Security

Governance

Growth Protocol’s Security team is responsible for establishing security policies and controls, monitoring adherence to those controls, and demonstrating our security and compliance posture to external third-party auditors.

Least Privilege Access

Access to systems and data is strictly limited to personnel with a legitimate business need. Permissions are granted based on the principle of least privilege.

Defense-in-Depth

We implement layered and comprehensive security controls to reduce risk and increase resilience against potential threats.

Consistency

Security controls are applied uniformly across all systems, environments, and operational areas of the organization.

Continuous Maturation

We iteratively refine our security controls to enhance effectiveness, improve auditability, and reduce operational friction over time.

Data Protection

Growth Protocol applies strong technical and organizational safeguards to protect customer data throughout its lifecycle.

Data at rest

All data stores containing customer data or other data deemed sensitive are encrypted at rest. Sensitive data is additionally protected using field-level encryption where appropriate.

Access to data stores follows a zero-trust policy and is strictly limited to users with a verified business need.

Data in transit

Growth Protocol uses TLS 1.2 or higher for all data transmitted over potentially insecure networks.

Server TLS keys and certificates are managed by AWS and deployed through Application Load Balancers.

Secret Management

Application secrets are encrypted and stored securely using GCP Secrets Manager and Vault. Access to secrets is strictly limited and continuously monitored

Encryption and access keys are regularly rotated to reduce risk and prevent unauthorized or malicious access.

Product Security

Penetration Testing

Growth Protocol engages, at least annually, with leading third-party penetration testing firms.

All areas of the Growth Protocol product and cloud infrastructure are in scope for these assessments.

Testers are provided with full access required to maximize coverage and effectiveness.

Vulnerability Scanning

Growth Protocol performs vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC), including:

Static application security testing (SAST) during pull requests and on an ongoing basis

Malicious dependency scanning to prevent the introduction of malware into the software supply chain

Network vulnerability scanning on a regular basis

Enterprise Security

Endpoint Protection

All corporate devices are centrally managed and equipped with device management software and anti-malware protection. Endpoint security alerts are monitored 24/7/365.

Secure Remote Access

Remote access to internal resources is secured using a modern VPN platform. Malware-blocking DNS services are used to protect employees and their devices while browsing the internet.

Security Education & Awareness

All employees receive comprehensive security training upon onboarding and annually through educational modules within Growth Protocol’s platform.

New employees attend mandatory onboarding sessions covering key security principles, and engineers receive additional training focused on secure coding practices.