Security at Grappler

We understand that the protection and security of our customer data is our most important responsibility.  

Product Security


  • Our Cloud-based platform is engineered for redundancy and availability.
  • Our platform uses techniques to auto-scale when demand is high.


  • User accounts and passwords are securely managed and all Passwords are hashed using a hashing function. Individual users can only reset their own password via a time restricted password reset link.
  • All Grappler staff are required to use a password vault manager. Staff are required to use 2-Factor authentication where available.

Network and application security

Data Hosting

  • Grappler does not host any servers, we are a cloud native service. We outsource this task to Google Cloud Platform (GCP). GCP security information can be found at,
  • We use GCP resources located in the GCP region agreed by our customers to meet their specific geographical security and compliance requirements.
  • The GCP resource are single tenanted, single instance of Grappler, for each client, and have strict controls to prevent one tenant from accessing another tenants data.
  • All of our GCP resource are within our own virtual private cloud with network access controls.


  • Database backup frequency is agreed with our clients to align with agreed service levels.

Data Storage

  • We use GCP Cloud Storage. Data at rest is encrypted.

Encryption & Sessions

  • Client Grappler instances are only accessed via HTTPS and the entire HTTPS web application framework is protected with SSL certification.
  • All network traffic is encrypted both inside and outside our network.

Additional security measures

ISO certification

  • Grappler is certified as compliant to ISO/ IEC27001:2013. You can download our certificate here. ISO 27001 is the only auditable international standard that describes best practices for an ISMS (information security management system). ISO27001 certification provides independent proof that our ISMS practices and procedures are safe and relevant.
  • Achieving accredited certification to ISO 27001 demonstrates that Grappler is following information security best practices and provides an independent, expert verification that information security is managed in line with international best practices and business objectives.

Segregation of duties

  • Grappler staff do not have access to your data. The exception to this is when our Customer Support team or Engineers need to debug issues or configure your account. Grappler Support staff actions may include managing remittance exceptions, monitoring unreconciled receipts, and reviewing/ completing any potential manual bank/ policy reconciliations required. As a Managed SaaS solution Grappler will administer all the rights, roles and user management on your behalf. In such circumstances, we will only access your data with your express permission.


  • All employees complete Security and Awareness training.
  • Grappler has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Best practices

  • Our internal Data Protection Policy states that customer data is never to be stored on local machines.
  • Production and Staging logins are separated between Support and Engineering Teams, meaning Engineers are not able to access Production Data without making a specific request.

Audit always on

  • Grappler provides comprehensive audit features across both automated ‘Grappler actions’ and also user driven actions and updates. Self serve and scheduled reporting of user rights and access is available for the client to ensure full transparency and management of who has access to what functions and rights.

Reach out to learn more about how we can add value to your business

We would be happy to arrange a time for a demonstration of our solution and learn a little more about your requirements.
Request a Demo