Trust & Security
What we hold, what we build, and what is roadmap
Procurement reviewers ask direct questions; this page gives direct answers. We hold no certifications yet and we say so. What exists instead is architecture: controls enforced by the software, an audit trail that proves them, and a written roadmap for every attestation a university review will ask about.
Measured availability, not an SLA
We do not offer an uptime-percentage SLA today, and we will not quote one we cannot attest. Instead, a synthetic check exercises the real production write path every 15 minutes and we publish exactly what it measures. The number below is a measurement shared for transparency, not a contractual guarantee. During pilots, support commitments are staffed commitments written into the agreement: critical issues acknowledged within four business hours.
Live measurement available at our status page.
Certifications: the honest table
| If you ask for | Straight answer | What exists instead, today |
|---|---|---|
| SOC 2 | Not held yet; on the roadmap, engagement planned at pilot conversion. | The control substance without the attestation: database-level tenant isolation, a tamper-evident audit trail, encrypted secret storage, and a written security response pack available on request. |
| HIPAA / BAA | No HIPAA program; we do not sign BAAs. | Cavi for Disability Services handles education records under FERPA framing, not covered-entity clinical workflows. Your counsel confirms categorization; our architecture facts are documented for that review. |
| VPAT / accessibility conformance | No third-party certification yet; a vendor VPAT 2.5 draft self-assessment is available on request. | Accessibility is an enforced engineering practice: a WCAG-oriented review checklist gates UI changes and automated accessibility checks run in our CI pipeline. A third-party conformance report is a pilot-conversion roadmap item. |
| Penetration test | None on file yet; planned at pilot conversion. | We disclose our remediation history rather than hiding it: previously found-and-fixed issues are documented as evidence the controls are audited, not assumed. |
| FedRAMP / StateRAMP | Not held and not planned. | We say so plainly rather than implying otherwise. |
A questionnaire-grade security and governance response pack, a compliance roadmap one-pager, the VPAT draft, and our incident response playbook are available to reviewers on request via hello@graymarstrategies.com.
The architecture that stands in for the logos
- Tenant isolation at the database layer. Every tenant-scoped table enforces row-level security, and privileged access paths append to a tenant-visible access ledger.
- Tamper-evident audit. Disability services case events are hash-chained and append-only for every role; a verification routine re-walks the chain to detect tampering, and any case history reconstructs on demand.
- FERPA-safe by construction. Outbound payloads pass a deny-by-default allow-list per recipient; the faculty letter schema has no diagnostic fields, so a letter cannot carry a diagnosis.
- Humans decide. AI drafts and routes; client-facing sends wait for human approval, and a closed prohibited-automation register bars the system from eligibility scoring, credibility judgments, or deciding a case.
- Data lifecycle you can verify. Deletion produces hashed receipts; retention classes are applied and pruned automatically; subprocessors are inventoried in writing.
