Gryphin Trust Center

Security, privacy and compliance — transparent by default

Everything security, privacy and legal teams need to evaluate Gryphin in one place — including an honest account of what we have built, what we rely on our providers for, and what is still on the roadmap.

AES-256
Encryption at rest
TLS 1.3
Encryption in transit
Postgres RLS
Tenant isolation
TOTP
Multi-factor auth
Compliance

Compliance & frameworks

We would rather tell you what we don't have than let you assume it. Gryphin is not SOC 2 or ISO 27001 certified today — here is exactly where we stand.

NZ Privacy Act 2020

Our home jurisdiction

Aligned

Gryphin is built by Laika Dynamics Ltd, a New Zealand company, and operates under the Information Privacy Principles.

GDPR

Aligned; formal review underway

In progress

We follow GDPR principles for EU/UK personal data — lawful basis, data minimisation, access and erasure rights.

CCPA / CPRA

Aligned; formal review underway

In progress

We honour access, deletion and opt-out rights for California residents. We do not sell personal information.

SOC 2 Type II

Not yet certified — on our roadmap

Roadmap

Independent audit of security, availability and confidentiality controls.

ISO 27001

Not yet certified — longer-term goal

Roadmap

International standard for information security management systems.

Security questionnaires

Answered within a few business days

On request

Send us your vendor assessment and we will complete it honestly, including the controls we do not yet have.

Program

How we keep your data safe

Six pillars of our security program, engineered into the product rather than bolted on afterwards.

Encryption everywhere

AES-256 at rest and TLS 1.3 in transit, provided by Supabase for the database and Vercel for the application layer. HTTPS is enforced on every Gryphin domain.

Least-privilege access

Postgres Row Level Security enforces workspace boundaries on every query, so a request can only ever reach data its account owns. Role-based permissions govern what members can do inside a workspace.

Multi-factor authentication

TOTP-based two-factor authentication is available on every account, using any standard authenticator app. Sessions are managed by Supabase Auth.

Monitoring & abuse prevention

Sentry captures application errors and performance regressions in real time. Rate limiting on our APIs and Cloudflare Turnstile on public forms block automated abuse.

Managed infrastructure

Gryphin runs on Vercel with a Supabase-managed Postgres database and Cloudflare in front for CDN and DDoS protection. We patch by deploying, not by babysitting servers.

Privacy by design

We collect only what's required to operate the product. Customer data is never used to train AI models.

Data protection

Where your data lives, and what we do with it

Encryption at rest
AES-256
Applied by Supabase to the database and file storage.
Encryption in transit
TLS 1.3
Enforced on every connection to Gryphin.
Tenant isolation
Postgres RLS
Row Level Security policies on customer tables.
Multi-factor auth
TOTP
Available on every account, any authenticator app.
Bot protection
Turnstile
Cloudflare Turnstile plus API rate limiting.
Deletion
On request
Delete your account and we remove your data.
All systems operational

The infrastructure behind Gryphin

We run on managed platforms rather than servers of our own, so availability and patching are handled by providers who do it at scale. We don't publish an uptime SLA yet — if you need contractual availability terms, talk to us first.

Vercel
Hosting
Supabase
Database
Cloudflare
Edge & WAF
Ask us about availability

Continuity

Our database backups, redundancy and failover come from Supabase and Vercel at the platform level. We monitor the application layer ourselves.

  • Vercel global edge deployment
  • Supabase-managed Postgres with automated backups
  • Cloudflare DDoS protection and WAF
  • Sentry alerting on application errors
Sub-processors

Who we work with

The third parties that help us deliver Gryphin, updated whenever this list changes. Subscribe to be notified of any additions.

Sub-processorPurposeRegion
VercelApplication hosting, edge delivery, CDNGlobal edge
SupabasePostgres database, authentication, file storage, realtimeProvider-managed
CloudflareDNS, CDN, DDoS protection, Turnstile bot protectionGlobal edge
StripePayment processing & billingGlobal
ResendTransactional email deliveryUnited States
SentryError and performance monitoringUnited States
PostHogProduct analytics and feature usage insightsUnited States
OpenAIAI model provider for AI-powered featuresUnited States
OpenRouterAI model routing for task breakdown, chat and suggestionsUnited States

Last updated July 2026. We give notice before adding a new sub-processor that processes customer data. Google Workspace APIs are also used, but only for the Calendar and Drive integrations and only once you connect them.

Responsible disclosure

Found a vulnerability? Thank you. Email security@gryphin.app with reproduction steps. We're a small team, so we aim to acknowledge reports within two business days and will happily credit you publicly if you'd like.

In scope
  • · gryphin.app & subdomains
  • · The Gryphin web application
  • · Our public API endpoints
Out of scope
  • · Rate limiting / DoS testing
  • · Social engineering
  • · Third-party integrations

Talk to our security team

Evaluating Gryphin for your organization? We'll help your security and legal teams work through their questionnaire.

Looking for enterprise controls?

Some controls enterprises ask for aren't built yet. SSO/SAML, SCIM provisioning and selectable data residency are on the roadmap, not available today — tell us what you need and we'll be straight with you about timing.

Gryphin is built by Laika Dynamics Ltd, a New Zealand company. Last updated: July 2026.