your fundraises, and sits at the center of every decision leadership teams make. Protecting that data is not a checkbox exercise, and security isn't a feature of the engagement. It's the foundation underneath it.
This article gives an overview of how security is structured at Graphite, what's independently verified, and where to find the specifics on each piece of the posture.
The Security Posture
Graphite's approach is built on five layers, each with its own set of controls, practices, and tooling. Every layer is designed to work with the others so protection compounds instead of stacking unevenly.
Access control
Every Graphite employee has only the access required to do their specific job — nothing more. Access is provisioned automatically based on role, adjusted instantly when a role changes, and revoked the moment an employee departs. Regular audits keep permissions clean over time, and every access change is logged and auditable.
Infrastructure and encryption
Data is encrypted at rest on every company-managed device, encrypted in transit through every communication channel, and protected by multi-factor authentication, unique credentials, and enterprise-grade endpoint security. Infrastructure is continuously monitored for threats and tested annually by independent penetration testers. More in How We Protect Your Data.
People
Every Graphite employee completes mandatory annual security awareness training — covering phishing, credential hygiene, incident reporting, and secure data handling. Personal devices aren't permitted to access client data, and every company-issued device runs under centralized management with full-disk encryption and real-time threat detection. More in Security Training, Response, and Resilience.
Partners
Every third-party platform in Graphite's stack — file storage, communication tools, password management, endpoint protection — is required to maintain SOC 2 compliance. If a vendor doesn't meet the standard, they don't make it into the workflow. More in How We Protect Your Data.
Resilience
Incident response plans, business continuity and disaster recovery plans, data backup policies, and cybersecurity insurance are all formally documented and tested annually. Risk assessments run on a yearly cycle to keep the defense strategy current against evolving threats. More in Security Training, Response, and Resilience.
Client Data, Isolated by Design
Each client is assigned a dedicated Google Drive, accessible only to the Graphite team members actively working on that engagement. No "anyone with the link" sharing is permitted — every document requires specific, named access — and the policy is enforced and monitored organization-wide in real time by DoControl, which catches and auto-remediates any violation the moment it happens.
The same isolation model applies to credentials. Every client has a dedicated 1Password vault, accessible only to employees on the engagement, protected by zero-knowledge encryption. Access tokens, login credentials, and sensitive account details for one client are completely siloed from every other.
This isolation is what makes it possible to guarantee that activity on one account can't affect any other. More on how the infrastructure and tooling works in How We Protect Your Data.
Independently Verified: SOC 2
Security practices at Graphite are independently audited and verified against the same formal standards applied to enterprise software providers and financial institutions.
Graphite maintains SOC 2 certification — the leading audit standard for service organizations handling sensitive data. SOC 2 reports are issued by independent auditors and evaluate controls across five Trust Service Criteria set by the AICPA: security, availability, processing integrity, confidentiality, and privacy. Graphite's certification covers security, availability, confidentiality, and privacy.
What that means in practice:
- Graphite's controls are verified by an external auditor against the same standard used by enterprise software providers and financial institutions.
- The certification is renewed annually, which means the posture stays current rather than drifting against evolving standards.
- Clients, prospects, and their security or compliance teams can request a copy of the current SOC 2 report by reaching out to their CSS (or AE, during the sales process). The report is available under NDA.
SOC 2 certification is also the standard Graphite extends outward — to every vendor in the stack, to every platform that touches client data, and to every partner handling work on Graphite's behalf.
Secure Collaboration With You
Every channel Graphite uses to communicate with clients is selected and configured with security as a primary criterion — email, Slack, Google Drive, SafeSend for sensitive document delivery, and Karbon for structured workflow collaboration. Each one is protected by enterprise-grade controls, monitored for unusual activity, and designed to work within the broader security posture.
Security is a shared responsibility, and the controls on Graphite's side are strongest when matched by good practices on yours — strong passwords, multi-factor authentication on your own systems, and prompt communication about staffing changes or access concerns on your end. More in How We Work With You Securely.
Where to Go From Here
The rest of the security content is organized into three deeper articles in the knowledge base:
- How We Protect Your Data: Access control, encryption, authentication, infrastructure, client data isolation, and third-party vendor standards.
- How Graphite Works With Client Data Securely: Communication channels, document transmission, secure collaboration practices, and what you can do on your side.
- Security Training, Response, and Resilience: Employee training, device security, incident response, business continuity, and risk management.
For security questions that aren’t answered across these articles, reach out to the CSS. For security concerns that need immediate attention — suspected unauthorized access, unusual system behavior, or anything that looks off — see How to Submit Requests for how to flag it so the CSS and IT can respond quickly.