Inference only — never training
Your documents and figures are used only to produce your result. They never enter a training set — not ours, not a model provider's.
SOC 2 Type II audited. Zero-data-retention (ZDR) AI. Encryption, SSO, and audit logging by default.
This page is for the IT, security, legal, and procurement teams.
Your documents and figures are used only to produce your result. They never enter a training set — not ours, not a model provider's.
ZDR means exactly that: prompts, source evidence, and outputs aren't kept after the response is returned. Nothing lingers to "improve the model."
Each prompt contains data from a single tenant. Cross-tenant aggregation is excluded, and environment separation enforces isolation.
AI actions run under your identity and permission model. Service accounts are scoped, least-privilege keys are rotated, and the agent never sees more than you do.
We log request provenance, inputs supplied, and materialized outputs. Every action is traceable and exportable for security review.
Agents show their sources before a recommendation is accepted, and a person approves before any source record changes.
Your data is isolated per organization, never commingled, and governed by tenant-scoped access controls from day one.
TLS for data in transit and AES-256 at rest, with managed key rotation. Encryption is on by default, not a configuration step.
SSO/SAML, SCIM provisioning, RBAC, granular permissions, and org-chart-based data scoping — backed by an immutable audit log.
Gravity runs in a secure cloud environment using software-defined networking. It is fronted by a DDoS-protective firewall, load balancer, and CDN, plus intrusion detection and other security technology that locks down the perimeter.
Gravity supports SSO/SAML, MFA, SCIM, RBAC, granular permissions, and an audit log so you know who did what.
Assign roles that map to predefined permission sets. Admins, analysts, approvers, and viewers each get exactly the capabilities their job requires — nothing more.
Control access at the action level: who can view, edit, approve, or export, scoped to specific modules, workflows, and reporting boundaries.
Limit data visibility through your organizational hierarchy. Users see only the sites, entities, and emissions data their position in the org chart grants them.
Every login, data change, approval, and export is logged and available for your security review.
Every action in the Gravity UI has a matching API endpoint. You cannot bolt on being API-first. We ship a full OpenAPI spec and let your team spin up its own keys, so Gravity fits your data pipeline instead of fighting it.
A team that has sold into and integrated with enterprise IT for years. We speak SSO, audit logging, and change management — and we have been through the reviews before.
Formal, version-controlled policies — incident response, access reviews, vendor management, change control — written down and ready for your audit, not assembled on request.
Full audited report covering security, availability, and confidentiality. Grant access in the Trust Center.
Open in Trust Center →Latest third-party pen-test letter, scope, and remediation status for your security review.
Open in Trust Center →Where data lives, how it moves, encryption in transit and at rest, and isolation model.
Open in Trust Center →Current sub-processor list and GDPR-aligned terms available on request.
Open in Trust Center →Formal, version-controlled policies covering incident response, access reviews, vendor management, change control, cryptography, and more.
Open in Trust Center →The agreement governing use of the Gravity platform and services.
Read Terms of Service →How we collect, use, and protect your personal data.
Read Privacy Policy →Submit your security questionnaire and our team will respond same day or next day.
Ask us anything about our security posture. Our team typically responds same day or next day.
Most platforms require weeks of consultant-led training before teams can operate independently. Gravity ships with built-in guidance and structured learning paths — so adoption happens alongside the work, not before it.
Contextual banners on every key page explain the workflow, suggest next steps, and link to deeper resources.
Self-serve modules, walkthroughs, and comprehension checks organized by workflow — searchable and always current.
New to enterprise procurement? That's normal for sustainability teams. We bring procurement and IT in early and keep the heavy lifting self-serve — so you're coordinating, not chasing.
Evaluate fit with our team before any review begins. Bring procurement and IT to this one — earlier is easier for everyone.
Send your IT and security leads to the Trust Center. SOC 2, pen-test, and the questionnaire are waiting — no gate, no chasing.
Stand up a scoped environment with SSO and RBAC, and load a real reporting boundary while review runs in parallel.
Provision teams, wire up integrations through your iPaaS, and turn on audit exports for security operations.
We often hear these questions during procurement, so we're putting them here.