GrayMar Strategies

Trust & Security

What we hold, what we build, and what is roadmap

Procurement reviewers ask direct questions; this page gives direct answers. We hold no certifications yet and we say so. What exists instead is architecture: controls enforced by the software, an audit trail that proves them, and a written roadmap for every attestation a university review will ask about.

Measured availability, not an SLA

We do not offer an uptime-percentage SLA today, and we will not quote one we cannot attest. Instead, a synthetic check exercises the real production write path every 15 minutes and we publish exactly what it measures. The number below is a measurement shared for transparency, not a contractual guarantee. During pilots, support commitments are staffed commitments written into the agreement: critical issues acknowledged within four business hours.

Live measurement available at our status page.

Certifications: the honest table

If you ask forStraight answerWhat exists instead, today
SOC 2Not held yet; on the roadmap, engagement planned at pilot conversion.The control substance without the attestation: database-level tenant isolation, a tamper-evident audit trail, encrypted secret storage, and a written security response pack available on request.
HIPAA / BAANo HIPAA program; we do not sign BAAs.Cavi for Disability Services handles education records under FERPA framing, not covered-entity clinical workflows. Your counsel confirms categorization; our architecture facts are documented for that review.
VPAT / accessibility conformanceNo third-party certification yet; a vendor VPAT 2.5 draft self-assessment is available on request.Accessibility is an enforced engineering practice: a WCAG-oriented review checklist gates UI changes and automated accessibility checks run in our CI pipeline. A third-party conformance report is a pilot-conversion roadmap item.
Penetration testNone on file yet; planned at pilot conversion.We disclose our remediation history rather than hiding it: previously found-and-fixed issues are documented as evidence the controls are audited, not assumed.
FedRAMP / StateRAMPNot held and not planned.We say so plainly rather than implying otherwise.

A questionnaire-grade security and governance response pack, a compliance roadmap one-pager, the VPAT draft, and our incident response playbook are available to reviewers on request via hello@graymarstrategies.com.

The architecture that stands in for the logos

  • Tenant isolation at the database layer. Every tenant-scoped table enforces row-level security, and privileged access paths append to a tenant-visible access ledger.
  • Tamper-evident audit. Disability services case events are hash-chained and append-only for every role; a verification routine re-walks the chain to detect tampering, and any case history reconstructs on demand.
  • FERPA-safe by construction. Outbound payloads pass a deny-by-default allow-list per recipient; the faculty letter schema has no diagnostic fields, so a letter cannot carry a diagnosis.
  • Humans decide. AI drafts and routes; client-facing sends wait for human approval, and a closed prohibited-automation register bars the system from eligibility scoring, credibility judgments, or deciding a case.
  • Data lifecycle you can verify. Deletion produces hashed receipts; retention classes are applied and pruned automatically; subprocessors are inventoried in writing.