Data and Information Security

Find out how Granicus protects and secures your data.

Nathan Connors avatar
Written by Nathan Connors
Updated over a week ago


We take the protection of your information and the information of your community seriously. We are committed to complying with relevant standards in all of the jurisdictions in which we do business and have implemented industry best practices and policies to support this commitment.

Granicus supports hundreds of customers across Australia, Canada, UK, USA and New Zealand. Our clients trust us with large amounts of sensitive information, stemming from a range of industries including government and healthcare. 

What follows is an outline of the steps we have taken to secure our clients' data and help members of your community have confidence in our EngagementHQ platform.


ISO 27001 Compliance

We have successfully passed external audits for ISO 27001, a global standard for information security management. All compliance aspects have been tested, and reviewed and we received formal recognition in March 2018.

We comply with the European Union’s General Data Protection Regulation (GDPR). 

The GDPR protects the fundamental right to privacy and the protection of personal data for people living in the European Union. It enforces robust requirements that have raised the standards for data protection, security, and compliance.


Our applications are continually monitored and tested for security weaknesses by our Engineering team. We perform regular and ongoing internal application security assessments to discover and mitigate potential weaknesses based on OWASP rating and methodology. We use automated tools as well as manual testing processes to ensure we are as secure as possible at all times. 

Application Security and Database

The operating systems and databases running our servers are continually monitored and patched with the latest security fixes. The web framework is continually monitored and patched by our internal development teams. Results of the latest VAPT are available upon request.

Data Disclosure

We have strict data access rules in place with detailed logging to prevent theft and misuse. 

Access is limited to key personnel involved in maintaining our services and support. Interaction with client data is only at the request of the client. EngagementHQ provides role-based access controls with unique usernames and one-way password encryption to help clients manage their own logins. 

SSL certificates and Single Sign-On integration are available for further protection. Data is stored within a mySQL database on AWS RDS with attachments stored within AWS S3. Amazon RDS has multiple features that enhance reliability for critical production databases, including automated backups, DB snapshots, automatic host replacement, and Multi-AZ deployments.

Data in transit is secured via SSL/TLS connections. Basic SSL Certificates are provided as part of our solution. Extended Validation SSL certificates are provided at an optional extra. We have TLS enabled for all our HTTPS connections. EHQ supports only TLS 1.2 and above.

Network  Security

Our application is secured through world-class security infrastructure provided by Amazon Web Services (AWS). AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.

The AWS network uses proprietary mitigation techniques providing significant protection against traditional security issues such as Distributed Denial Of Service (DDoS) Attacks, Man in the Middle (MITM) Attacks, IP Spoofing, Port Scanning, etc. Additionally, our inbound firewalls are configured to permit only the absolute minimum connectivity required to provide service to our clients. Any changes to these access rules require authorization.


Hosting Infrastructure

All EngagementHQ sites are hosted on Amazon Web Services (AWS) infrastructure. AWS is the leading cloud services provider in the world. Their suite of products and services, security controls, scalability, reliability, astonishing number of data centres, flexibility and continued innovation make them the absolute best choice for hosting in the cloud.

AWS Cloud infrastructure meets the requirements of an extensive list of global security standards, including ISO 27001 and SOC. See the AWS Compliance page for more information.

Our key hosting jurisdictions are listed below;

Australia - AWS, Asia Pacific (Sydney)

Canada - AWS, Canada (Central)

United Kingdom - AWS, EU (London)

United States of America - AWS, US West (Northern California)

Availability and Disaster Recovery

We guarantee 99.75% availability and our up-times have historically remained above “three 9s” (99.9%). Our guarantee is backed by our Service Level Agreements (SLAs). Even though we take all conceivable measures to ensure our service to you is uninterrupted, as with life, major events completely beyond our control can interrupt our service. We take nightly backups and have a well-tested recovery plan in place to minimize potential disruption from major events. Our Disaster Recovery Plan is tested annually or when there is a major change in our environment, either to our infrastructure or application. 

Service and Issues Response

Our Client Experience Team acts as your first point of contact for service issues and software bugs and fixes will provided by our development team. When faults are notified the following minimum service standards are in place:

  • For issues critical to the core functions of the site (i.e. website is unavailable), a response will be immediate and a fix will be implemented within four hours.

  • For minor critical issues to the core functions of the site (i.e. part of the website is unavailable or not operating efficiently for more than four hours), a response will be within two hours and a fix will be implemented within one business day.

  • For non-critical issues to the core functions of the site (i.e. part of the website is unavailable or not operating efficiently with only a material impact on the promotion of your engagement projects), a response time is not mandated but a fix will be implemented within two business days.

  • For minor non-critical issues to the core functions of the site (i.e. a problem which has little or no impact to the efficiency of users), a response time is not mandated but a fix will be implemented as soon as practical but no later than 10 business days.


EngagementHQ is compliant with version 2.0 of the Web Content Accessibility Guidelines (WCAG 2.1) to Level AA standards. Results of the latest audit are available upon request from our support desk.

While the guidelines set out in WCAG 2.1 recognize that it is not possible to confirm for some types of content, we have undertaken a commitment to continually work on this and leverage new technology to further improve accessibility.

We keep up to date with the latest advances in accessibility techniques and acting on recommendations from the quarterly audits. We also treat any issues identified by clients or participants as a matter of urgency and remain responsive to address the issues.

Device and Browser Compatibility

EngagementHQ is designed for all screen sizes providing an accessible and full functionality experience for the community. 

EngagementHQ supports the current and last prior versions of the following browsers (desktop and mobile):

  • Microsoft Edge

  • Chrome

  • Firefox

  • Safari

Contact our support team if you need any further assistance via chat or email

Did this answer your question?