Security, privacy and compliance — transparent by default
Everything security, privacy and legal teams need to evaluate Gryphin in one place — including an honest account of what we have built, what we rely on our providers for, and what is still on the roadmap.
Compliance & frameworks
We would rather tell you what we don't have than let you assume it. Gryphin is not SOC 2 or ISO 27001 certified today — here is exactly where we stand.
NZ Privacy Act 2020
Our home jurisdiction
Gryphin is built by Laika Dynamics Ltd, a New Zealand company, and operates under the Information Privacy Principles.
GDPR
Aligned; formal review underway
We follow GDPR principles for EU/UK personal data — lawful basis, data minimisation, access and erasure rights.
CCPA / CPRA
Aligned; formal review underway
We honour access, deletion and opt-out rights for California residents. We do not sell personal information.
SOC 2 Type II
Not yet certified — on our roadmap
Independent audit of security, availability and confidentiality controls.
ISO 27001
Not yet certified — longer-term goal
International standard for information security management systems.
Security questionnaires
Answered within a few business days
Send us your vendor assessment and we will complete it honestly, including the controls we do not yet have.
How we keep your data safe
Six pillars of our security program, engineered into the product rather than bolted on afterwards.
Encryption everywhere
AES-256 at rest and TLS 1.3 in transit, provided by Supabase for the database and Vercel for the application layer. HTTPS is enforced on every Gryphin domain.
Least-privilege access
Postgres Row Level Security enforces workspace boundaries on every query, so a request can only ever reach data its account owns. Role-based permissions govern what members can do inside a workspace.
Multi-factor authentication
TOTP-based two-factor authentication is available on every account, using any standard authenticator app. Sessions are managed by Supabase Auth.
Monitoring & abuse prevention
Sentry captures application errors and performance regressions in real time. Rate limiting on our APIs and Cloudflare Turnstile on public forms block automated abuse.
Managed infrastructure
Gryphin runs on Vercel with a Supabase-managed Postgres database and Cloudflare in front for CDN and DDoS protection. We patch by deploying, not by babysitting servers.
Privacy by design
We collect only what's required to operate the product. Customer data is never used to train AI models.
Where your data lives, and what we do with it
The infrastructure behind Gryphin
We run on managed platforms rather than servers of our own, so availability and patching are handled by providers who do it at scale. We don't publish an uptime SLA yet — if you need contractual availability terms, talk to us first.
Continuity
Our database backups, redundancy and failover come from Supabase and Vercel at the platform level. We monitor the application layer ourselves.
- Vercel global edge deployment
- Supabase-managed Postgres with automated backups
- Cloudflare DDoS protection and WAF
- Sentry alerting on application errors
Who we work with
The third parties that help us deliver Gryphin, updated whenever this list changes. Subscribe to be notified of any additions.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Application hosting, edge delivery, CDN | Global edge |
| Supabase | Postgres database, authentication, file storage, realtime | Provider-managed |
| Cloudflare | DNS, CDN, DDoS protection, Turnstile bot protection | Global edge |
| Stripe | Payment processing & billing | Global |
| Resend | Transactional email delivery | United States |
| Sentry | Error and performance monitoring | United States |
| PostHog | Product analytics and feature usage insights | United States |
| OpenAI | AI model provider for AI-powered features | United States |
| OpenRouter | AI model routing for task breakdown, chat and suggestions | United States |
Last updated July 2026. We give notice before adding a new sub-processor that processes customer data. Google Workspace APIs are also used, but only for the Calendar and Drive integrations and only once you connect them.
Documents & policies
Our published policies are below. We don't yet have a standalone security whitepaper, DPA or SCC pack — if your legal team needs specific data processing terms, contact us and we'll work through them with you.
How we collect, use and protect personal data.
The legal terms governing your use of Gryphin.
Every third party that touches customer data.
Send us yours — we'll complete it and answer follow-ups.
How to report a vulnerability, and what happens next.
Get told before we add a new processor of customer data.
Responsible disclosure
Found a vulnerability? Thank you. Email security@gryphin.app with reproduction steps. We're a small team, so we aim to acknowledge reports within two business days and will happily credit you publicly if you'd like.
- · gryphin.app & subdomains
- · The Gryphin web application
- · Our public API endpoints
- · Rate limiting / DoS testing
- · Social engineering
- · Third-party integrations