How Gravity protects customer data and platform integrity. The technical and organizational measures we apply, the audits we plan, and how to escalate concerns.
Gravity is built by XAI Technologies Pvt Ltd in Bangalore, India. This page describes the security controls that apply to the Gravity platform, the production environment, and customer data. It supports our Data Processing Addendum and our Privacy Policy.
1.1. Gravity executes AI agents that take real actions on real services. Security is not an add-on; it is the precondition for the product. Our security program is designed around three commitments:
2.1. The security program is owned by the security and engineering leadership team until a dedicated CISO is appointed, with formal hand-off documented as the team grows. Day-to-day responsibilities include risk assessment, vendor review, incident response, and policy upkeep.
2.2. We maintain an internal information security policy aligned with ISO/IEC 27001 Annex A control objectives, supplemented by the AICPA Trust Services Criteria (Security, Availability, Confidentiality).
2.3. All personnel with production access complete security awareness training before access is granted and at least annually thereafter.
| Control | Description |
|---|---|
| Encryption in transit | TLS 1.2 minimum for all client and server-to-server traffic; HSTS preload pending. Modern cipher suites only; SSLv3, TLS 1.0, and TLS 1.1 are disabled. |
| Encryption at rest | AES-256 (or stronger) for all production databases and object storage. Backups are encrypted with separate keys. |
| Key management | Cloud-provider managed KMS with envelope encryption. Production keys are scoped per service; the key rotation policy is in line with provider best practices. |
| Data minimization | Agent inputs and outputs are retained only for the duration documented in the Privacy Policy § 5. Production logs that contain personal data are redacted at ingestion where feasible. |
| Backups | Daily encrypted backups of production databases. Recovery procedures are tested at least quarterly. |
| Secrets | Production secrets live in a managed secrets vault. Source repositories are scanned for accidental commits; pre-commit hooks block obvious leaks. |
5.1. The marketing site (gravity.fast) runs on Cloudflare Workers and Pages with Cloudflare's WAF, DDoS protection, and Bot Management enabled.
5.2. Product workloads will run on AWS (ap-south-1, Mumbai, primary; us-east-1 secondary) and Supabase (Mumbai). Refer to /sub-processors for the current list.
5.3. Networking: VPCs are segmented per environment (dev / staging / production); security groups apply least-privilege ingress; outbound traffic is restricted to allow-listed destinations where feasible.
5.4. Patching: managed services receive vendor-supplied patches automatically. Self-managed components are patched on a published cadence with critical CVEs addressed within seven days.
7.1. Each Agent execution runs with a per-execution context that includes (a) the User's prompt and uploaded content, (b) the OAuth scopes the User has granted to connected services, and (c) the Agent's authored prompts.
7.2. Agents do not run inside the same security context as the platform control plane. Builder-authored prompts cannot escalate beyond the scopes the User granted.
7.3. Inputs and outputs are filtered against safety policies described in the Acceptable Use Policy. Egregious matches are blocked at runtime.
7.4. Prompt-injection mitigations include input sanitization, scope-checking before any external action, and user confirmation prompts for high-impact actions (e.g., sending email, posting public content, transferring funds).
7.5. Builders cannot access raw User Content; performance and quality signals are aggregated and anonymized.
8.1. Every sub-processor is reviewed against a security baseline before activation. The current sub-processor list is published at /sub-processors.
8.2. Where available, we prefer providers with SOC 2 Type II, ISO 27001, or equivalent third-party assurance. Provider-specific reports are reviewed and on file with the security owner.
8.3. AI model providers are configured to use endpoints that exclude customer data from training, where the provider offers that option.
9.1. Production telemetry feeds a central log store. Alerting covers authentication anomalies, unusual data egress, error spikes, and known abuse signatures.
9.2. An incident response plan defines roles, severity levels, communication channels, and time-bound milestones (detection, containment, eradication, recovery, lessons learned).
9.3. If a Personal Data Breach affects Customer Personal Data, Gravity notifies affected Customers without undue delay and within seventy-two (72) hours of becoming aware, per the DPA § 10.
9.4. Major outages are reported on the public status page (status.gravity.fast, available at general availability) and via email to affected accounts.
| Framework | Status |
|---|---|
| EU GDPR / UK GDPR | Operating in accordance with GDPR principles. DPA available; SCCs adopted for cross-border transfers. |
| India DPDPA, 2023 | Operating in accordance with DPDPA principles. Grievance Officer designated. |
| CCPA / CPRA (California) | Operating as a Service Provider; GPC honored. |
| SOC 2 Type II | On the roadmap. Targeted within 12 months of public launch. |
| ISO/IEC 27001 | Aligned with control objectives; certification on the roadmap (year 2–3). |
| PCI DSS | Out of scope — Gravity does not store cardholder data. Razorpay and Stripe handle PCI obligations as merchants of record / processors. |
| HIPAA | Gravity is not a HIPAA-eligible service today. Do not submit Protected Health Information. |
| EU AI Act | Tracking obligations for general-purpose AI integration and high-risk-use restrictions, reflected in the Acceptable Use Policy § 5. |
If you have discovered a vulnerability in the Platform or in any Gravity-controlled property, please report it through our Responsible Disclosure program. We commit to acknowledging valid reports within 72 hours and to working in good faith with researchers who follow the disclosure process.
XAI Technologies Pvt Ltd (operating as Gravity AI) — Security Team
Security: security@gravity.fast
Privacy / DPO: dpo@gravity.fast
Registered office: BSR Meghana Residency, 17th B Main Rd, KHB Colony, 6th Block, Koramangala, Bengaluru, Karnataka 560095, India.