Granting access to data in your critical business systems takes trust. At Gradient, we recognize what that access means and take our responsibility to protect it seriously. We are committed to securing access to and data within our platform, minimizing the access permissions we request, and continuous security improvement.
Certified SOC 2 Type 2 Compliant
Customer data is protected using rigorous and closely monitored internal practices. Gradient MSP is certified as SOC 2 Type 2 compliant under the AICPA Service Organization Control framework, targeting the trust services criteria of Security, Privacy, and Confidentiality. Our security policies and standards, and SOC 2 Type 2 compliance status are verified annually through external third-party audits.
Identity and Access Management Standards
Unique system accounts are required to access any of Gradient's supporting infrastructure. User accounts are unique and identifiable to an individual user. Access to privileged accounts on the databases and servers supporting the application is restricted to authorized personnel based on job responsibilities and must be from a trusted location.
Gradient MSP Inc. enforces access to the supporting infrastructure and production environments through a combination of password and multi-factor authentication mechanisms. Password standards have been established and are enforced globally for all internal and external users.
Gradient Platform Access and Authentication
The Gradient MSP platform is accessible via encrypted HTTPS sessions to ensure confidentiality and integrity of sessions. Gradient's products' authentication is managed through Microsoft SSO or Google SSO utilizing their underlying MFA policies. Authentication is also available by using a secure expiring one-time access link via email (Magic Link).
Gradient MSP undergoes third-party audits against the AICPA Trust Services Criteria, and our SOC 2 report is available for partners to review upon request. While we are audited against the Trust Services Criteria, we consider regulatory compliance to be a component of our Information Security Program and not the entirety of it.
If there's a vulnerability in our application, we want to know about it! At Gradient, we're not interested in sweeping vulnerabilities under the rug - we are interested in fixing them, and we are grateful to the security researchers who notify us of their findings. See the full information about reporting vulnerabilities to us here.
Gradient MSP performs annual third-party penetration testing. Cobalt Labs conducts a gray-box penetration test of the Gradient Web + API application to assess its risk posture and identify security issues that could negatively affect Gradient MSP's data, systems, or reputation.
These tests manually assess the security of the application's functionality and business logic and look for vulnerabilities in them. The assessment also includes a review of the security controls and requirements listed in the OWASP Application Security Verification Standard (ASVS).
Gradient MSP's platform is hosted on the Amazon Web Services (AWS) Cloud platform. We rely on the appropriate physical and logical security controls at the corresponding AWS facility to protect equipment and information from unauthorized access. Confidential data transmitted through the Gradient platform is secured and protected using various access control and encryption technologies. The AWS cloud infrastructure hosting Gradient's system architecture has been certified to meet the third-party attestations and certifications of SOC 2, ISO 27001, GDPR, HIPAA, and FIPS 140-2.