Security at Griddy

How we protect your data — from encryption and access controls to retention controls and privacy safeguards.

TLS 1.2+ at the edge. Datastores encrypted at rest in AWS-managed services.

We do not use customer content to train models without explicit opt-in.

Standard mode: interaction content up to 30 days and metadata up to 90 days. Privacy mode: metadata-only logs.

Strong password rules and optional 2FA for accounts.

Error monitoring is configured to limit sensitive data collection.

Hosted on AWS. Payments are processed by Stripe — we never store card numbers.

Privacy & data rights

Category	Details
What we store	Account data, billing identifiers, saved web-app spreadsheets, interaction logs (in Standard mode), and operational usage metadata
What we don't store	Payment card numbers (handled by Stripe) or long-term AI response content
Interaction content retention	Standard mode: up to 30 days for prompts, tool inputs/outputs, and model responses; then deleted.
Operational metadata retention	Up to 90 days for timestamps, tool names, status, latency, token/cost usage, and error codes; then deleted or anonymized.
Account data retention	Deleted on request, with limited records retained for abuse prevention
Payment records	Payments are processed by Stripe; we retain billing metadata as required for accounting
Sub-processors	Full list with purposes and locations available in our Privacy Policy

How we collect, use, and protect your data

Service terms, AI disclaimers, and acceptable use

Standard DPA available for Teams customers

We're happy to walk through our security practices, fill out your security questionnaire, or discuss a custom DPA for your organization.