SECURITY

Security Policy

LAST UPDATED: 30 MAY 2026

1. Security Philosophy

Security is not a feature of Grosint products — it is the architectural foundation. Every product in the Grosint suite is designed to operate within a zero-trust, sovereign deployment model where intelligence data never leaves the client's infrastructure boundary.

We do not offer cloud-hosted or SaaS versions of our intelligence products. There is no "Grosint Cloud." Every deployment is on-premise, under the client's physical and administrative control.

2. Deployment Model

ON-PREMISE

All products deploy as Docker containers on client-owned hardware. No external cloud infrastructure required.

AIR-GAP CAPABLE

Products function fully without internet connectivity. All models, databases, and dependencies are pre-loaded for offline operation.

ZERO PHONE-HOME

No telemetry, no usage reporting, no licence check callbacks. Once deployed, the system operates independently.

3. Data Sovereignty

  • Intelligence data is processed and stored exclusively within the client's infrastructure
  • No data is transmitted to Grosint servers, third-party services, or foreign infrastructure
  • All AI/ML inference runs on locally-hosted models with no external API dependencies
  • Database engines, message brokers, and object storage are all self-hosted open-source components
  • No foreign SaaS dependencies in the data pipeline

4. Access Control

All platform products implement role-based access control (RBAC) with the following principles:

  • Principle of least privilege — users are granted only the minimum access required for their operational role
  • Per-query authorization — every lookup and query is individually authorized and logged
  • No standing elevated permissions — elevation above the baseline role is granted for a stated purpose, is time-bounded, and expires automatically
  • Classification-aware — data access respects security classification levels
  • Complete audit trail — every action is logged with user identity, timestamp, and operation details
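The access model above, as an added example (not Grosint's code): one authorization function that applies the classification ceiling, the baseline role permission, a time-bounded grant, and writes an audit record for every decision. The role names, permission names, classification ladder and sample user are assumptions made for illustration.

```python
# Added example: not Grosint's code. A minimal authorization check that applies
# the policy points above. Role names, permission names, the classification
# ladder and the sample user are all assumptions made for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed classification ordering, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "RESTRICTED": 1, "CONFIDENTIAL": 2, "SECRET": 3}

# Baseline role permissions (least privilege): analysts may query but not export.
ROLE_PERMS = {
    "analyst": {"query"},
    "supervisor": {"query", "export"},
}


@dataclass
class Grant:
    """A time-bounded, purpose-specific elevation; nothing here is standing."""
    permission: str
    purpose: str
    expires_at: datetime


@dataclass
class User:
    name: str
    role: str
    clearance: str
    grants: list = field(default_factory=list)


# Every decision, allowed or denied, is appended here. In a deployment this
# would be an append-only store rather than a process-local list.
AUDIT_LOG = []


def authorize(user, action, classification, now=None):
    """Authorize one query/action and record it. Returns (allowed, reason).

    Order of checks: classification ceiling first, then the baseline role
    permission, then any live time-bounded grant.
    """
    now = now or datetime.now(timezone.utc)
    allowed, reason = False, ""
    if classification not in LEVELS or user.clearance not in LEVELS:
        reason = "unknown classification level"
    elif LEVELS[classification] > LEVELS[user.clearance]:
        reason = f"clearance {user.clearance} is below {classification}"
    elif action in ROLE_PERMS.get(user.role, set()):
        allowed, reason = True, f"baseline permission of role {user.role}"
    else:
        live = [g for g in user.grants
                if g.permission == action and g.expires_at > now]
        if live:
            allowed = True
            reason = f"grant '{live[0].purpose}' valid until {live[0].expires_at.isoformat()}"
        else:
            reason = f"no '{action}' permission for role {user.role} and no live grant"
    AUDIT_LOG.append({
        "ts": now.isoformat(), "user": user.name, "action": action,
        "classification": classification, "allowed": allowed, "reason": reason,
    })
    return allowed, reason


# Constructed sample: an analyst holding a two-hour export grant for one case.
NOW = datetime(2026, 5, 30, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=3)   # after the grant has expired
ANALYST = User("asha", "analyst", "CONFIDENTIAL", grants=[
    Grant("export", "case 17 court filing", NOW + timedelta(hours=2)),
])

if __name__ == "__main__":
    for action, level, when in [("query", "CONFIDENTIAL", NOW),
                                ("query", "SECRET", NOW),
                                ("export", "RESTRICTED", NOW),
                                ("export", "RESTRICTED", LATER)]:
        print(action, level, authorize(ANALYST, action, level, when))
    print(len(AUDIT_LOG), "audit records written")
```

The denied decisions are logged with the same detail as the allowed ones; an audit trail that only records successes cannot show who tried to exceed their clearance.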

5. Cryptographic Integrity

  • SHA-256 digests and signing — every stored record and evidence bundle carries a SHA-256 digest, and bundles are cryptographically signed over that digest (SHA-256 on its own is a hash, not a signature; it proves integrity only when the digest is itself protected by the signature or by the write-once store below)
  • Write-once storage — raw intelligence payloads are stored in immutable object storage
  • Evidence chain integrity — evidence bundles maintain an unbroken chain of custody from raw data to final alert, designed to meet the requirements for electronic records under Section 65B of the Indian Evidence Act (carried forward as Section 63 of the Bharatiya Sakshya Adhiniyam, 2023, which replaced the Evidence Act on 1 July 2024)
  • Tamper detection — any modification to a stored record is detectable by recomputing its hash and comparing it with the reference digest; the comparison is only meaningful against a reference the attacker cannot also rewrite, which is why the digests are signed or held in the write-once store
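The chain-of-custody and tamper-detection points above, as an added example (not Grosint's code): a SHA-256 hash chain over the custody stages of one bundle, with an HMAC-SHA256 tag standing in for the signature the policy refers to. It shows the caveat in practice: an insider who can rewrite a stage and recompute every later digest passes a hash-only check and is caught only by the keyed tag. The key, field names and stage layout are assumptions.

```python
# Added example: not Grosint's code. A SHA-256 hash chain over the custody
# stages of one evidence bundle, with an HMAC-SHA256 tag standing in for the
# signature the policy refers to. The key, field names and stage layout are
# assumptions made for illustration.
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64


def canonical(obj):
    # Deterministic serialisation so identical records always hash identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_chain(stages, key):
    """stages: dicts in custody order (raw -> enriched -> alert).

    Each entry carries the SHA-256 of the previous entry, so changing any stage
    invalidates every digest after it. The keyed tag over the final digest
    binds the whole chain to whoever holds `key`.
    """
    chain, prev = [], GENESIS
    for stage in stages:
        digest = hashlib.sha256(canonical({"prev": prev, "body": stage})).hexdigest()
        chain.append({"prev": prev, "body": stage, "sha256": digest})
        prev = digest
    tag = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return chain, tag


def verify_hashes(chain):
    """Hash-only check. Catches corruption and naive edits, but not an insider
    with write access who edits a body and recomputes every later digest."""
    prev = GENESIS
    for entry in chain:
        expected = hashlib.sha256(canonical({"prev": prev, "body": entry["body"]})).hexdigest()
        if entry["prev"] != prev or entry["sha256"] != expected:
            return False
        prev = entry["sha256"]
    return True


def verify_chain(chain, tag, key):
    """Hash check plus keyed tag: a rehashed chain fails here."""
    if not chain or not verify_hashes(chain):
        return False
    expected = hmac.new(key, chain[-1]["sha256"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def edit_body(chain, index, new_body):
    """Naive tamper: change one stage and leave the digests alone."""
    tampered = copy.deepcopy(chain)
    tampered[index]["body"] = new_body
    return tampered


def rehash_after_edit(chain, index, new_body):
    """Insider tamper: change one stage and rebuild all digests (needs no key)."""
    bodies = [copy.deepcopy(e["body"]) for e in chain]
    bodies[index] = new_body
    return build_chain(bodies, b"")[0]


# Constructed sample bundle and key.
KEY = b"assumed-demo-key-not-for-production"
STAGES = [
    {"stage": "raw", "source": "constructed feed", "payload": "post #1"},
    {"stage": "enriched", "entities": ["handle:example_user"]},
    {"stage": "alert", "severity": "high", "rule": "watchlist-match"},
]
CHAIN, TAG = build_chain(STAGES, KEY)

if __name__ == "__main__":
    edited = {"stage": "enriched", "entities": []}
    print("intact:", verify_chain(CHAIN, TAG, KEY))
    print("naive edit, hash check:", verify_hashes(edit_body(CHAIN, 1, edited)))
    rehashed = rehash_after_edit(CHAIN, 1, edited)
    print("rehashed, hash check:", verify_hashes(rehashed))
    print("rehashed, keyed check:", verify_chain(rehashed, TAG, KEY))
```

HMAC is used here only because it is in the standard library; a verifier needs the same key, so anyone who can check the tag can also forge one. For custody evidence that a court or an opposing party must be able to verify, the tag over the head digest should be an asymmetric signature (for example Ed25519) made with a key the storage tier never holds.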

6. Network Security

In standard on-premise deployments:

  • All inter-service communication occurs within the deployment boundary
  • No inbound ports need to be exposed to external networks
  • Outbound connections (for OSINT collection) are configurable and can be restricted or routed through agency-approved proxies
  • Air-gapped deployments have zero network connectivity — all data is pre-loaded
  • TLS encryption for all internal API communication

7. Open-Source Infrastructure

All infrastructure components are open-source and auditable. There are no proprietary black-box dependencies in the data pipeline. This means:

  • No vendor lock-in — every component can be replaced or audited independently
  • Source code for infrastructure components is publicly available for security review
  • No licence key servers or external activation dependencies
  • Every component can be inspected in full during government security audits and accreditation processes, since there is no closed-source code to exclude from review

8. Vulnerability Disclosure

If you discover a security vulnerability in any Grosint product or this website, please report it responsibly:

Security Contact

Email: contact@grosint.in
Subject line: SECURITY — [Brief Description]

We will acknowledge receipt within 48 hours and provide an initial assessment within 7 business days. We request that you do not publicly disclose the vulnerability until we have had an opportunity to address it.

9. Compliance Framework

Our security architecture is designed to align with:

  • Information Technology Act, 2000 and associated rules
  • Digital Personal Data Protection Act, 2023 (DPDP Act)
  • CERT-In guidelines for responsible vulnerability disclosure
  • Indian Evidence Act, 1872 — Section 65B (electronic evidence), carried forward as Section 63 of the Bharatiya Sakshya Adhiniyam, 2023
  • Defence procurement security requirements as applicable
  • MeitY guidelines on government cloud and data security

10. Website Security

This website (grosint.in) implements the following security measures:

  • HTTPS with HSTS (HTTP Strict Transport Security)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy restricting camera, microphone, and geolocation access
  • Subresource Integrity (SRI) hashes on critical external scripts
  • No server-side code execution — static site deployment only
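The header and SRI measures above, as an added example (not the grosint.in deployment's own code): an audit function that checks a response header set against each listed policy, an SRI value computed the way the browser recomputes it, and a scan for external scripts that lack an integrity attribute. The sample headers, HTML and script bytes are constructed, and the one-year HSTS minimum is an assumed threshold.

```python
# Added example: not the grosint.in deployment's code. Audits a response header
# set against the policy above and computes/checks SRI values. The sample
# headers, HTML and script bytes are constructed for illustration.
import base64
import hashlib
import re


def _hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 31536000  # assumed minimum: one year


def _permissions_ok(value):
    # camera, microphone and geolocation each need an empty allowlist "()".
    return all(re.search(rf"\b{feature}=\(\)", value)
               for feature in ("camera", "microphone", "geolocation"))


CHECKS = {
    "strict-transport-security": _hsts_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() == "DENY",
    "referrer-policy": lambda v: v.strip().lower() == "strict-origin-when-cross-origin",
    "permissions-policy": _permissions_ok,
}


def audit_headers(headers):
    """Return findings for a header set (an empty list means the policy is met)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in CHECKS.items():
        if name not in lower:
            findings.append(f"missing {name}")
        elif not ok(lower[name]):
            findings.append(f"weak {name}: {lower[name]!r}")
    return findings


def sri_value(content, algo="sha384"):
    """Integrity attribute value for a script body, as the browser recomputes it."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"


def sri_matches(content, integrity):
    """True if any space-separated integrity token matches the content."""
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_value(content, algo) == token:
            return True
    return False


SCRIPT_TAG = re.compile(r"<script\b[^>]*\bsrc=[\"'](https?://[^\"']+)[\"'][^>]*>", re.I)


def external_scripts_without_sri(html):
    """URLs of absolute-URL <script> tags that carry no integrity attribute."""
    return [m.group(1) for m in SCRIPT_TAG.finditer(html)
            if not re.search(r"\bintegrity=", m.group(0), re.I)]


# Constructed samples.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
SCRIPT_BODY = b"console.log('constructed sample');\n"
SAMPLE_HTML = (
    '<script src="https://cdn.example/lib.js" integrity="'
    + sri_value(SCRIPT_BODY) + '" crossorigin="anonymous"></script>\n'
    '<script src="https://cdn.example/other.js"></script>\n'
    '<script src="/local.js"></script>'
)

if __name__ == "__main__":
    print("good:", audit_headers(GOOD_HEADERS))
    print("weak:", audit_headers(WEAK_HEADERS))
    print("no SRI:", external_scripts_without_sri(SAMPLE_HTML))
    print("matches:", sri_matches(SCRIPT_BODY, sri_value(SCRIPT_BODY)))
```

The scan treats any absolute-URL script as external, so a same-origin script referenced by absolute URL is also flagged; that errs on the side of review. A `crossorigin` attribute must accompany `integrity` on cross-origin scripts, or the browser cannot read the response to verify it.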