Security at BaristaGrid

Security is a first-class engineering discipline at BaristaGrid. This page summarizes the controls we put in place to keep your team's data safe in transit, at rest, and over time.

Last updated · May 1, 2026

We design BaristaGrid to be secure by default. Every feature is reviewed for data exposure, every change ships through a peer review, and every production environment is monitored continuously for anomalous behavior.

1. Infrastructure

  • Hosted on hardened, SOC 2 Type II audited cloud infrastructure with isolated production environments.
  • All traffic is encrypted in transit using TLS 1.2+ with modern cipher suites and HSTS preload enabled.
  • Customer data is encrypted at rest using AES-256, and database backups are encrypted and replicated across availability zones.
  • Secrets are managed through a centralized vault with strict IAM policies and full audit logging.

2. Identity & access

  • Single sign-on via Google and SAML providers (available on Business and Enterprise plans).
  • Role-based access control inside every workspace, with a documented least-privilege model.
  • Mandatory two-factor authentication for all BaristaGrid employees and contractors with production access.
  • Background checks and confidentiality agreements for everyone who handles customer data.

3. Application security

Our engineering team follows secure development lifecycle practices — including threat modeling, dependency scanning, static analysis, and mandatory code review. We engage independent security firms to perform penetration tests at least annually and after significant architectural changes.

4. Monitoring & incident response

A 24/7 monitoring stack watches the platform for performance anomalies and suspicious activity. We maintain a published incident response plan, run tabletop exercises quarterly, and commit to notifying impacted customers without undue delay in the event of a confirmed security incident.

5. Compliance

  • GDPR-aligned data processing terms, available on request.
  • CCPA / CPRA compliant — including verifiable consumer rights workflows.
  • Annual SOC 2 Type II reports available to customers under NDA.
  • Sub-processor list is reviewed quarterly and published for transparency.

6. Reporting a vulnerability

We welcome reports from the security community. If you believe you've found a vulnerability, please email security@baristagrid.com with a clear description and reproduction steps. We acknowledge all reports within two business days and treat researchers acting in good faith as partners.