


GridMarkets executes tasks via our partner network of secured cloud providers (e.g. Oracle), our “suppliers”. Platform security is generally aligned with MPAA security guidelines and specifically focuses on: network access, machine security, authentication and authorization, logging and monitoring, content management and content transfer. Each of these areas is broken down below.




Network Security

  • No direct outside connection to any of the VMs is permitted. Because the compute nodes are not exposed to the Internet, the attack surface is greatly reduced.

  • Network connections to/from VMs are controlled through a local NAT on every cluster.

  • All traffic is strictly switched and confined to a designated cluster VLAN; no hubs or repeaters are used.

  • Wireless communication is not used to transfer data within the GridMarkets infrastructure.

  • All data transfers and API calls are via secure HTTPS connections (orange arrows).


Machine Security

  • Input/Output devices on all VMs are disabled (e.g. to prevent any unauthorized USB devices).

  • A VM instance is used only for one job & its files and is then destroyed, preventing any possibility of data being obtained by subsequent jobs by other users.

  • All jobs run with normal user permissions with no access to administrative functions on the machine.

  • Processing units are encapsulated in secure Docker containers within VMs to minimize security risks.


Authentication and Authorization

  • GridMarkets has no direct access to clients’ environments through the applications and plugins it provides.  These installed components only access information on GridMarkets’ systems via secure HTTPS connections - e.g. for file listings or to transfer files.

  • Access to GridMarkets’ servers is only via private keys with two-factor authentication; the keys are not made available to anyone outside of GridMarkets.

  • Authentication is over HTTPS to both the GridMarkets “Head-end” API and Job Manager Portal.


Logging and Monitoring

  • Unexpected behavior can result in the shut-down of errant or all processes if deemed necessary.

  • Suppliers of server capacity can only non-intrusively monitor behavior outside the VM - i.e. only analyze resource utilization and not its purpose.



Content Management and Transfer

  • All data transfers are via GridMarkets’ purpose-built “Envoy” tool that uses industry-standard HTTPS for all transfers to & from Google’s Cloud Storage where the data resides in individual account buckets and is authenticated using Google Service Accounts.  Please see for more information on Google Cloud’s security.  The client only needs access to this “Long-term Storage”; client firewalls only need to permit access to Google’s domain via wildcard addressing.

  • All content on suppliers’ servers is encrypted on disk with GridMarkets’ private keys (“Long-term Storage” & “Filer” above); user-specific private keys can optionally be used.

  • Only the specific project (not even account) directory is NFS-mounted by the VMs, preventing access to any other location on the Filer.

  • Content stored on suppliers’ servers is purged after a defined period of no access, or can be optionally deleted after transmission.

  • Purpose-built, secured and dedicated VMs manage the transfer of content.
