Granicus Security

The Granicus Security page was last updated on: November 6, 2024.

Overview

At Granicus, we partner with thousands of government agencies to reach millions of citizens with important communications, legislative meeting agendas, minutes and videos, vital personal records, and websites. We therefore make the security of your data a top priority. We use robust technical, physical, and organizational safeguards to protect your personal information from unauthorized access, use, or disclosure.

Encryption

We use encryption when transmitting and storing sensitive personal data. This includes technologies like SSL/TLS encryption for data in transit and encryption for data at rest in our databases.

Access Controls

Our systems are protected by secure access controls where only authorized personnel may access personal data. Controls include multi-factor authentication, password policies, blockchain-based access permissions, and more.

Data Minimization

We only collect the minimum amount of personal data needed to fulfill our purposes. Unnecessary data is securely disposed of or anonymized where possible.

Vulnerability Scanning

Our development team regularly scans applications for vulnerabilities. We address any critical or high-risk vulnerabilities before systems are put into production.

Security Monitoring

We monitor our systems 24/7 for security threats, anomalies, and incidents. Our team is promptly notified of alerts to respond and mitigate any issues.

Bug Bounty

We maintain a bug bounty program inviting white hat hackers to responsibly disclose vulnerabilities. Bounties incentivize security research while allowing us to remediate issues.

Incident Response

In the event of a breach, our dedicated incident response team follows established procedures for containing, investigating, and remediating the situation. We notify any users or applicable regulators in compliance with breach notification laws.

Audits

Reputable third-party auditors assess our security posture annually. We address any findings that result from these audits and leverage their expertise to guide security improvements.

Employee Training

Employees complete mandatory security awareness training when onboarded and annually thereafter. Training covers data protection and relevant secure practices for their role.

Asset Management

We maintain an inventory of all data assets holding personal information. Our asset management enables tracking and protection of sensitive data throughout its lifecycle.

Our compliance certifications

Stay on top of evolving regulatory expectations worldwide with our growing list of compliance certifications. Our cloud products regularly undergo independent verification of their security, privacy, and compliance controls to ensure they meet global standards.
We also serve some of the most security-conscious agencies, such as the Department of Homeland Security, the Department of Defense, and Veterans Affairs, as well as cities, counties, and states that treat the security of citizen and government data as their top priority. In our commitment to stay at the forefront of security, we have successfully completed Certification and Accreditation reviews by leading Federal government organizations including:
[Federal organization logos]

We implement security practices compliant with leading information security standards. Our products GovDelivery, GovService and EngagementHQ are ISO 27001 certified. In the United Kingdom, the public and third sectors can procure our products and services through the Crown Commercial Service's G-Cloud 14, an online catalogue through which central government, charities, education, health, local authorities, blue light services (police, fire, ambulance, search and rescue), devolved administrations, and British overseas territories buy cloud-based computing services such as hosting, software and cloud support.

Top-tier Data Protection & Performance

Our data centers adhere to top certification requirements and assure that your data and citizen data are safe and kept private.

  • Encryption: At-rest encryption of all data, always
  • Security Scanning: Weekly automated scanning at the application, host, and network level by a dedicated team of security experts
  • Physical Security: Facilities protected by five concentric security rings and constant monitoring of common and restricted areas
  • Archiving: High-performance cache and SSD storage for archiving of video and other large files
  • Virtualized Servers: Facilitates minimal downtime for application improvements and superior failover protection

Our Communications Suite tools, including our FedRAMP authorized Communications Cloud marketing platform, are protected at our top-tier data centers.

The First FedRAMP Compliant Digital Communications Solutions

Unlike private sector marketing technology, the govDelivery Communications Cloud is the first and only platform secure enough to be used exclusively by the government, and it has proven to double audiences within the first year. This saves agencies the time and staff otherwise needed to conduct redundant security assessments. Our highly secure environment has withstood comprehensive and rigorous review at the Joint Authorization Level, approved by CIOs from the General Services Administration, the Department of Defense and the Department of Homeland Security.

Why FedRAMP Matters

The Federal Risk and Authorization Management Program (FedRAMP) is the first government-wide security authorization program mandatory for all agencies and all cloud services. Agencies must implement FedRAMP and require it with all vendors they work with contractually.

Sign in with MAX Authentication

Granicus has an integration with MAX.gov’s MAX Authentication service, enabling organizations to use multi-factor authentication to ensure appropriate levels of security for administrators. Using SMS messages, PIV cards, or Common Access Cards, federal Granicus administrators can further secure access to the govDelivery Communications Cloud with multiple authentication factors.

Our cloud infrastructure relies on Azure and AWS to provide enterprise-grade security and privacy that customers can confidently trust.

Azure and AWS offer robust physical and operational security controls that safeguard customer data. This includes state-of-the-art data centers, continuous security monitoring, and advanced access controls.

Why do we use AWS?

  • To leverage the scalability, availability, and security of AWS for our systems;
  • To leverage a wide range of security features, including encryption, identity and access management, and monitoring tools to safeguard your data; and
  • Because AWS data centres are highly secure, with strict access controls, surveillance, and environmental safeguards.

Why do we use Azure?

  • Microsoft Azure offers a comprehensive suite of cloud services and strong compliance capabilities;
  • We rely on Azure to enhance our cloud infrastructure’s performance and resilience; and
  • Azure implements advanced security controls, including threat detection, multi-factor authentication and security centre services to protect your data.

Continuous Monitoring and Improvement

We continuously monitor the security and performance of our cloud infrastructure hosted on AWS and Azure. Our dedicated security teams work diligently to identify and mitigate potential threats and vulnerabilities.

EngagementHQ Data & Security

Data

All of the data created on the EngagementHQ platform belongs to you and your community, and as such, is governed by your policies. We retain data for the term of our contract within EngagementHQ and remove data from the platform within six months of a contract ending.

We have strict data access rules in place with detailed logging to prevent theft and misuse. Access is limited to key personnel involved in maintaining our services and support. Interaction with your data is only at your request. EngagementHQ provides role-based access controls with unique usernames and one-way password encryption to help you manage your own logins. SSL certificates and Single Sign On integration are available for further protection.

Data is stored within a MySQL database on AWS RDS, with attachments stored within AWS S3. All data stored on AWS RDS is encrypted using the AWS-provided AES-256-GCM encryption standard. Amazon RDS has multiple features that enhance reliability for critical production databases, including automated backups, DB snapshots, automatic host replacement, and Multi-AZ deployments.

Network

Our application is hosted on the large, Internet-scale, world-class infrastructure that benefits from the same engineering expertise that has built Amazon into the world’s largest online retailer. AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity. We utilize the Amazon Virtual Private Cloud (VPC) to create an isolated ecosystem for EngagementHQ.

Hosting Infrastructure

Your EngagementHQ site is hosted on Amazon Web Services (AWS) infrastructure within your jurisdiction as below:

  Country                    Hosting Location
  Australia                  AWS, Asia Pacific (Sydney)
  New Zealand                AWS, Asia Pacific (Sydney)
  Canada                     AWS, Canada (Central)
  United Kingdom             AWS, EU (London)
  United States of America   AWS, US West (Northern California)

AWS is the leading cloud services provider in the world. Their suite of products and services, security controls, scalability, reliability, astonishing number of datacenters, flexibility and continued innovation make them the absolute best choice for hosting in the cloud.

AWS cloud infrastructure meets the requirements of an extensive list of global security standards, including ISO 27001 and SOC. See the AWS Compliance page for more information.

Availability and disaster recovery

We guarantee 99.75% availability and our uptimes have historically remained above “three 9s” (99.9%). Our guarantee is backed by our SLAs. Even though we take all conceivable measures to ensure our service to you is uninterrupted, as with life, major events completely beyond our control can interrupt our service. We take nightly backups and have a well-tested recovery plan in place to minimize potential disruption from major events.

Our Disaster Recovery plan is tested annually or when there is a major change in our environment, either to our infrastructure or application. Lessons learned from these tests are incorporated back into the plan.

Accessibility

EngagementHQ is compliant with version 2.1 of the Web Content Accessibility Guidelines (WCAG 2.1) to Level AA standards. An independent third party carries out a comprehensive Accessibility audit of EngagementHQ once a quarter. Results of the latest audit are available upon request.

While the guidelines set out in WCAG 2.1 recognize that it is not possible to conform for some types of content, we have undertaken a commitment to continually work on this and leverage new technology to further improve accessibility. We do this by keeping up to date with the latest advances in accessibility techniques and acting on recommendations from the quarterly audits. We also treat any issues identified by clients or participants as a matter of urgency and remain responsive to address the issues.

Device compatibility

EngagementHQ is designed for small and large screen sizes, providing an accessible, fully functional experience for the community on mobile phones, tablets, and desktop devices. EngagementHQ supports the full range of major browsers, including:

  • Microsoft Edge
  • Chrome 40 and above
  • Firefox 35 and above
  • Safari 7 and above