Security
Last Updated: March 3, 2026
Security is foundational to Gryffi. We understand that you're trusting us with your organization's training content and employee data. This page explains the security measures we implement to protect your information.
100% EU Infrastructure: All data processing occurs within the European Union. Our servers are in Germany, AI processing is in France, and we never transfer data outside the EU.
No US Cloud Dependencies: We use European infrastructure providers to ensure your data remains under EU jurisdiction and GDPR protection.
1. Infrastructure Security
Our infrastructure is designed with security and data sovereignty as core principles.
Hosting Environment
| Service | Provider | Location |
|---|---|---|
| Application Servers | Hetzner (ISO 27001 certified) | Nuremberg, Germany |
| Database | Hetzner | Nuremberg, Germany |
| Backups | OVHcloud (encrypted at rest) | Frankfurt, Germany |
| AI Processing | Mistral AI | France |
| Payment Processing | Paddle (PCI-DSS compliant) | EU/UK |
Network Security
- All traffic encrypted with TLS 1.2 or higher
- HTTPS enforced on all endpoints
- Regular security updates and patching
- Firewall protection with restricted access
2. Data Protection
Encryption
- In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2+
- Passwords: User passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plain text
- API Keys: API keys are securely hashed and can only be viewed once upon creation
Data Isolation
- Each organization's data is logically isolated in our database
- Strict access controls prevent cross-organization data access
- End users can only access journeys they've been explicitly invited to
Data Retention
- Deleted items are moved to trash and retained for 14-90 days depending on your plan
- After account deletion, data is permanently removed within 30 days
- Backups are retained according to your subscription tier (7-30 days)
3. Authentication & Access Control
For Makers (Administrators, Editors)
- Email/Password Authentication: Secure login with password requirements
- Two-Factor Authentication (2FA): Optional email-based verification code for additional security
- Session Management: Automatic session expiry and ability to sign out of all devices
- Failed Login Protection: Temporary account lockout after multiple failed attempts
Password Requirements
| Requirement | Minimum |
|---|---|
| Length | 8 characters |
| Uppercase letters | At least 1 |
| Lowercase letters | At least 1 |
| Numbers | At least 1 |
| Special characters | At least 1 |
For End Users (Journey Participants)
- Magic Link Authentication: Passwordless access via secure, time-limited email links
- Single-Use Tokens: Each magic link can only be used once
- No Password Storage: End users don't need to create or remember passwords
4. Role-Based Access Control
Gryffi implements granular permissions to ensure users only access what they need.
| Role | Permissions |
|---|---|
| Admin | Full access: manage organization, subscription, all journeys, guides, and users |
| Manager | Create and manage journeys, manage end users, view analytics |
| Editor | Create and edit assigned journeys only |
| Viewer | View-only access to journeys |
5. Backup & Recovery
We implement automated backup procedures to protect against data loss. All backups are fully encrypted at rest and stored separately from our primary infrastructure for additional redundancy.
| Feature | Professional | Enterprise |
|---|---|---|
| Daily Automated Backups | Yes | Yes |
| Backup Encryption | Encrypted at rest | Encrypted at rest |
| Backup Retention | 7 days | 30 days |
| Trash Retention | 30 days | 90 days |
| Backup Location | Frankfurt, Germany (OVHcloud) | Frankfurt, Germany (OVHcloud) |
6. Third-Party Security
We carefully vet all third-party services and limit them to EU-based or GDPR-compliant providers.
AI Processing (Mistral AI)
- AI Guides are powered by Mistral AI, a French AI company
- All AI processing occurs in France
- Your knowledge base content is used only to answer questions within your organization
- Mistral AI does not train on your data
Payment Processing (Paddle)
- Paddle is our Merchant of Record for all payments
- PCI-DSS Level 1 compliant
- We never store your credit card details
- All payment data is handled by Paddle's secure infrastructure
Directory Sync (Microsoft 365 / Google Workspace)
- Read-only access to user directories
- We never write to or modify your directory
- OAuth 2.0 authentication with minimal required scopes
- You can revoke access at any time
7. Compliance
GDPR Compliance
- Full compliance with EU General Data Protection Regulation
- Data Processing Agreements (DPA) available upon request
- Right to access, rectify, and delete your data
- Data portability supported
Our Hosting Provider
Hetzner Online GmbH, our hosting provider, maintains:
- ISO 27001 certification for information security management
- German data protection standards
- Physical security at data centers in Germany
Documentation
- Privacy Policy - How we collect and use data
- Terms of Service - Service agreement and responsibilities
- Data Processing Agreement - Available upon request for enterprise customers
8. Responsible Disclosure
We value the security research community and welcome responsible disclosure of potential vulnerabilities.
Reporting Security Issues
If you discover a security vulnerability, please report it to us responsibly:
- Email: info@gryffi.com
- Subject: "Security Vulnerability Report"
- Include: Detailed description, steps to reproduce, and potential impact
Our Commitment
- We will acknowledge receipt within 48 hours
- We will investigate and keep you informed of our progress
- We will not take legal action against researchers who follow responsible disclosure practices
- We will credit researchers who help improve our security (with permission)
Please Do Not
- Access or modify other users' data
- Perform denial of service attacks
- Send spam or phishing attempts
- Publicly disclose vulnerabilities before we've had a chance to fix them
9. Security Best Practices for Users
Help us keep your account secure by following these recommendations:
For Administrators
- Enable Two-Factor Authentication for all admin accounts
- Use strong, unique passwords
- Regularly review team member access and remove inactive users
- Use role-based access control—give users only the permissions they need
- Review the audit log for unusual activity
For All Users
- Never share your login credentials
- Log out when using shared devices
- Report suspicious emails claiming to be from Gryffi
- Keep your browser and operating system updated
10. Contact Us
If you have questions about our security practices or need additional information for your security assessment:
- General Security Questions: info@gryffi.com
- Data Processing Agreement Requests: info@gryffi.com
- Security Vulnerability Reports: info@gryffi.com
We're committed to maintaining the highest security standards and are happy to discuss our practices with prospective customers.