Security Disclosure

Last updated: 13 May 2026

TRACTIONGRC, INC. (“TractionGRC,” “we,” “our,” or “us”), a State of Washington corporation, is committed to protecting the confidentiality, integrity, and availability of information entrusted to us. This Security Disclosure describes the safeguards we use to protect information processed through the TractionGRC platform and outlines how users can help maintain a secure environment.

This disclosure is intended to complement our Privacy Policy and does not create contractual obligations or guarantees of absolute security.

1. Platform identity and secure communications

TractionGRC’s website and application are served over secure, encrypted connections that allow your browser or client to verify our identity before information is transmitted. We use industry-standard certificate-based authentication to help ensure that data is sent only to TractionGRC-controlled services and not to impersonators or unauthorized endpoints.

2. Positive identification

Our website and applications (collectively, the “Services”) are registered with site identification authorities to enable your browser to confirm our identity before any transmission is sent. With this technology, the identity of our Services is confirmed behind the scenes prior to the transmission of any personal information. Either your data reaches its intended destination, or, before any personal information is sent, your browser notifies you that the potential receiving site looks suspicious and should be avoided. We rely on the security representations and certifications made by Microsoft Azure for the infrastructure underlying the Services.

3. Data encryption

We use encryption technologies designed to protect information both in transit and at rest:

  • In transit. Communications with the TractionGRC platform are encrypted using modern TLS standards.
  • At rest. Customer data stored within the TractionGRC platform is encrypted using strong encryption mechanisms supported by our cloud infrastructure provider.

Payment card information is handled directly by our payment processor and is not stored on TractionGRC systems, except for limited billing metadata.

4. Cloud infrastructure and hosting

TractionGRC is hosted on Microsoft Azure infrastructure in the United States. We rely on Azure’s physical, environmental, and infrastructure security controls, including data center access controls, redundancy, monitoring, and resilience measures, as part of our overall security program.

5. Access controls and operational security

We implement administrative and technical safeguards designed to limit access to systems and data to authorized personnel only, including:

  • Role-based access controls.
  • Multi-factor authentication for internal systems.
  • Logging and monitoring of system activity.
  • Segregation of environments and duties where appropriate.

Access to customer data is restricted to authorized personnel and is permitted only as necessary for support, security, legal compliance, or service operation.

6. Artificial intelligence and security

TractionGRC offers artificial intelligence (“AI”) assisted functionality through TractionAI. Security considerations specific to AI include:

  • TractionAI uses enterprise AI services under contractual terms that prohibit the use of Customer Data, as defined in our Privacy Policy, for model training or improvement.
  • Information processed through TractionAI is used only at the time a response is generated and is not incorporated into shared, public, or consumer AI systems.
  • AI request and response logs may be retained for limited periods for security monitoring, abuse prevention, and compliance purposes, and are accessible only to authorized personnel.

TractionGRC does not use public or consumer AI services for TractionAI functionality.

7. Shared responsibility and user safeguards

While we implement safeguards designed to protect the platform, security is a shared responsibility. Users should:

  • Protect account credentials and enable available security features.
  • Restrict access to their workspace based on job role.
  • Review activity within their organization for unauthorized use.
  • Promptly notify TractionGRC of suspected security issues.

8. Vulnerability reporting

Despite our safeguards, vulnerabilities may still arise. If you believe you have identified a security issue affecting TractionGRC, please report it responsibly by contacting security@tractiongrc.com.

Please include, where possible:

  • A description of the issue.
  • The affected service or feature.
  • Steps to reproduce, if known.
  • Your contact information.

9. Responsible disclosure guidelines

We ask that individuals reporting vulnerabilities follow these guidelines.

9.1 Please do

  • Notify TractionGRC privately before public disclosure.
  • Provide sufficient detail to allow investigation and remediation.
  • Allow reasonable time for remediation prior to disclosure.
  • Coordinate with us if disclosure is planned for a conference or publication.

9.2 Please do not

  • Exploit vulnerabilities to access or alter data.
  • Disrupt service availability (for example, denial-of-service testing).
  • Engage in social engineering or phishing of users or employees.
  • Demand compensation or engage in vulnerability marketplaces without prior agreement.

TractionGRC does not currently operate a paid bug bounty program unless expressly stated otherwise.

10. No absolute guarantee

No system can be guaranteed to be completely secure. While we take reasonable steps to protect information, you acknowledge that unauthorized access, system failures, or security incidents may still occur.

11. Questions

For questions about this Security Disclosure or TractionGRC’s security practices, please contact:

TractionGRC, Inc.
Email: security@tractiongrc.com

For general questions, sales, partnerships, or support, please use our Contact page.