The Short Version

If you're an IT lead, procurement officer, or principal evaluating [GRYD] for client engagements, here's what you need to know in 60 seconds.

Local-first by design

Lab results, screening output, and exceedance data live in your browser's IndexedDB and your Excel workbook. They don't move to our servers. Only public regulatory limits travel over the network.

Microsoft Entra External ID

Sign in with the same enterprise identity your team already uses. No separate password to manage, no shadow user directory, no on-prem AD federation required.

Defensible audit trail

Every screening run is stamped with the regulatory pack version, timestamp, and user. The audit trail lives in the workbook you already control — portable, archivable, regulator-ready.

Where Your Data Lives

An honest diagram of every place a piece of your data could be at rest or in transit.

YOUR ENVIRONMENT

Excel Workbook

  • Lab EDDs & raw analytical data
  • Site metadata, well locations
  • Screening results, exceedance tables
  • Audit-trail entries & run history

On your machine, encrypted at rest by your OS / OneDrive policies. Never copied to [GRYD] servers.

YOUR BROWSER

IndexedDB Cache

  • Session state for the add-in
  • Cached regulatory packs (for offline use)
  • User preferences & recent runs

Per-browser-profile, partitioned by origin. Clearable by the user at any time.

OUR CDN

Public Regulatory Limits

  • Alberta Tier 1 / Tier 2A guideline values
  • CCME criteria
  • Other provincial & US framework packs

Read-only, public information. Cached locally on first load so the app works offline.

MICROSOFT

Entra External ID

  • Sign-in & token issuance
  • Tenant & user identity
  • License entitlement check

Operated by Microsoft. We see who is signed in; we don't see what they're screening.

Authentication: Microsoft Entra External ID

[GRYD] doesn't run its own password store. We never see, hash, store, or transmit your password. Instead, we delegate authentication to Microsoft Entra External ID (formerly Azure AD B2C / External Identities).

That means:

  • Your team uses the same Microsoft identity they already use for Office 365
  • MFA, conditional access, and tenant-level policies your IT department already enforces apply transparently
  • No separate password to roll, rotate, or recover
  • Off-boarding a user from your Entra tenant immediately revokes their [GRYD] access
  • Tokens are short-lived and refreshed silently, following Microsoft's standard OAuth 2.0 / OIDC flows

  1. You click Sign In. Inside Excel.
  2. Microsoft Entra prompts you. Your normal corporate sign-in flow.
  3. Entra returns a token to [GRYD]. We never see your password.

You're in. Data stays local, you start screening.

Audit Trail & Defensibility

The defensibility of an environmental closure depends on being able to answer, two years later, "what guideline values were active when this run was made, and against what dataset?" The [GRYD] audit trail is purpose-built for that question.

  • Every run gets a unique ID, timestamp, and signed-in user attribution
  • Regulatory pack version stamped on each run (e.g. AB Tier 2A v2026.04)
  • Pathway, background, and ND policy snapshot preserved per run
  • Audit-trail data is stored in the workbook itself — portable, archivable, regulator-deliverable
  • Side-by-side diff between runs to surface exactly what changed between draft and submission

Run #2026-05-12-c (Current) · AB Tier 2A v2026.04 · CCME v2024.09 · User: a.vasquez@firm.com
Run #2026-04-18-a (Archived) · AB Tier 1 v2025.11 · User: s.li@firm.com
Run #2026-02-03-b (Archived) · AB Tier 2A v2025.10 · User: a.vasquez@firm.com
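
A run-to-run diff of the kind described above, as an added example that is not [GRYD]'s own code. The record layout, field names, timestamps and policy values are assumptions constructed for illustration; the run IDs, user and pack versions are the ones shown in the run history.

```javascript
// Added example: hypothetical record layout. Run IDs, user and pack versions are
// the ones in the run history above; timestamps and policy values are constructed.
const draft = {
  runId: "2026-02-03-b", user: "a.vasquez@firm.com",
  timestamp: "2026-02-03T15:04:00Z",
  packs: { "AB Tier 2A": "v2025.10" },
  policy: { pathway: "potable groundwater", background: "none", nd: "half detection limit" },
};
const submission = {
  runId: "2026-05-12-c", user: "a.vasquez@firm.com",
  timestamp: "2026-05-12T09:30:00Z",
  packs: { "AB Tier 2A": "v2026.04", "CCME": "v2024.09" },
  policy: { pathway: "potable groundwater", background: "none", nd: "zero" },
};

// Fields that identify a run and therefore always differ; excluded from the diff.
const IDENTITY = new Set(["runId", "timestamp"]);

// Flatten nested snapshot objects into keys such as "packs.AB Tier 2A".
function flatten(obj, prefix = "", out = {}) {
  for (const [k, v] of Object.entries(obj)) {
    const key = prefix ? `${prefix}.${k}` : k;
    if (v !== null && typeof v === "object") flatten(v, key, out);
    else out[key] = v;
  }
  return out;
}

// Report every snapshot field that was added, removed or changed between two runs.
function diffRuns(before, after) {
  const a = flatten(before), b = flatten(after);
  const keys = [...new Set([...Object.keys(a), ...Object.keys(b)])].sort();
  const changes = [];
  for (const field of keys) {
    if (IDENTITY.has(field)) continue;
    if (!(field in a)) changes.push({ field, change: "added", after: b[field] });
    else if (!(field in b)) changes.push({ field, change: "removed", before: a[field] });
    else if (a[field] !== b[field])
      changes.push({ field, change: "changed", before: a[field], after: b[field] });
  }
  return changes;
}

console.table(diffRuns(draft, submission));
```

A reviewer reading this output sees that the guideline pack moved between draft and submission, which is the question the audit trail exists to answer.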

Procurement FAQ

The questions that come up in every IT, legal, and procurement review. Honest answers.

Where is our data stored?

In two places, both yours: the Excel workbook on your machine (governed by your OneDrive / SharePoint / local-disk policies), and the IndexedDB store in your browser profile. Nothing about a screening run is persisted to [GRYD] infrastructure.

What about data residency for Canadian clients?

If your workbook is stored in a Canadian region of OneDrive / SharePoint, your data is in Canada. The CDN that serves regulatory packs uses geographically distributed read-only edges, but it only serves public regulatory text — not your data.

Can [GRYD] employees see our lab results?

No. We don't have a database of customer screening results because we don't store them. The only thing we can see is anonymized usage telemetry (e.g. "Decay Tracker chart was opened today") that you can disable in settings.

What happens when we uninstall the add-in?

Your workbook keeps working. Any screening outputs, exceedance tables, and audit-trail entries that were written into the workbook stay in the workbook. There is no vendor lock-in — uninstalling [GRYD] doesn't blank your data.

How does the AI co-pilot fit into this?

The Ask GRYD agent can be configured per organization: on-device inference, your own private endpoint, or off entirely. By default, the agent only receives the screening results from the current workbook, not raw lab data — and never persists conversation history outside your session.

Do you support SSO and SCIM?

SSO via Microsoft Entra External ID is the default sign-in path for every customer. SCIM-based provisioning for team workspaces is on the near-term roadmap — talk to us if you need it before general availability.

What's your incident response process?

Because we don't hold customer screening data, the typical "data breach" surface is much smaller than a SaaS competitor's. For any auth, identity, or infrastructure incident, our policy is direct notification of affected tenants within 72 hours, plus a public post on the changelog and security page.

Can we get a security questionnaire / SIG response?

Yes. Email security@grydlogic.com with your standard questionnaire (CAIQ, SIG Lite, custom) and we'll return a completed response.

Need More Detail?

We're happy to walk your security, IT, or procurement team through any of this on a call.

security@grydlogic.com