Security & Compliance
Document 01 of 04 · Technical Design · Confidential
Security Architecture
The Grid. Platform — Complete Technical Security Design
Version: 1.0
Date: June 2026
Author: The Grid. Security Team
Classification: Confidential — Internal & Auditors Only
○ Draft — Pending Engineering Review
1.0 Executive Summary

The Grid. is a global creative platform connecting 840,000+ creators across 12 disciplines in 190 countries. The platform handles real financial transactions, sensitive personal identity data for PRO registrations across 180+ territories, multi-track audio recording sessions, OAuth connections to nine major social platforms, and a physical goods marketplace with global shipping. This document defines the complete security architecture required to protect creators, their work, and their earnings.

Security is treated as a foundational infrastructure requirement, not a feature. Every architectural decision prioritises the three core security principles: confidentiality of creator data and earnings, integrity of financial transactions and published work, and availability of the platform for creators who depend on it for their livelihood.

2.0 Threat Model

The following threat actors and attack vectors have been identified as the primary risks to The Grid. platform:

| Threat | Attack vector | Likelihood | Impact | Priority | Primary Mitigation |
|---|---|---|---|---|---|
| Creator Account Takeover | Credential stuffing, SIM-swap, phishing | High | Critical | P0 | Hardware / app-based 2FA mandatory for accounts with earnings. Anomaly detection on login patterns. |
| Wallet & Payout Fraud | Fake bank substitution, social engineering of support | High | Critical | P0 | 48hr freeze on payout destination changes. Re-verification required. Support team cannot change bank details without secondary approval. |
| OAuth Token Compromise | Cascading access to 9 social platforms | High | Critical | P0 | Minimal scope OAuth grants. Per-platform token revocation. Encrypted token storage. Automatic rotation every 30 days. |
| PRO Data Breach | IPI numbers, bank details, personal identity data | Medium | Critical | P1 | AES-256 encryption at rest. Never exposed via API. GDPR-compliant data minimisation. Separate encrypted datastore. |
| Recording Session Hijacking | Uninvited participants, audio injection | Medium | High | P1 | E2E encrypted sessions. Invite-only rooms with expiring tokens. Host-only admit controls. No guest join without explicit confirmation. |
| Content Scraping at Scale | IP theft from Creative Market, music, podcasts | High | Medium | P1 | Forensic watermarking on all downloads. Rate limiting on API. Bot detection (Cloudflare). DMCA response pipeline. |
| DAW Bridge Compromise | Local app with elevated OS permissions | Medium | High | P1 | Code-signed binaries. Sandboxed execution. Independent security audit of bridge codebase. Automatic update enforcement. |
| DDoS / Availability Attack | Platform disruption during key cultural moments | Medium | High | P2 | Cloudflare DDoS mitigation. Multi-region deployment. Auto-scaling infrastructure. 99.9% SLA target. |
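The P0 mitigation for wallet and payout fraud in the table (48-hour freeze on destination changes, re-verification, no support override without secondary approval) is really a small state machine, and the failure modes worth testing are the ones an attacker who has phished a creator or talked their way past support would probe. The Go below is an added illustration written for this page, not code from The Grid.; the `PayoutAccount` type, the channel names "email" and "mobile", the rule that two distinct senior staff approvals may shorten the hold but never replace the creator's own confirmations, and the account identifiers are all assumptions.

```go
package main

import (
	"errors"
	"time"
)

// PayoutHold is the cooling period before a new payout destination goes live.
const PayoutHold = 48 * time.Hour

// destinationChange is one pending request to redirect payouts.
type destinationChange struct {
	newDestination  string
	requestedAt     time.Time
	emailConfirmed  bool            // link sent to the ORIGINAL registered email address
	mobileConfirmed bool            // code sent to the registered mobile number
	approvers       map[string]bool // distinct senior staff who approved an override
}

// PayoutAccount holds the live destination and at most one pending change.
// (Hypothetical type for this example.)
type PayoutAccount struct {
	CreatorID string
	Active    string // destination payouts currently go to
	pending   *destinationChange
}

var ErrNoPending = errors.New("no pending destination change")

// RequestChange records the request; nothing moves yet. Sending the two verification
// messages and the creator alert is left to the caller.
func (a *PayoutAccount) RequestChange(newDestination string, now time.Time) {
	a.pending = &destinationChange{newDestination: newDestination, requestedAt: now, approvers: map[string]bool{}}
}

// Confirm records the creator's own confirmation on one channel: "email" or "mobile".
func (a *PayoutAccount) Confirm(channel string) error {
	if a.pending == nil {
		return ErrNoPending
	}
	switch channel {
	case "email":
		a.pending.emailConfirmed = true
	case "mobile":
		a.pending.mobileConfirmed = true
	default:
		return errors.New("unknown confirmation channel")
	}
	return nil
}

// ApproveOverride lets one senior staff member vouch for shortening the hold. A single
// approval (or the same person approving twice) does nothing; two distinct approvers are
// needed, and even then the creator's two confirmations remain mandatory. That last rule
// is an assumption of this example, matching the promise that support cannot change bank
// details on a creator's behalf.
func (a *PayoutAccount) ApproveOverride(staffID string) error {
	if a.pending == nil {
		return ErrNoPending
	}
	a.pending.approvers[staffID] = true
	return nil
}

// Cancel drops the pending change, e.g. when the creator receives an alert for a change
// they did not make.
func (a *PayoutAccount) Cancel() { a.pending = nil }

// Release makes the new destination live only if both channels are confirmed and the
// 48-hour hold has elapsed (or two senior staff approved shortening it).
func (a *PayoutAccount) Release(now time.Time) error {
	p := a.pending
	if p == nil {
		return ErrNoPending
	}
	if !p.emailConfirmed || !p.mobileConfirmed {
		return errors.New("creator confirmation on both email and mobile required")
	}
	holdElapsed := !now.Before(p.requestedAt.Add(PayoutHold))
	if !holdElapsed && len(p.approvers) < 2 {
		return errors.New("48-hour hold still in effect")
	}
	a.Active = p.newDestination
	a.pending = nil
	return nil
}
```

The point of keeping `pending` private and routing every transition through these methods is that there is no code path that writes `Active` directly: neither a support tool nor a compromised session can skip the creator's confirmations, and the only thing staff can influence is the clock.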
3.0 Authentication & Access Control

The Grid. implements a defence-in-depth authentication model with multiple layers of verification scaled to account risk level.

AUTH-001 · Multi-Factor Authentication · Required Day 1
App-based TOTP (Authenticator) or hardware key (FIDO2/WebAuthn) mandatory for all accounts with cumulative earnings above $100 or 1,000+ followers. SMS-based 2FA explicitly prohibited due to SIM-swap risk.

AUTH-002 · Geographic Anomaly Detection · Required Day 1
Real-time login location monitoring. Automatic account freeze and re-verification trigger when login origin deviates significantly from established patterns. Creator notified immediately via email and in-app.

AUTH-003 · Session Management · Planned Q3 2026
JWT tokens with 15-minute expiry and 7-day refresh token rotation. Refresh token invalidation on logout. Concurrent session limits with device management dashboard for creators.
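The access-token side of AUTH-003, as an added example written for this page rather than The Grid.'s own code: a standard-library HS256 JWT with the 15-minute expiry, verified the way a defender wants it verified. The function names, the claim set and the key handling are assumptions. Production code would normally use a maintained JWT library; the property to keep whichever library is used is that the server pins the algorithm and key itself and never lets the token's own header choose them.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// AccessTokenTTL is the AUTH-003 access token lifetime.
const AccessTokenTTL = 15 * time.Minute

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// hs256 is HMAC-SHA256 over the JWT signing input, base64url-encoded as the JWT spec requires.
func hs256(key []byte, signingInput string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return b64(mac.Sum(nil))
}

// SignAccessToken mints a compact JWT (header.payload.signature) whose "sub" is the
// creator ID and whose "exp" is 15 minutes after issue. (Hypothetical API.)
func SignAccessToken(key []byte, creatorID string, now time.Time) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]any{
		"sub": creatorID,
		"iat": now.Unix(),
		"exp": now.Add(AccessTokenTTL).Unix(),
	})
	signingInput := header + "." + b64(payload)
	return signingInput + "." + hs256(key, signingInput)
}

// VerifyAccessToken returns the creator ID carried by a valid token. It always
// recomputes HS256 with the server key (the token's own "alg" header is ignored, which
// closes the classic alg=none / key-confusion hole), compares the MAC in constant time,
// and only then decodes the claims and enforces "exp".
func VerifyAccessToken(key []byte, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	if !hmac.Equal([]byte(hs256(key, parts[0]+"."+parts[1])), []byte(parts[2])) {
		return "", errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", errors.New("malformed claims")
	}
	var c struct {
		Sub string `json:"sub"`
		Exp int64  `json:"exp"`
	}
	if err := json.Unmarshal(raw, &c); err != nil || c.Sub == "" || c.Exp == 0 {
		return "", errors.New("malformed claims")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return "", errors.New("access token expired")
	}
	return c.Sub, nil
}
```

Because the access token is verified purely from the key and the clock, revoking it early is not possible; that is why its lifetime is only 15 minutes and why anything that must be revocable (logout, device removal) is tied to the refresh token instead.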
AUTH-004 · OAuth Minimal Scope · Planned Q3 2026
All social platform integrations request minimum necessary OAuth scopes. Scopes explicitly enumerated in consent screens. Per-platform token revocation available from creator dashboard. Tokens rotated every 30 days.

AUTH-005 · Privileged Access Management · Required Day 1
Internal admin accounts require hardware key authentication. Zero-trust architecture: engineers access production systems via short-lived credentials only. All privileged actions logged and reviewed.

AUTH-006 · Payout Destination Controls · Required Day 1
48-hour cooling period on all payout destination changes. Change triggers email verification to original address and secondary verification to mobile. Support team cannot override without dual-approval from two senior staff members.
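The refresh-token half of AUTH-003 (7-day rotation, invalidation on logout, one live session per device for the management dashboard) is where the revocable state lives. The Go below is an added example for this page, not The Grid.'s implementation: the opaque 256-bit tokens stored only as hashes, the "family" model that lets a replayed token revoke its whole rotation chain, and the `SessionStore` API are all assumptions. The short-lived access JWT that would accompany each refresh is minted separately and is not part of this block.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"time"
)

// RefreshTokenTTL is the AUTH-003 refresh token lifetime.
const RefreshTokenTTL = 7 * 24 * time.Hour

// refreshRecord is what the server keeps per refresh token. It is stored under
// SHA-256(token), so a database read never yields a usable token. Every token in one
// rotation chain shares a "family" ID, which is what gets revoked on logout or reuse.
type refreshRecord struct {
	creatorID, family string
	expires           time.Time
	used              bool
}

// SessionStore is an in-memory stand-in for the session table. (Hypothetical API.)
type SessionStore struct {
	records map[string]*refreshRecord
}

func NewSessionStore() *SessionStore { return &SessionStore{records: map[string]*refreshRecord{}} }

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// randomToken returns 256 bits from crypto/rand; refresh tokens are opaque, not JWTs.
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

func (s *SessionStore) issue(creatorID, family string, now time.Time) string {
	tok := randomToken()
	s.records[hashToken(tok)] = &refreshRecord{creatorID: creatorID, family: family, expires: now.Add(RefreshTokenTTL)}
	return tok
}

// Login starts a new token family, i.e. one device's session.
func (s *SessionStore) Login(creatorID string, now time.Time) string {
	return s.issue(creatorID, randomToken(), now)
}

// Refresh exchanges a refresh token for a new one, making the presented token single-use.
// Presenting a token that was already rotated means it leaked and is being replayed, so
// the entire family is revoked; the legitimate client simply logs in again.
func (s *SessionStore) Refresh(refresh string, now time.Time) (creatorID, next string, err error) {
	rec, ok := s.records[hashToken(refresh)]
	if !ok {
		return "", "", errors.New("unknown refresh token")
	}
	if rec.used {
		s.revokeFamily(rec.family)
		return "", "", errors.New("refresh token reuse detected; session family revoked")
	}
	if !now.Before(rec.expires) {
		return "", "", errors.New("refresh token expired")
	}
	rec.used = true
	return rec.creatorID, s.issue(rec.creatorID, rec.family, now), nil
}

// Logout revokes the family, so the current token and every rotated sibling stop working.
func (s *SessionStore) Logout(refresh string) {
	if rec, ok := s.records[hashToken(refresh)]; ok {
		s.revokeFamily(rec.family)
	}
}

// ActiveSessions counts live (unused, unexpired) refresh tokens: one per device, which is
// what a creator's device-management dashboard would list and let them revoke.
func (s *SessionStore) ActiveSessions(creatorID string, now time.Time) int {
	n := 0
	for _, r := range s.records {
		if r.creatorID == creatorID && !r.used && now.Before(r.expires) {
			n++
		}
	}
	return n
}

func (s *SessionStore) revokeFamily(family string) {
	for h, r := range s.records {
		if r.family == family {
			delete(s.records, h)
		}
	}
}
```

Reuse detection is the part worth keeping whatever storage backs this: a stolen refresh token that is replayed after the real client has already rotated it is the one signal the server can act on, and revoking the family turns that signal into a forced re-login plus an alertable event rather than a silent second session.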
4.0 Data Encryption Standards

All sensitive data is encrypted in transit and at rest using current industry standard algorithms. The following encryption standards apply across all Grid. services:

ENC-001 · Data at Rest · Required Day 1
AES-256-GCM encryption for all data at rest. Separate encryption keys per data classification tier. PRO identity data and financial data stored in isolated encrypted datastores with independent key management.

ENC-002 · Data in Transit · Required Day 1
TLS 1.3 mandatory for all connections. HSTS with preloading. Certificate Transparency monitoring. HTTP Strict Transport Security with 1-year max-age. No fallback to TLS 1.2 or below.

ENC-003 · Recording Session E2E · Required Day 1
End-to-end encryption on all podcast recording sessions using DTLS-SRTP. Session keys generated per-session, never transmitted to Grid. servers. Host controls key distribution to admitted participants only.

ENC-004 · Key Management · Planned Q3 2026
Hardware Security Module (HSM) for master key storage. AWS KMS or equivalent for key lifecycle management. Automatic key rotation every 90 days. Key access logged and audited quarterly.
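ENC-001 and ENC-004 together describe a key hierarchy: a master key held in an HSM or KMS, a separate data key per classification tier, and a 90-day rotation cadence. The Go below is an added example for this page, not The Grid.'s implementation, of AES-256-GCM under per-tier keys with the key generation, tier and record ID bound as associated data, so that a ciphertext cannot be decrypted under another tier's key or quietly moved between records. The HMAC-based key derivation, the `KeyRing` API and the tier labels are assumptions standing in for what a KMS would provide.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Tier mirrors the data-classification tiers; each tier is encrypted under its own key.
type Tier string

const (
	TierCritical     Tier = "tier1-critical"     // PRO identity, bank details
	TierConfidential Tier = "tier2-confidential" // creator PII, OAuth tokens
)

// KeyRing stands in for the KMS/HSM-backed hierarchy: one master key, from which a
// separate 256-bit data key is derived per tier. The single HMAC-SHA256 derivation step
// is an assumption for this example (a KMS would hand out the data keys itself), and
// Version labels the 90-day rotation generation so records encrypted under an older
// generation stay decryptable by a ring constructed with that version.
type KeyRing struct {
	master  []byte
	Version string
}

func NewKeyRing(master []byte, version string) (*KeyRing, error) {
	if len(master) < 32 {
		return nil, errors.New("master key must be at least 256 bits")
	}
	return &KeyRing{master: master, Version: version}, nil
}

func (k *KeyRing) dataKey(t Tier) []byte {
	mac := hmac.New(sha256.New, k.master)
	mac.Write([]byte("grid-data-key/" + k.Version + "/" + string(t)))
	return mac.Sum(nil) // 32 bytes, i.e. AES-256
}

func (k *KeyRing) gcm(t Tier) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.dataKey(t))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds the ciphertext to its key generation, tier and record. GCM authenticates it
// without encrypting it, so any mismatch on Open fails closed.
func (k *KeyRing) aad(t Tier, recordID string) []byte {
	return []byte(k.Version + "|" + string(t) + "|" + recordID)
}

// Seal returns nonce || ciphertext || tag for one record. A fresh random 96-bit nonce per
// call is fine as long as one key generation never sees on the order of 2^32 encryptions,
// which the 90-day rotation in ENC-004 keeps well out of reach for per-record data.
func (k *KeyRing) Seal(t Tier, recordID string, plaintext []byte) ([]byte, error) {
	g, err := k.gcm(t)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, k.aad(t, recordID)), nil
}

// Open reverses Seal; a wrong key, tier, record ID, nonce or tag all yield an error.
func (k *KeyRing) Open(t Tier, recordID string, blob []byte) ([]byte, error) {
	g, err := k.gcm(t)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], k.aad(t, recordID))
}
```

Storing the key version alongside each record (here it is implicit in which `KeyRing` you construct) is what makes rotation a background re-encryption job rather than a cut-over; a record written under "v1" is still readable after "v2" becomes the default for new writes.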
5.0 Infrastructure Security

INFRA-001 · Multi-Region Deployment · Planned Q4 2026
Primary deployment across 3 geographic regions (EU, US, APAC) for resilience and data residency compliance. Automatic failover with RTO < 15 minutes and RPO < 1 hour.

INFRA-002 · DDoS Mitigation · Required Day 1
Cloudflare Enterprise for DDoS mitigation, WAF, and bot management. Rate limiting on all public API endpoints. Automatic traffic scrubbing for volumetric attacks. 99.9% uptime SLA.

INFRA-003 · Network Segmentation · Required Day 1
Production, staging, and development environments strictly isolated. No shared credentials between environments. Wallet and PRO data services in separate VPCs with limited ingress rules. Zero-trust network access for internal services.

INFRA-004 · Vulnerability Scanning · Planned Q3 2026
Automated SAST and DAST scanning in CI/CD pipeline. No deployment to production with critical or high severity findings unresolved. Dependency vulnerability scanning via Snyk or equivalent. Weekly full-stack scans.
6.0 Incident Response Plan

The Grid. maintains a documented incident response plan following the NIST framework: Identify, Protect, Detect, Respond, Recover.

Critical Incident Definition: Any event involving unauthorised access to creator financial data, PRO identity data, or wallet balances. Mandatory notification to affected creators within 72 hours. Regulatory notification as required by GDPR Article 33 and equivalent frameworks.
1. Detection & Triage (0–1 hour): Automated alerts via SIEM → On-call engineer → Security lead
  • Automated alert fires from SIEM or anomaly detection
  • On-call engineer confirms and classifies incident severity
  • Security lead and CTO notified for P0/P1 incidents
  • Incident channel opened in Slack, timeline begins
2. Containment (1–4 hours): Isolate affected systems → Preserve evidence → Assess scope
  • Affected accounts suspended or isolated
  • Evidence preserved via forensic snapshot
  • Scope of breach determined: accounts affected, data exposed
  • Legal and compliance team engaged if creator data involved
3. Notification (4–72 hours): Creator communication → Regulatory notification → Public disclosure
  • Affected creators notified directly within 72 hours
  • GDPR Article 33 notification to supervisory authority within 72 hours
  • Status page updated with incident information
  • Press statement prepared (if public impact)
4. Recovery & Post-Mortem (72h–30 days): Remediation → Root cause analysis → Process improvement
  • Root cause identified and documented
  • Fix deployed and verified by independent review
  • Post-mortem published internally and externally (blameless)
  • Process improvements implemented within 30 days
Document 02 of 04 · Compliance Framework · Confidential
SOC 2 Compliance Framework
Type II Readiness — Trust Service Criteria Mapping
Standard: AICPA SOC 2 Type II
Audit Firm: TBD — Big Four Preferred
Target Date: Q2 2027
Readiness Tool: Vanta / Drata
○ In Preparation — Readiness Assessment Underway
1.0 What SOC 2 Means for The Grid.

SOC 2 (System and Organisation Controls 2) is an independent audit standard developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 Type II report provides independent verification that The Grid. has maintained its security controls consistently over a minimum observation period of six months.

For The Grid., achieving SOC 2 Type II certification is the single most important trust signal we can provide to enterprise customers, Opera as a platform partner, PRO organisations in 180+ territories, and the 840,000 creators who depend on us to protect their earnings, identity, and work.

Why Type II matters more than Type I: SOC 2 Type I only verifies that controls exist at a point in time. Type II verifies they operated effectively over 6–12 months. For a platform handling creator earnings and PRO registration data, Type II is the only meaningful certification.
2.0 Trust Service Criteria Coverage

The Grid. SOC 2 audit will cover all five Trust Service Criteria. The following summarises our control coverage across each criterion:

| Criterion | Sections | Controls | Focus |
|---|---|---|---|
| Security | CC1–CC9 | 34 | Common Criteria |
| Availability | A1 | 8 | Uptime & SLA |
| Processing Integrity | PI1 | 6 | Financial Accuracy |
| Confidentiality | C1 | 10 | Data Protection |
| Privacy | P1–P8 | 22 | Personal Data |
3.0 Key Policy Documents

The following policies form the documentary foundation of The Grid. SOC 2 compliance programme. Each policy must be reviewed annually and acknowledged by all staff.

Information Security Policy

The Grid. is committed to protecting the confidentiality, integrity, and availability of all information assets. This policy applies to all employees, contractors, and third-party vendors with access to Grid. systems.

  • All access to production systems requires multi-factor authentication using FIDO2 hardware keys or TOTP authenticator applications
  • Production access is granted on a least-privilege basis and reviewed quarterly
  • All code changes to production systems require peer review and must pass automated security scanning before deployment
  • Security incidents must be reported immediately to the security team via the designated incident channel
  • Employees may not store creator personal data on personal devices or unencrypted external media
  • Annual security awareness training is mandatory for all staff with system access
Data Classification Policy

The Grid. classifies all data into four tiers based on sensitivity and regulatory requirements:

  • Tier 1 — Critical: PRO registration data (IPI/CAE numbers, bank details, national ID), wallet balances, payment card data. AES-256 encryption at rest. Isolated datastore. Access by security-cleared staff only.
  • Tier 2 — Confidential: Creator personal data (name, address, email, phone), earnings history, OAuth tokens. AES-256 at rest. Access restricted by role.
  • Tier 3 — Internal: Platform analytics, aggregate revenue data, internal communications. Encrypted in transit. Internal access only.
  • Tier 4 — Public: Creator profiles, published works, episode listings, market listings. No encryption requirement beyond TLS in transit.
Vendor & Third-Party Risk Management

All third-party vendors with access to Grid. systems or creator data must complete a security assessment before onboarding:

  • Vendors handling Tier 1 or Tier 2 data must provide a current SOC 2 Type II report or equivalent (ISO 27001)
  • Payment processors must maintain PCI DSS Level 1 compliance at all times
  • All vendor contracts must include data processing agreements meeting GDPR Article 28 requirements
  • Vendor access is reviewed annually. Unused vendor integrations are decommissioned within 30 days of identification
  • Sub-processors must be disclosed to creators in the Privacy Policy with opt-out mechanisms where legally required
4.0 Compliance Roadmap

Q3 2026 — Foundation (months 1–3 of the observation period)
  • Deploy Vanta or Drata compliance automation platform
  • Complete gap assessment against SOC 2 Common Criteria
  • Implement all P0 security controls from Architecture doc
  • Hire or designate fractional CISO
  • Complete all policy documentation and staff acknowledgements
Q4 2026 — Evidence Collection (months 4–6 of the observation period)
  • All controls operational and generating audit evidence automatically
  • First penetration test completed by independent firm
  • Bug bounty programme live (see Doc 03)
  • All critical and high findings from pentest remediated
  • Select SOC 2 audit firm and begin pre-audit readiness review
Q1 2027 — Audit Preparation (pre-audit readiness and final remediation)
  • Readiness assessment with audit firm completed
  • All remaining control gaps closed
  • Second penetration test completed
  • 6-month observation period complete
Q2 2027 — SOC 2 Type II Achieved (audit, report, public disclosure)
  • Formal SOC 2 Type II audit completed
  • Report issued by licensed CPA firm
  • SOC 2 compliance published on trust.thegrid.io
  • Annual re-certification programme established
Document 03 of 04 · Bug Bounty Programme · Public
Bug Bounty Programme
Responsible Disclosure Policy — HackerOne Programme Brief
Platform: HackerOne
Programme Type: Private → Public
Launch Date: Q4 2026
Annual Budget: $120,000
○ Ready to Submit to HackerOne
1.0 Programme Overview

The Grid. believes that working with skilled security researchers is fundamental to protecting creators. We invite the security community to help us identify vulnerabilities before malicious actors do. This programme is our commitment to responsible disclosure and fair reward for the researchers who help keep The Grid. safe.

The programme launches privately (invited researchers only) in Q4 2026, expanding to public in Q1 2027 once the internal triage process is mature. All valid reports are acknowledged within 24 hours, triaged within 72 hours, and rewarded within 14 days of validation.

Our commitment to researchers: We will never pursue legal action against a researcher who discovers and reports a vulnerability in good faith in accordance with this policy. We follow a strict no-retaliation policy.
2.0 Reward Tiers

Critical · $10K · up to $15,000
  • Remote code execution on production servers
  • Unauthorised access to creator wallet balances
  • Mass PRO data exfiltration (IPI/bank details)
  • Authentication bypass allowing account takeover at scale
High · $3K · up to $5,000
  • Single account takeover via authentication flaw
  • Unauthorised access to another creator’s private data
  • SQL injection with data access
  • Privilege escalation to admin role
Medium · $500 · up to $1,500
  • Stored XSS affecting other users
  • CSRF with significant impact
  • Insecure direct object references
  • Sensitive data exposure in API responses
Low · $100 · up to $300
  • Reflected XSS with limited impact
  • Open redirect
  • Missing security headers
  • Self-XSS (documented for awareness)
3.0 Scope

In Scope — Test these targets
  • *.thegrid.io: all subdomains including API, app, studio, market
  • The Grid. iOS App: App Store releases only
  • The Grid. Android App: Google Play releases only
  • Grid. DAW Bridge: macOS and Windows desktop bridge application
  • api.thegrid.io/v1/*: all public and authenticated API endpoints
Out of Scope — Do not test these
  • Social engineering attacks against Grid. staff or creators
  • Physical attacks against Grid. infrastructure or offices
  • Denial of service attacks of any kind
  • Automated scanning without prior written approval
  • Accessing, modifying, or deleting creator data during testing
  • Third-party services integrated with Grid. (Spotify, Beatport, etc.)
4.0 Responsible Disclosure Rules
Rules of Engagement
  • Use only test accounts you own or have explicit permission to use. Never access real creator data.
  • Do not exploit a vulnerability beyond what is necessary to demonstrate its existence
  • Do not access, download, modify, delete, or exfiltrate any creator data
  • Do not disclose the vulnerability publicly until The Grid. has patched it and given you permission to disclose
  • Report vulnerabilities through HackerOne only. Email reports will be redirected to HackerOne and may delay your reward.
  • Include a clear proof-of-concept and reproduction steps. Reports without reproduction steps may be marked as ‘Not Applicable’.
  • One report per vulnerability. Bundling multiple issues into one report reduces clarity and may delay payment.
Response SLAs:
  • Initial acknowledgement within 24 hours
  • Triage and severity assessment within 72 hours
  • Fix timeline communicated within 7 days
  • Reward paid within 14 days of validation
  • CVE assigned for Critical and High findings
Document 04 of 04 · Public Policy · For All Creators
Creator Trust & Safety
Our Commitment to Every Creator on The Grid.
Audience: All Creators — Public
Effective: Launch Date
Review Cycle: Annually
● Final Draft — Ready for Legal Review
Our Promise to You

The Grid. exists to bring humanity together through creativity. That mission only works if every creator who joins us can trust that their work is protected, their earnings are secure, and their identity is safe. This document explains exactly what we do to honour that trust — and what you can hold us accountable to.

1.0 Your Earnings Are Protected
Wallet Security
  • Your Grid. Wallet balance is held in a segregated account, separate from The Grid.’s operational funds. Your money is yours, always.
  • If you change your payout bank account, a mandatory 48-hour security hold applies. You will receive verification requests to both your registered email and mobile number. No payout will be released to a new account without your explicit confirmation on both channels.
  • Our support team cannot change your bank details on your behalf under any circumstances — this prevents social engineering attacks where someone impersonates you to redirect your earnings.
  • Every payout is logged with a timestamp, amount, and destination. Your full payout history is always available in your dashboard.
  • If we ever detect suspicious activity on your account, we will freeze it immediately and contact you directly before taking any other action.
Revenue Splits & Collab Earnings
  • All revenue splits agreed via The Grid. Studio are enforced automatically by the platform — they cannot be altered after the work is published without consent from all parties.
  • You receive a full breakdown of every earnings event: who paid, how much, on which platform, and what your split was after fees.
  • Platform fees are always shown before you publish or list anything. There are no hidden fees, no surprise deductions, and no retroactive fee changes on existing listings.
2.0 Your Work Is Protected
Intellectual Property
  • You own 100% of everything you create and publish on The Grid. We claim no licence to your work beyond what is necessary to display and distribute it on your behalf as per your settings.
  • All downloadable work on The Grid. Market carries an invisible forensic watermark that identifies the buyer. If your work appears somewhere it shouldn’t, we can help you trace it.
  • We have a dedicated DMCA response team. Copyright infringement reports are actioned within 24 hours. Repeat infringers are permanently removed from the platform.
  • Your podcast recordings, music stems, and DAW project files are stored encrypted and are never accessed by Grid. staff except under your explicit instruction or to diagnose a technical problem you report.
3.0 Your Identity Is Protected
Personal Data & PRO Information
  • Your PRO registration data — including IPI/CAE numbers, national identity documents, and bank details — is stored in an isolated encrypted database. It is never exposed via the Grid. API, never visible to other creators, and only accessed by authorised Grid. staff for the specific purpose of submitting your registration.
  • We will never sell your personal data to any third party for advertising or marketing purposes. Ever.
  • You can request a complete copy of all data we hold about you at any time. You can request deletion of your account and all associated data, subject to legal retention requirements (e.g. financial records we are legally required to keep for 7 years).
  • We comply with GDPR (EU/UK), CCPA (California), POPIA (South Africa), PDPA (Japan/Thailand), and equivalent privacy frameworks in every territory where we operate.
4.0 What Happens If Something Goes Wrong
Our breach commitment: If we ever experience a security incident that affects your data or earnings, we will tell you directly within 72 hours — not via a generic platform announcement, but with a clear explanation of what happened, what data was involved, what we have done to fix it, and what you should do to protect yourself. We will never hide a breach.
Reporting a Security Concern
  • If you believe your account has been compromised, contact us immediately at security@thegrid.io. We will respond within 2 hours for account security emergencies and within 24 hours for all other security reports.
  • If you discover a vulnerability in The Grid. platform, please report it through our Bug Bounty programme at hackerone.com/thegrid. We reward good-faith researchers and never pursue legal action for responsible disclosure.
  • If you suspect someone is impersonating you on The Grid., report it via trust@thegrid.io. Impersonation reports are reviewed within 24 hours and actioned within 48 hours.
5.0 Security Checklist for Creators

We strongly recommend every creator on The Grid. completes the following steps to maximise account security:

  • Critical · Enable two-factor authentication using an authenticator app (Google Authenticator, Authy, or 1Password). Do not use SMS-based 2FA.
  • Critical · Use a unique, strong password for your Grid. account. Do not reuse passwords from other platforms. Use a password manager.
  • Critical · Verify your payout bank account is correct. Review it in Settings → Wallet → Payout Destinations. You will receive a security alert if anyone tries to change it.
  • High · Review your connected social platform permissions in Settings → Connected Accounts. Remove access for any platform you no longer use on The Grid.
  • High · Check your active sessions in Settings → Security → Active Devices. Log out any device you don’t recognise.
  • High · Enable login notifications. You will receive an email and push notification every time your account is accessed from a new device or location.
  • Medium · Keep the Grid. DAW Bridge updated to the latest version. Updates include security patches. Auto-update is enabled by default — do not disable it.
  • Medium · Be aware of phishing. The Grid. will never ask for your password via email, phone, or social media. All genuine Grid. emails come from @thegrid.io domains only.