This document is provided for general information purposes and does not constitute legal advice. If you require advice tailored to your organisation, please consult qualified legal counsel in Zimbabwe.
Security is central to GRCPro. Organisations across Zimbabwe trust us with sensitive governance, risk, and compliance data. This page summarises how GRCPro (Private) Limited protects that information. For privacy-specific rights and data handling, see our Privacy Policy.
1. Security Programme
We maintain an information security programme aligned with recognised industry practices and informed by Zimbabwe's Cyber and Data Protection Act [Chapter 12:07]. Controls are reviewed regularly and adapted as threats, regulations, and customer requirements evolve.
2. Encryption
- In transit: connections to GRCPro use TLS 1.2 or higher to encrypt data between your browser and our servers.
- At rest: customer data stored in our production environment is encrypted using industry-standard algorithms on supported infrastructure.
- Secrets: credentials, API keys, and integration tokens are stored using secure hashing or vault mechanisms as appropriate.
3. Access Control
GRCPro implements role-based access control (RBAC) so users only access modules and records permitted by their role. Features include:
- Granular permissions for risk, compliance, governance, audit, and administration functions.
- Team and business-unit scoping for multi-department organisations.
- Session management with automatic timeout on inactivity.
- Administrative audit trails for sensitive actions.
4. Authentication
We support secure password policies configurable by administrators, including minimum length and complexity requirements. Multi-factor authentication (MFA) and single sign-on (SSO) integrations may be available on enterprise plans. Failed login attempts are monitored to deter brute-force attacks.
5. Infrastructure and Hosting
Production systems run on hardened infrastructure with network segmentation, firewalls, and monitored access. Backups are performed on a scheduled basis and tested for recoverability. We use reputable cloud and hosting providers that maintain their own security certifications and physical controls.
6. Logging and Monitoring
We log authentication events, administrative changes, and security-relevant platform activity. Logs are protected against tampering and reviewed for anomalies. Customers can access audit trails within the application for their own compliance and investigation needs.
7. Secure Development
Application changes follow controlled release processes. We apply security considerations during design and code review, dependency monitoring, and pre-production testing. Vulnerability findings are prioritised and remediated based on severity.
8. Incident Response
We maintain an incident response procedure for suspected security events. If we determine that a breach affecting customer personal information has occurred, we will notify affected customers and relevant authorities as required by Zimbabwean law, including obligations under the Cyber and Data Protection Act, without undue delay.
9. Compliance Alignment
GRCPro is designed to support customer compliance programmes. Our own controls are mapped to frameworks commonly used by enterprises in Zimbabwe and the region, including:
- ISO/IEC 27001 information security management principles.
- NIST Cybersecurity Framework concepts for identify, protect, detect, respond, and recover.
- Requirements relevant to regulated sectors (financial services, telecommunications, and public sector) as applicable to our role as a software provider.
Formal certification status, if any, is available to enterprise customers under NDA upon request.
10. Customer Responsibilities
Security is a shared responsibility. You should:
- Use strong, unique passwords and enable MFA where available.
- Assign least-privilege roles to users and remove access when staff leave.
- Protect devices used to access GRCPro and avoid shared or public terminals for sensitive work.
- Report suspected security incidents promptly.
11. Responsible Disclosure
If you believe you have discovered a security vulnerability in GRCPro, please report it responsibly to security@grcpro.net. Include sufficient detail to reproduce the issue. We ask that you do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate. We do not pursue legal action against good-faith security research conducted in accordance with this policy.
12. Contact
- Security team: security@grcpro.net
- Privacy enquiries: privacy@grcpro.net
For urgent active incidents affecting your production tenant, contact your account manager or use the in-app support channel if available on your plan.