Security Overview

The Enterprise Platform.

SOC 2 Type II audited. Zero-data-retention (ZDR) AI. Encryption, SSO, and audit logging by default.

This page is for the IT, security, legal, and procurement teams.

Live posture
SOC 2 Type II Verified
Encryption & isolation Verified
SSO / SAML & RBAC Verified
Audit log Verified
Comprehensive REST API Verified
No training on your data Inference only
SOC 2 Type II posture
ZDR Zero data retention
SSO SAML · SCIM · RBAC
100+ Languages supported
AI governance

Your data trains nothing. AI that runs under your control.

Inference only — never training

Your documents and figures are used only to produce your result. They never enter a training set — not ours, not a model provider's.

Zero data retention (ZDR)

ZDR means exactly that: prompts, source evidence, and outputs aren't kept after the response is returned. Nothing lingers to "improve the model."

Partitioned & isolated

Each prompt contains data from a single tenant. Cross-tenant aggregation is excluded, and environment separation enforces isolation.

Same permissions, nothing more

AI actions run under your identity and permission model. Service accounts are scoped, least-privilege keys are rotated, and the agent never sees more than you do.

Auditable end to end

We log request provenance, inputs supplied, and materialized outputs. Every action is traceable and exportable for security review.

Cited, and human-approved

Agents show their sources before a recommendation is accepted, and a person approves before any source record changes.

Architecture

Isolated and encrypted by default.

Private by design

Your data is isolated per organization, never commingled, and governed by tenant-scoped access controls from day one.

Encrypted in transit & at rest

TLS for data in transit and AES-256 at rest, with managed key rotation. Encryption is on by default, not a configuration step.

Governed access

SSO/SAML, SCIM provisioning, RBAC, granular permissions, and org-chart-based data scoping — backed by an immutable audit log.

Secure cloud environment

Gravity runs in a secure cloud environment using software-defined networking. It is fronted by a DDoS-protective firewall, load balancer, and CDN, plus intrusion detection and other security technology that locks down the perimeter.

Access controls

Control exactly who can do what.

Gravity supports SSO/SAML, MFA, SCIM, RBAC, granular permissions, and an audit log so you know who did what.

Role-Based Access Control (RBAC)

Assign roles that map to predefined permission sets. Admins, analysts, approvers, and viewers each get exactly the capabilities their job requires — nothing more.

Granular permissions

Control access at the action level: who can view, edit, approve, or export, scoped to specific modules, workflows, and reporting boundaries.

Org-chart data scoping

Limit data visibility through your organizational hierarchy. Users see only the sites, entities, and emissions data their position in the org chart grants them.

Audit log integration

Every login, data change, approval, and export is logged and available for your security review.

Enterprise IT

Built for the way enterprise IT buys and integrates.

API-first and self-serve

Every action in the Gravity UI has a matching API endpoint. You cannot bolt on being API-first. We ship a full OpenAPI spec and let your team spin up its own keys, so Gravity fits your data pipeline instead of fighting it.

Real enterprise integration experience

A team that has sold into and integrated with enterprise IT for years. We speak SSO, audit logging, and change management — and we have been through the reviews before.

Documented policies & procedures

Formal, version-controlled policies — incident response, access reviews, vendor management, change control — written down and ready for your audit, not assembled on request.

Documentation

Everything lives in the Trust Center.

Compliance Available

SOC 2 Type II report

Full audited report covering security, availability, and confidentiality. Grant access in the Trust Center.

Open in Trust Center →
Security Available

Penetration test summary

Latest third-party pen-test letter, scope, and remediation status for your security review.

Open in Trust Center →
Architecture Available

Data-flow & hosting overview

Where data lives, how it moves, encryption in transit and at rest, and isolation model.

Open in Trust Center →
Legal Available

Sub-processors

Current sub-processor list and GDPR-aligned terms available on request.

Open in Trust Center →
Security Available

Information security policies and procedures

Formal, version-controlled policies covering incident response, access reviews, vendor management, change control, cryptography, and more.

Open in Trust Center →
Legal Available

Terms of Service

The agreement governing use of the Gravity platform and services.

Read Terms of Service →
Procurement Submit

Security questionnaire

Submit your security questionnaire and our team will respond same day or next day.

Support Ask

Have a security question?

Ask us anything about our security posture. Our team typically responds same day or next day.

Change management

Your team gets productive without a services engagement.

Most platforms require weeks of consultant-led training before teams can operate independently. Gravity ships with built-in guidance and structured learning paths — so adoption happens alongside the work, not before it.

6–8 wks Typical onboarding path
0 Required consulting hours

In-app guidance

Contextual banners on every key page explain the workflow, suggest next steps, and link to deeper resources.

Knowledge Base

Self-serve modules, walkthroughs, and comprehension checks organized by workflow — searchable and always current.

How buying works

A buying process that respects everyone's time.

New to enterprise procurement? That's normal for sustainability teams. We bring procurement and IT in early and keep the heavy lifting self-serve — so you're coordinating, not chasing.

Step 01

Start with a call

Evaluate fit with our team before any review begins. Bring procurement and IT to this one — earlier is easier for everyone.

Step 02

IT pulls the docs

Send your IT and security leads to the Trust Center. SOC 2, pen-test, and the questionnaire are waiting — no gate, no chasing.

Step 03

Pilot on real data

Stand up a scoped environment with SSO and RBAC, and load a real reporting boundary while review runs in parallel.

Step 04

Roll out

Provision teams, wire up integrations through your iPaaS, and turn on audit exports for security operations.

FAQs

The questions behind the questions.

We often hear these questions during procurement, so we're putting them here.