Security & Trust
Greymill is an AI-powered platform used by businesses to handle sensitive operational, legal, financial and HR conversations. We treat the protection of your data as a foundational obligation, not a compliance exercise. This page describes the technical, organisational, and contractual measures we apply to protect customer information, the third-party services we rely on, and how to reach our security team.
1. Our security philosophy
We build on managed, audited infrastructure rather than reinventing it. We use industry-standard cryptography and a small, deliberately curated set of service providers. We default to least privilege, encryption everywhere, and short retention windows. We document our processes so that controls survive personnel changes. Where we are still maturing toward a formal certification, we say so plainly rather than imply otherwise.
2. Infrastructure and hosting
The Greymill application runs on a leading serverless cloud platform with a primary database hosted in the European Union (Frankfurt region). All customer data at rest is held within EU jurisdictions. Our underlying compute and storage providers operate facilities certified to ISO/IEC 27001, SOC 2 Type II, ISO/IEC 27017 (cloud security) and ISO/IEC 27018 (PII in public clouds). We do not operate our own physical infrastructure; we rely on the security investment of these providers and inherit the controls audited under their certifications.
3. Encryption
- In transit: All connections between your browser, the Greymill application, and our service providers are protected by TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced on greymill.ai with a two-year max-age and preload submission. We do not accept unencrypted connections.
- At rest: Database storage is encrypted with AES-256 by our database provider. Backup volumes are encrypted with the same standard. Object storage and edge cache layers are encrypted by the underlying platform.
- Passwords: Customer passwords are never stored. We persist only a salted bcrypt hash with a per-account salt. Plain-text passwords are not logged, cached, or transmitted to any service provider.
- Secrets: Application secrets (database keys, API keys, signing keys) are held only in our cloud platform's encrypted environment-variable store and are never committed to source control.
4. Authentication and access control
Customer authentication uses email and password with a short-lived session token bound to the device on which it was issued. Failed login attempts are rate-limited per email address and per source IP address; sustained failures trigger a temporary lockout. We surface email-verification, account-recovery and session-termination flows in-product so customers stay in control of their access.
Internally, access to production systems is restricted to a small number of named operators. Engineering access requires multi-factor authentication on every source identity provider (code repository, hosting platform, database) and is logged. Access is reviewed at least quarterly and revoked the same business day for any change in role.
5. Application security
- Input validation and CSP: A strict Content Security Policy is enforced at the edge. Inline scripts are limited to first-party origins and our analytics provider. Frame embedding is denied (X-Frame-Options: DENY); the site is also protected from MIME sniffing and is referrer-policy hardened.
- Dependency hygiene: We track upstream security advisories on our runtime and library dependencies and apply patches within fourteen days of public disclosure for issues rated High or Critical.
- Code review: All production code is committed via reviewed pull requests on a private repository protected by branch rules and required two-factor authentication on contributor accounts.
- CORS: API endpoints accept requests only from the production Greymill origin. Cross-origin requests from arbitrary domains are rejected.
6. Data residency and international transfers
Customer account data is stored in the European Union. Where personal data is transferred to a service provider located in the United States or another third country (notably for AI inference, hosting and edge delivery, or transactional email), we rely on the European Commission's Standard Contractual Clauses or the equivalent UK International Data Transfer Agreement, supplemented by encryption in transit and at rest. We do not transfer customer data to any jurisdiction not covered by an adequacy decision or appropriate safeguards.
7. Logging, monitoring and incident response
Application and infrastructure logs are retained for a rolling 30-day period for the purpose of operational diagnostics and security investigations. Logs are scoped to metadata; conversation contents are not written to general-purpose logs. We monitor authentication anomalies (unusual login locations, repeated failures, unexpected privilege use) and database error rates.
If we detect or are notified of a security incident affecting customer personal data, we will: contain and triage the incident within commercially reasonable timeframes, notify the UK Information Commissioner's Office within 72 hours where required, and notify affected customers without undue delay where the incident is likely to result in a high risk to their rights and freedoms. Customers can request a written incident summary at any time during a live investigation.
8. Backups and continuity
Our database is continuously replicated and snapshotted by our database provider with point-in-time recovery available across the retention window. Application code and configuration are reproducible from version-controlled sources. We do not maintain customer-side backups on local hardware; recovery is performed entirely from managed cloud sources.
9. Customer responsibilities
Greymill secures the platform; customers secure their accounts. We strongly encourage every account holder to: use a unique, long passphrase; promptly act on any verification or security email; never share credentials between users (each member of your business should have their own login when this becomes available); and report any suspected unauthorised access immediately to support@greymill.ai.
10. Compliance posture
Greymill is registered with the UK Information Commissioner's Office and operates under the UK and EU General Data Protection Regulations. We are working toward a SOC 2 Type II attestation as our customer base grows; we will publish the attestation here once issued. We do not currently store or process payment card data ourselves, and the platform does not handle protected health information (PHI) or other special categories of data on a routine basis. Customers in regulated industries should consult our Privacy Policy and contact us before using Greymill for any workflow involving regulated data.
11. Reporting a security issue
We take security reports seriously and respond to credible disclosures from the security research community. To report a vulnerability, suspected breach, or other security concern, email support@greymill.ai with the subject line beginning "Security:". Please include a clear technical description and any proof-of-concept material. We commit to acknowledging credible reports within two business days and working with researchers in good faith. We do not pursue legal action against researchers acting in accordance with these guidelines.
12. Updates to this page
We update this page when our infrastructure, service providers, or security practices change. Material changes are reflected in the "Last updated" date above. Active customers will be notified by email at least 30 days before any change to our service providers that materially affects how personal data is processed.
Greymill Limited · Registered in England and Wales · Company number 17144930 · 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ