Trust Center

Built to be examined.

BlackGrid asks regulated institutions to run AI agents on our platform — a request that deserves evidence, not assurances. This page is the evidence: an independent audit, third-party attack testing, and the controls program behind both. Every document is one request away.

security@blackgrid.ai

SOC 2 TYPE II

The short version

Eight facts before the paperwork.

Audited, end to end

SOC 2 Type II across all four operative Trust Services categories — Security, Confidentiality, Processing Integrity, and Availability.

Independently attacked

Third-party penetration testing of the application and APIs; every high- and medium-risk finding remediated and verified closed on retest.

Encrypted by default

TLS for data in transit, AES for data at rest, and lifecycle key management with logged key operations.

Least-privilege access

Named individual accounts, SSO and MFA wherever supported, justified privileged access, and quarterly access reviews.

Tested resilience

Nightly automated backups with restore testing, plus annual disaster-recovery exercises — tabletop and technical.

A real ISMS

47 board-approved policies aligned to ISO 27001 Annex A and mapped to SOC 2 criteria, with internal audits and management reviews.

Screened, trained people

Background checks in hiring, security awareness through a standing communication programme, and acceptable-use rules on every device.

Your data stays yours

Customer data is never used to train models, and deleted data is permanently removed within 30 days of account closure.

Independent verification

Don't take our word for it.

SOC 2 Type II

An independent service auditor's examination of the Black Grid system — not just whether controls are designed well, but whether they operated effectively over the observation period.

Auditor: Prescient Assurance LLC
Criteria: Security · Confidentiality · Processing Integrity · Availability

Restricted-use report; shared with customers and prospects under NDA.

Penetration testing

Independent web-application and API penetration testing by Cacilian, rated on the OWASP risk model — with remediation verified by retest, not self-attested.

Tester: Cacilian
Latest report: July 2025
Critical findings: 0
High & medium findings: All remediated — verified closed on retest (January 2025)

Remaining low-severity hardening items are tracked to closure. Full report under NDA.

How we operate

The controls behind the attestations.

Six domains, drawn directly from the policy set our auditors test against. The policies themselves are in the document library below.

Infrastructure & operations

Production runs on Microsoft Azure and Google Cloud — the SOC 2 report's named subservice organizations — with their physical and environmental controls reviewed as part of the program.
Cloud providers pass due diligence before sign-up, with contracts and service-level agreements required by policy.
Changes follow a documented change-management process; software installation is policy-controlled.
Internal and external vulnerability scans run on a defined cadence; high-severity results are remediated and re-scanned until resolved.
Logging and monitoring cover the activity of authorized and unauthorized users alike.

Data protection

Data is encrypted in transit (TLS) and at rest (AES), with a lifecycle approach to key management and audited key operations.
A four-part classification scheme governs how information is labelled, handled, stored, and disposed of — down to removable media and end-of-life hardware.
Customer data is retained while an account is active and permanently removed within 30 days of closure, except where law requires retention.
Customer data is never used to train models.
Privacy and personal-data protection obligations are codified in policy, including a documented breach-notification procedure covering regulators and affected individuals.

Access control

Least privilege is the default: access is denied unless explicitly granted, and every account belongs to a named individual — no shared or generic logins.
Single sign-on is used where systems support it; multi-factor authentication is required wherever it is available.
Privileged (administrator) access is separately justified, restricted, and reviewed.
Access is revoked promptly at termination, with heightened precautions for sensitive cases.
Compliance with the access-control policy is reviewed quarterly.

People security

Background checks — including criminal-record screening and reference verification — are part of the hiring process.
A standing information-security communication programme keeps security awareness current across the team.
Acceptable-use, electronic-messaging, and password policies set the rules on every system; a company-approved password manager is required.
Remote working and mobile devices are governed by policy, including procedures for lost or stolen devices.

Resilience & incident response

Customer data is automatically backed up every night, and backups are restore-tested.
The disaster-recovery plan is exercised annually — tabletop and technical — alongside a business-continuity testing schedule.
A documented incident-response procedure convenes the response team within 24 hours, with defined severity levels and post-incident review.
A personal-data breach notification procedure governs when and how regulators and affected individuals are informed.

Governance & suppliers

A designated Information Security Officer owns the ISMS; policies are approved at board level and reviewed on a defined cadence.
Internal audits, management reviews, and a nonconformity-management procedure keep the program honest between external audits.
Risk management follows a documented framework integrated with the control set.
Suppliers pass an information-security due-diligence assessment before engagement and are bound by contract.
A HIPAA Business Associate policy governs engagements that involve protected health information.

Document library

The paperwork, on request.

Reports and the full board-approved policy set. Nothing here is a public download — we review every request and share documents under NDA, typically within two business days.

REPORTS & ATTESTATIONS

Validated — SOC 2 Type II report

Validated — Penetration test report

GOVERNANCE & RISK

Validated — Information Security Policy

Validated — Risk Management Framework

Validated — Information Security Communication Programme

Validated — Procedure for the Control of Documented Information

Validated — Process for Monitoring, Measurement, Analysis and Evaluation

Validated — Internal Audit Overview and Approach

Validated — Procedure for Management Reviews

Validated — Procedure for the Management of Nonconformity

Validated — Legal, Regulatory and Contractual Requirements Procedure

PEOPLE

Validated — HR Security Policy

Validated — Employee Screening Procedure

Validated — Acceptable Use Policy

Validated — Remote Working and Mobile Device Policy

Validated — Password Policy

Validated — Electronic Messaging Policy

DATA PROTECTION

Validated — Data Classification Policy

Validated — Information Classification Procedure

Validated — Information Labelling Procedure

Validated — Asset Handling Procedure

Validated — Asset Management Policy

Validated — Procedure for the Management of Removable Media

Validated — Procedure for Managing Lost or Stolen Devices

Validated — Procedure for the Disposal of Media

Validated — Records Retention and Protection Policy

Validated — Data Deletion Policy

Validated — Privacy and Personal Data Protection Policy

Validated — Cryptographic Policy

ACCESS CONTROL

Validated — Access Control Policy

INFRASTRUCTURE & OPERATIONS

Validated — Cloud Computing Policy

Validated — Physical Security Policy

Validated — Change Management Process

Validated — Backup Policy

Validated — Logging and Monitoring Policy

Validated — Software Policy

Validated — Technical Vulnerability Management Policy

SECURE DEVELOPMENT

Validated — Secure Development Policy

SUPPLIERS

Validated — Information Security Policy for Supplier Relationships

Validated — Supplier Due Diligence Assessment Procedure

Validated — Supplier Information Security Evaluation Process

Validated — Business Associate Policy (HIPAA)

RESILIENCE & INCIDENTS

Validated — Information Security Incident Response Procedure

Validated — Personal Data Breach Notification Procedure

Validated — Physical Incident Response Policy

Validated — Business Continuity Incident Response Procedure

Validated — Business Continuity Exercising and Testing Schedule

Validated — Disaster Recovery Plan

Validated — Responsible Disclosure Policy

Subprocessors

Who we rely on.

Subprocessors and service providers with their purpose
Provider	Purpose	Relationship
Microsoft Azure	Cloud hosting, compute, and managed databases for the platform	Production subservice organization (per SOC 2 report)
Google Cloud Platform	Cloud hosting and backup services for the platform	Production subservice organization (per SOC 2 report)
Vercel	Hosting for the marketing website (no customer platform data)	Business operations
Google Workspace	Corporate email and document collaboration	Business operations
HubSpot	CRM and website forms	Business operations
Google Analytics	Website analytics (consent-gated)	Business operations

Current as of June 2026. We notify customers of material subprocessor changes per contract.

Responsible disclosure

Found something? Tell us.

We work openly with good-faith security researchers and commit to not pursuing legal action for research conducted under our disclosure policy.

Report vulnerabilities to security@blackgrid.ai — proof-of-concept detail helps us triage.
We respond within two business days, share a remediation timeline after triage, and keep an open dialog.
Coordinated disclosure: we agree timelines together before anything is published, and credit researchers after the fix.

The full Responsible Disclosure Policy is available in the document library above.

Frequently asked questions

How do I get the SOC 2 report or penetration test report?

Use the request form on this page (or email security@blackgrid.ai). Both are restricted-use documents, so we review each request and share them under NDA — typically within two business days.

What does your SOC 2 Type II cover?

The examination covers the Security, Confidentiality, Processing Integrity, and Availability Trust Services categories. It is a Type II report, meaning the auditor tested that controls operated effectively over an observation period — not just that they were designed sensibly on paper.

Where does the platform run?

Production runs on Microsoft Azure and Google Cloud, which are documented as subservice organizations in the SOC 2 report. Deployment specifics for your environment are covered during diligence.

Is customer data used to train AI models?

No. Customer data is not used to train models. Access inside the platform is permissioned at the field level, and every agent action is logged — that audit trail is the product.

What happens to our data if we leave?

Customer data is retained while the account is active. After closure, data enters a 30-day expired state and is then permanently removed, except where law requires retention. You can export your data before closing the account.

How often do you test your own security?

Continuously through vulnerability scanning (high-severity findings are remediated and re-scanned until resolved), and through independent penetration testing with retest verification of every high- and medium-risk finding. The disaster-recovery plan is exercised annually.

Will you complete our security questionnaire?

Yes. Submit it through the request form or email security@blackgrid.ai and we'll return it — the document library on this page usually answers the bulk of it.

Do you sign HIPAA Business Associate Agreements?

We maintain a HIPAA Business Associate policy, and where an engagement involves protected health information we will work through BAA requirements with your team.

Diligence moves faster with documents in hand.

Request what you need — or send us your questionnaire.

PREFER EMAIL? SECURITY@BLACKGRID.AI