gridIQ runs on managed, encrypted infrastructure with security enforced at the database, application and network layers. This page sets out the practices in plain language, and is honest about what we do and do not claim.
gridIQ holds your sites, consumption data, contracts and emissions calculations. We treat that as sensitive. Security is built into the code rather than bolted on, and the controls below are the ones actually implemented in the platform today.
Access to your data is enforced at the database with row-level security, so one account can never read another account's sites, consumption or contracts. The privileged service role is server-side only and is never exposed to the browser.
Sign in with email and password, a magic link, or Google. Sessions are managed by Supabase Auth.
State-changing requests are checked against an allow-list of trusted origins and rejected otherwise, so another site cannot act on your behalf using your session.
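As an added example (not gridIQ's code), this is the shape of an origin allow-list check for state-changing requests. The allow-list entries and the `app.gridiq.example` origin are constructed placeholders; the check compares the canonical origin (scheme, host and port) exactly, so a lookalike host or an opaque `null` origin from a sandboxed frame never matches.

```typescript
// Added example, not gridIQ's code. Origins below are constructed placeholders.
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

/** Reduce a header value to a canonical origin ("https://host[:port]"), or null if it is not one. */
function canonicalOrigin(value: string | null | undefined): string | null {
  if (!value || value === "null") return null; // opaque origin (sandboxed iframe, file://) is never trusted
  try {
    const u = new URL(value);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin; // drops path and query, lowercases the host, removes default ports
  } catch {
    return null;
  }
}

/** Build the allow-list once at startup from configured origins; malformed entries are ignored. */
function buildAllowList(origins: string[]): Set<string> {
  const allow = new Set<string>();
  for (const o of origins) {
    const c = canonicalOrigin(o);
    if (c) allow.add(c);
  }
  return allow;
}

/**
 * Safe methods pass through. For state-changing methods the Origin header must match an
 * allow-listed origin exactly; when Origin is absent (some older clients omit it) the Referer's
 * origin is used instead, and a request carrying neither is rejected rather than assumed safe.
 */
function isTrustedStateChange(
  method: string,
  headers: Record<string, string | undefined>,
  allow: Set<string>,
): boolean {
  if (!STATE_CHANGING.has(method.toUpperCase())) return true;
  const origin = canonicalOrigin(headers["origin"]) ?? canonicalOrigin(headers["referer"]);
  if (origin === null) return false;
  return allow.has(origin);
}
```

Exact matching is the point: a suffix or substring check would accept `https://app.gridiq.example.attacker.example`, while the canonical form also removes the `:443` / mixed-case variants a browser may send. The check complements, rather than replaces, SameSite cookie attributes.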
Outbound alert webhooks are validated before every send: requests to private and reserved IP ranges are blocked, redirects are refused, and the hostname is re-resolved on each delivery to defend against DNS rebinding.
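The following is an added example, not gridIQ's webhook code, of the three checks the paragraph describes: the hostname is resolved fresh before every delivery, every address in the answer must be public, and redirects are refused. The resolver is injectable so the policy can be exercised offline; `defaultResolver`, `MinimalFetch` and all sample addresses are assumptions of this example.

```typescript
import { isIP } from "node:net";
import { lookup } from "node:dns/promises";

// Added example, not gridIQ's code. The resolver is injectable so tests can run offline;
// in production the default below performs a fresh dns.lookup on every delivery (no caching).
type Resolver = (hostname: string) => Promise<string[]>;
const defaultResolver: Resolver = async (hostname) =>
  (await lookup(hostname, { all: true })).map((a) => a.address);

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function inCidr4(ip: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}
// Loopback, private, CGNAT, link-local, benchmarking, multicast and reserved IPv4 space.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.0.0.0", 24], ["192.168.0.0", 16],
  ["198.18.0.0", 15], ["224.0.0.0", 4], ["240.0.0.0", 4],
];

/** True for any address a webhook must never reach; anything unparseable is treated as unsafe. */
function isPrivateOrReserved(ip: string): boolean {
  const kind = isIP(ip);
  if (kind === 4) {
    const n = ipv4ToInt(ip);
    return BLOCKED_V4.some(([base, bits]) => inCidr4(n, base, bits));
  }
  if (kind === 6) {
    const v6 = ip.toLowerCase();
    const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6); // IPv4-mapped, dotted form only
    if (mapped && mapped[1]) return isPrivateOrReserved(mapped[1]);
    if (v6 === "::1" || v6 === "::") return true;
    if (/^f[cd]/.test(v6)) return true;    // fc00::/7 unique local
    if (/^fe[89ab]/.test(v6)) return true; // fe80::/10 link-local
    if (/^ff/.test(v6)) return true;       // ff00::/8 multicast
    return false;
  }
  return true;
}

/** Structural checks that need no network: https only, no embedded credentials. */
function parseWebhookUrl(raw: string): URL {
  let url: URL;
  try { url = new URL(raw); } catch { throw new Error("webhook URL is not parseable"); }
  if (url.protocol !== "https:") throw new Error("webhook URL must use https");
  if (url.username || url.password) throw new Error("credentials in webhook URL are not allowed");
  return url; // the WHATWG parser also canonicalises decimal/hex IPv4 forms to dotted quads
}
const hostOf = (url: URL): string => url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets

/** Policy over the freshly resolved answer: every address must be public, not just the first. */
function checkAddresses(addresses: string[]): string {
  const first = addresses[0];
  if (first === undefined) throw new Error("hostname did not resolve");
  for (const a of addresses) {
    if (isPrivateOrReserved(a)) throw new Error(`resolved to blocked address ${a}`);
  }
  return first;
}

interface ValidatedTarget { url: URL; address: string }
async function validateWebhookTarget(raw: string, resolve: Resolver = defaultResolver): Promise<ValidatedTarget> {
  const url = parseWebhookUrl(raw);
  const host = hostOf(url);
  const addresses = isIP(host) ? [host] : await resolve(host); // re-resolved on every call
  return { url, address: checkAddresses(addresses) };
}

type MinimalFetch = (
  url: string,
  init: { method: "POST"; headers: Record<string, string>; body: string; redirect: "manual" },
) => Promise<{ status: number }>;

/** A 3xx is a failed delivery: the Location header is never followed, wherever it points. */
function deliveryOutcome(status: number): "delivered" | "redirect-refused" | "failed" {
  if (status >= 300 && status < 400) return "redirect-refused";
  if (status >= 200 && status < 300) return "delivered";
  return "failed";
}
async function deliverAlert(raw: string, body: string, fetchImpl: MinimalFetch, resolve: Resolver = defaultResolver) {
  const target = await validateWebhookTarget(raw, resolve);
  const res = await fetchImpl(target.url.toString(), {
    method: "POST", headers: { "content-type": "application/json" }, body, redirect: "manual",
  });
  return deliveryOutcome(res.status);
}
```

Two caveats worth knowing. Checking every address in the answer matters because a rebinding-style record can mix a public address with a private one. And validating before the send closes most of the window but not all of it: a fully closed check also connects to the address that was validated (`target.address`) rather than letting the HTTP client resolve the name again, which in Node's `fetch` needs a custom dispatcher and is outside this example.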
gridIQ never stores your card details; payments run through Stripe. Incoming billing webhooks are verified with an HMAC-SHA256 signature, a constant-time comparison and a replay window, so forged events are rejected.
Errors are captured on the server, in the browser and at the edge through Sentry, so problems surface to the team quickly rather than failing silently.
The newsletter sign-up is protected by Cloudflare Turnstile to keep automated abuse out.
Every scheduled data job validates a secret bearer token before it runs, and user-supplied content is sanitised before it is stored or rendered.
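As an added example (not gridIQ's code), here is a fail-closed bearer token check for a scheduled job, following the `Authorization: Bearer <CRON_SECRET>` convention Vercel documents for cron routes, together with the two halves of sanitising user-supplied text: normalising it before storage and escaping it when it is rendered into HTML. The secret value, the `sanitiseText` and `escapeHtml` names and the length cap are assumptions of this example.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example, not gridIQ's code. The secret shown in tests is a constructed placeholder;
// in practice it comes from an environment variable such as CRON_SECRET.

/** Hashing both sides gives equal-length buffers, so timingSafeEqual never throws and leaks no length. */
function digest(value: string): Buffer {
  return createHash("sha256").update(value).digest();
}

/** Fail closed: an unset secret or a missing/malformed header rejects the run. */
function authorizeScheduledJob(authorization: string | undefined, secret: string): boolean {
  if (!secret || !authorization) return false;
  const m = /^Bearer\s+(\S+)$/i.exec(authorization.trim());
  if (!m || !m[1]) return false;
  return timingSafeEqual(digest(m[1]), digest(secret));
}

/**
 * Storage-side sanitising for free text such as site names or notes: Unicode-normalise,
 * strip control characters (keeping tab and newline), trim, and cap the length.
 * Assumed cap of 200 characters.
 */
function sanitiseText(input: string, maxLength = 200): string {
  const cleaned = input
    .normalize("NFC")
    .replace(/[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g, "")
    .trim();
  return cleaned.slice(0, maxLength);
}

/** Render-side escaping: the five characters that can break out of text or attribute context. */
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] ?? c);
}
```

Keeping the two steps separate matters: storing escaped text corrupts exports and double-escapes on render, while escaping only at render time (which React does by default for text children) leaves the stored value usable everywhere. Sanitising on input is about normalisation and limits, not about trusting the result as safe HTML.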
gridIQ runs on Vercel with a Supabase Postgres database. Both are managed platforms with data encrypted at rest and in transit. Market data is ingested directly from the primary publishers, AEMO, DCCEEW and the Clean Energy Regulator. gridIQ is an independent product of High Impact Group Pty Ltd and is not affiliated with AEMO, DCCEEW or the CER.
Your data is yours. You can export your account data at any time, and your sites, consumption and contracts are visible only to your account under the row-level security described above.
We hold no formal SOC 2 or ISO 27001 attestation, and we will not imply one. If your procurement process needs a specific assurance, contact us and we will tell you honestly where we are.
gridIQ provides market data and analytics, not regulated financial or legal advice. Scope 2 and compliance outputs are designed to support your reporting; verify them with a qualified professional before lodgement.
We are happy to walk your security or procurement team through how gridIQ handles your data.