Security at Griddy
How we protect your data — from encryption and access controls to automated data purging and privacy safeguards.
Encryption in transit & at rest
TLS 1.2+ at the edge. Datastores encrypted at rest in AWS-managed services.
No AI model training
We never use customer data to train models.
30-day data retention
Prompt logs are purged after 30 days. We do not store full spreadsheet files.
Secure authentication
Strong password rules and optional 2FA for accounts.
PII filtering in logs
Error monitoring is configured to limit sensitive data collection.
Infrastructure & payments
Hosted on AWS. Payments are processed by Stripe — we never store card numbers.
Privacy & data rights
Privacy commitments
- ✓ Consent-based analytics with opt-in/opt-out controls
- ✓ We do not sell or share personal information for advertising
- ✓ Sub-processor list published in our Privacy Policy
- ✓ Data Processing Addendum (DPA) available for Teams
- ✓ We notify users of material privacy policy changes
Data rights support
- ✓ Access, correction, and deletion requests via support
- ✓ Account deletion on request
- ✓ Breach notifications in line with applicable law
Data handling
| Category | Details |
|---|---|
| What we store | Account data, billing identifiers, prompt text, and usage metadata |
| What we don't store | Full spreadsheet files, payment card numbers (handled by Stripe), or long-term AI response content |
| Prompt log retention | 30 days — then deleted or anonymized. Aggregate usage counts are retained. |
| Account data retention | Deleted on request, with limited records retained for abuse prevention |
| Payment records | Payments are processed by Stripe; we retain billing metadata as required for accounting |
| Sub-processors | Full list with purposes and locations available in our Privacy Policy |
Need a security review?
We're happy to walk through our security practices, fill out your security questionnaire, or discuss a custom DPA for your organization.
Contact Security