Common questions we receive from IT departments during vendor assessments and security reviews.

Data and privacy

No. Grunt cannot access any information contained in your Excel or PowerPoint files. We do not store any information other than the items listed in our data policy, which are necessary for account creation, login, and tracking error metrics needed to provide support.
Yes. We process name and email addresses in order to grant licenses to users of our software. These licenses are linked to an email address. In addition, we register telephone numbers for a small number of contact persons, for example for inquiries related to technical questions, invoices, or user administration.
No. All data centers for our subprocessors are located in the EU/EEA. Specifically, data is retained and processed in Northern Europe on servers controlled by Microsoft Azure.
Data is retained for as long as the subscription is valid, and for a period after to allow for resubscription or other inquiries (normally 1 year). Data may be stored longer if required to comply with applicable laws or regulatory requirements.
Grunt is a SaaS offering, but it is primarily an on-premise installation running locally on the user’s computer. We have a cloud infrastructure that is primarily used to validate user licenses and for certain optional add-on functionalities.
The data centers used are Microsoft Azure, which are designed to meet or exceed Tier III standards and, in some cases, align with Tier IV standards for regions with Availability Zones.
The cloud infrastructure is shared with other customers but does not store any customer proprietary data except data used to validate software licenses.

Security

Our CTO is responsible for information security in the company.
Yes. We have established a management system for information security based on the requirements of the ISO 27001 standard. This includes policies, risk management, security controls, role and responsibility distribution, training, incident management, monitoring, and documentation.
Yes. Our application is built for customers with high security requirements, working with sensitive information related to banking, finance, and M&A. We work continuously with risk assessment through both internal and external evaluations.
Yes. Security assessments are an important part of our development criteria. If potential challenges are reported internally or externally, a team is appointed to analyze the situation, draw up a mitigation plan, and implement a solution. This work is prioritized over other development to ensure the shortest possible response time.
Yes. We have clearly defined routines for handling information security in project work, along with routine evaluation of our systems including periodic external evaluation when necessary.
Yes.
Our security policies are reviewed twice a year, or following any material change to our business.
We use AES-256 encryption for securing data at rest and in transit. Data in transit is encrypted using TLS 1.2/1.3. Encryption keys are securely managed using Azure Key Vault, and key lengths comply with minimum cipher strength requirements.
Our network defenses include firewalls, anti-malware solutions, application whitelisting, intrusion prevention systems (IPS), and two-factor authentication for secure access. Our cloud infrastructure (Microsoft Azure) provides built-in DDoS protection as part of its security services.
Yes. We conduct regular external penetration tests. Identified vulnerabilities are tracked and remediated through our standard vulnerability management process.
We have automatic scans checking for issues with the code or dependencies as part of our development process. We have also verified with external independent technical auditors that there are no obvious issues with data communication.
Yes. We handle security incidents through established routines for reporting and follow-up. Customers who are affected by security incidents are followed up in accordance with our guidelines for incident reporting. If a breach requires notification to the Norwegian Data Protection Authority, they will also be notified.
Yes. Notification routines and deadlines are normally agreed through data processing agreements and/or in an appendix to the customer agreement.
Yes. The customer can access security logs provided this does not compromise other customers or create a security risk for our systems. In such cases, we will work with the customer on a cost/benefit assessment and clean system logs of sensitive information.
Yes. See our SSO documentation for details.
We sign all software with an EV certificate, so Defender exclusions are generally not needed. That said, we recommend adding a Defender exception for our auto-update mechanism to ensure it runs smoothly. See network and security for details.

Employee policies

We carry out assessments of candidates’ suitability to comply with our security requirements. Employment contracts define confidentiality clauses and guidelines, and security training is an important part of onboarding for employees with system access. When a person leaves, all access to systems is withdrawn before the person departs.
Yes. A security training and awareness program is in place for all employees, including new hires, permanent, temporary, and contract staff. New hires undergo training during onboarding, and all employees receive yearly updates to stay informed about security best practices and policies.

Access control

We have established routines for access control to systems and data. We operate according to the principle of least privilege, where employees are only granted rights required for their current role. Access rights are revised annually and continuously adjusted as needed.
Work with data and systems is not based on local settings or physical machines. Access to mobile devices does not give third parties access to our systems.
Yes. This information is logged.
Employees do not have access to customer systems. To the extent that employees have access to customer information, this is access controlled and documented.
Yes. This can be delivered on request.

Operations

Yes. Our operating model documents how system development is carried out and which guidelines exist.
Yes. Change management follows our standard development process and operating model.
Yes. We have templates and processes for reporting event logs to our customers.
Yes. We have several layers of backup of both system code and other necessary information, such as license information needed for user access.
Yes. System code is restored from backup daily as part of our development model. Other information is tested periodically.
Yes. We have built-in logging and monitoring of our systems. These logs can be configured by the customer’s IT department.
Information is always encrypted in transit through industry standards (SSL/TLS) for data transfer between systems and in communication with customers and subcontractors. Encryption at rest is implemented where critical to protect sensitive information.
Yes. We have documented continuity plans that ensure our services can be maintained or quickly restored in the event of unforeseen events. These plans include procedures for disaster recovery, resource allocation, and communication with affected parties.
The plans are reviewed and revised annually.
Yes. We follow best practices for secure software development. The development model is documented in our system development process.
Yes. We have thorough reviews with our suppliers when entering into new agreements. For the most important subcontractors we have regular contact and follow-up, with a minimum of annual contact with all suppliers.
Yes. We continuously incorporate customer requirements in our dialogue with suppliers and annually revise contracts based on any need for changes.
Yes. The service requires API calls for functions such as license validation. All API calls are authenticated and encrypted.
Yes. Role-based access is supported for managing users and licenses.
Our APIs are REST based.
Yes. We use SonarCloud as our SAST tool and rely on multiple Roslyn Analyzers to continuously automate code analysis during development.

Physical security and continuity

The company is fully equipped to operate independently of our offices and can move operations to other suitable premises, with home office as an immediate temporary solution.
Yes. The company does not use physical storage media on its own premises. We have routines for deleting data from servers operated by subcontractors.

License management

You can appoint one or more license managers who handle licenses online. Licenses are assigned to users and can be used on several machines as long as it is the same user. You can add, remove, or re-allocate licenses at any time and the update takes place immediately.
Licenses are linked to user email addresses. Users log in with their email address in Grunt within PowerPoint, and validation is done against our license server. The license is validated regularly but is not required at each startup, so users can work offline (for example on flights or short travel).
If you use proxy servers that filter web traffic, our license server must be whitelisted so licenses can be validated. See network and security for the required endpoints.
Yes. We support centralized distribution, used today at banks and other organizations with high security requirements.
Managed deployment:
  • MSI file is distributed to your IT team
  • Installation can be automated using common tools and configured with command line arguments
  • Grunt is installed to Program Files
  • Updates are distributed to your IT team according to your agreement (typically monthly or every other month)
  • Users can see that new versions are available but cannot upgrade themselves
Standard deployment (used by most customers):
  • Installation from MSI file (from IT or by the user manually)
  • Grunt is installed without administrative rights to the user’s AppData folder
  • New updates are made available online, and the user is offered the update the next time they open PowerPoint
  • The upgrade completes within 15 seconds
  • New versions are normally available once a month
See deployment and installation and update management for full details.

Terminology

A tenant is your organization’s Grunt account — the top-level entity where users and licenses are managed. When IT asks about “setting up a tenant,” this means creating an organizational account, signing a contract, and getting a login where license managers can add users.
The Content Library is the top-level feature that provides access to both the Grunt Library (built-in templates and assets) and Content Distribution (your organization’s shared templates, logos, and images). In the Grunt ribbon, this appears as Library.

System requirements

32-bit support is being phased out. The 32-bit installer has been removed from the main download page. Organizations still requiring a 32-bit build for exceptional cases can contact support for a direct download link to the current stable 32-bit release. Once the migration to .NET 9 is complete, 32-bit support will be fully discontinued.
Grunt does use additional memory while running as a COM add-in. The increase is modest under normal use. If you observe significant RAM increases (e.g., PowerPoint memory doubling or more), this may indicate an issue — contact support with your Grunt version, number of objects in the presentation, and system specifications.

Certifications and compliance

We are currently in the process of obtaining ISO certification. In the meantime, we comply with many of the requirements in the standard and work according to process descriptions prepared based on these standards.
We follow the regulations applicable to the business based on the geographical areas we operate in. As a Norwegian company, we comply with Norwegian laws and norms for good business practice.
Yes. We have routines for notification of deviations to the Norwegian Data Protection Authority in accordance with applicable regulations.
Yes. We give clients the opportunity to carry out independent audits of our information security and assist with external audits as required. The frequency and scope of audits are assessed on a business basis.