Security
At CoreStream GRC, safeguarding the security and privacy of your data is our top priority.

Security & trust
Our platform is designed with a security-first approach, employing advanced measures to protect your information at every level, ensuring trust, resilience, and compliance.

Data protection and security
CoreStream GRC is fully compliant with GDPR and applicable data privacy laws. We use CoreStream GRC Information Asset Management to record and manage our company’s information assets, Records of Processing Activities (ROPA), associated information flows, Data Protection Impact Assessments, risks and actions.
Frameworks & standards
At CoreStream GRC, we take a comprehensive approach to security and data protection, with rigorous processes in place to ensure the integrity and confidentiality of your information:
Audits and Certifications
- CoreStream GRC is audited annually as part of our ISO 27001 certification, which includes assessments of our records management and data protection practices.
- We hold ISO 27001, Cyber Essentials Plus certifications, and a SOC 2 Type 2 report for security and availability. These certifications are updated annually following thorough external audits, and copies can be provided upon request.
Penetration Testing and Security Validation
- CoreStream GRC engages independent external CREST/CHECK-accredited providers to conduct penetration testing at least once a year.
- Clients are also encouraged to perform their own security testing, which provides additional verification and helps identify any areas for improvement.
- A copy of the most recent penetration test report is available upon request.
Continuous Vulnerability Management
- Daily vulnerability scanning is in place to proactively identify new threats. We address any vulnerabilities as soon as they are detected, ensuring your data remains secure at all times.
User access and security
Authentication is almost always via Single Sign-On (SSO). We support both the SAML 2.0 and OIDC protocols and can integrate with any identity provider. If a client cannot use single sign-on, we offer username- and password-based access, secured with multi-factor authentication using a soft token (TOTP) from an authenticator app (such as Microsoft, Google, Authy, or any authenticator app that adheres to the TOTP standard).
Logging capabilities – The system offers detailed logging of both operational and system data:
- Operational data logging: All user interactions are fully audit-trailed in version history, which can be viewed through the front-end interface. Audit trail data can also be surfaced in reporting dashboards for trend analysis. The audit trail captures who made the change, when, and the before/after values.
- System data logging: Many system logs are available directly through the platform (for users with sufficient permissions), including error/exception logs, the login register, failed login attempts, export logs and email logs. Lower-level operating system and database logs are also retained.
- Rate limiting: This is in place as a form of DDoS protection on our DNS servers.
- Encryption: CoreStream GRC encrypts all data end-to-end, both in transit and at rest. Backups are also encrypted. We use 256-bit AES ciphers.
Additional information can be provided on security if required, including architecture diagrams, policies etc.
Our standard backup policy is to take 7 daily (full) backups, and 6 monthly. We can configure policies on a client-by-client basis if this is not sufficient.
Backups are held off-site in an encrypted format, and authorized CoreStream GRC administrators only have access to perform restore operations. Backups cannot be deleted without a formal request, requiring secondary (senior) authorization.
In addition, clients can build their own exports for ingestion into other systems as required.
- CoreStream GRC Earns SOC 2® Type 2 for Security and Availability: Setting the Standard for Data Protection
  At CoreStream GRC, we place the protection of our clients’ data at the very top of our priorities. That’s why we’re proud to announce that in January 2025, we’ve achieved SOC 2 Type 2 for Security and Availability. This milestone reflects 9 months of dedicated effort by our team to meet—and exceed—rigorous industry standards. What…
- Understanding GDPR: Key Principles and Practical Steps for Compliance
  It’s been 8 months since the EU General Data Protection Regulation (GDPR) came into force, and organisations are becoming increasingly aware that GDPR is not a one-time project.
- How CoreStream GRC achieved ISO 27001 certification in just 6 weeks (Case study by The British Assessment Bureau)
  The fast track to ISO 27001: How CoreStream achieved certification in just 6 weeks (Case study by The British Assessment Bureau). CoreStream GRC recently achieved ISO 27001 certification with BAB. Very much a natural step for the company, CoreStream GRC themselves provide software products based around Governance, Risk and Compliance (GRC) including IT Risk Management,…
