ACL GRC: IT & Cloud Security FAQs

Advantages of Adopting the Cloud

ACL GRC is designed to take advantage of the efficiency and accessibility of a cloud based, software-as-a-service (SaaS) delivery model. Our SaaS solution provides organizations with independence and agility along with a low and predictable total cost of ownership (TCO).

For more detailed information, please visit

This model allows a number of benefits:

Deployment decreases from months to days.

ACL™ GRC is designed with the philosophy of “convention over customization,” enabling our customers to immediately leverage configurable “out of the box” functionality vs. relying on heavy customization, complexity, and the overhead costs it brings. Time to value with a SaaS delivery model is significantly lower than with on-premise solutions. This means that implementation times are typically measured in days vs. weeks or months for other solutions.

Powerful and continuously improving functionality.

ACL GRC is enhanced with robust, best practices functionality, and product improvements are delivered on a continuous delivery basis so you don’t need to wait for long release cycles or internal IT resources to use the latest product version. This ensures that the user interface and product features remain modern and up-to-date with business demands.

Low TCO and predictable costs.

The SaaS delivery model takes away large upfront capital or implementation costs, making the ongoing costs much lower and more predictable than legacy on-premise alternatives.

No dependence on IT resources and in-house IT service costs.

ACL GRC does not require new hardware, software, or IT support for initial implementation or ongoing maintenance. Our customers can self-manage and focus on using the application for their business function, leaving the complexities of administrative management, application operation, and maintenance of the infrastructure to our global operations team.

Beautiful and easy-to-use interface.

ACL GRC was designed with usability as our number one priority. Its elegant, interactive, web-based interface means that organizations can start using it quickly.

Integrated risk and control analytics and monitoring.

ACL GRC integrates seamlessly with ACL on-premise desktop (ACL™ Analytics) and server-based risk and control analytics and monitoring (ACL™ Analytics Exchange) solutions, providing an end-to-end GRC technology solution for audit, compliance, finance, IT, and risk management from a single vendor.

Accessible anywhere and from any device.

ACL GRC is easily and immediately accessible to employees spread across multiple locations worldwide from their PC, smartphone, or tablet. ACL GRC mobile application offers support for both iOS and Android. The new Project Manager client has offline capability that allows you to continue to work while disconnected from ACL GRC.


We take security seriously here at ACL. Every organization, person and team using our service expects their data to be secure and confidential. We have built our global business on the trust our customers place in our ability to safeguard their data. Maintaining that trust is our top priority.

What type of security and controls are in place for data centers and sub service organizations that ACL utilizes?

ACL uses industry advanced and mature infrastructure-as-a-service (IaaS) providers to host our SaaS offering from four data center locations globally (United States, Canada, Europe, and Asia). The data centers provide many physical and logical security controls and are compliant with various certifications and third-party attestations, including but not limited to: ISO 27001, PCI DSS Level 1, SSAE-16/ISAE 3402 SOC 1 (previously SAS 70 Type II), SOC 2 & 3, and HIPAA. Below are examples of these controls:

  • User Access
  • Logical Security
  • Data Handling
  • Physical Security
  • Change Management
  • Data Integrity, Availability, and Redundancy
  • Incident Handling

These controls ensure facility and equipment safeguards for areas such as multi-factor access controls, electronic surveillance, intrusion detection systems and environmental safeguards. ACL reviews the certifications and third-party attestations provided by our sub service providers on an on-going basis to attest the services being provided and supplement complementary elements to ACL controls.

Is an SSAE 16 (SOC) audit report available for ACL GRC?

Yes, ACL has a current SSAE 16 (Service Organization Control) report prepared by a third-party auditor. This report is a comprehensive assessment of the internal controls and information security related to the ACL GRC service. Upon request and subject to customer’s execution of ACL standard non-disclosure agreement (NDA), ACL will provide a copy of its current SSAE 16 report.

Do you conduct vulnerability assessments and penetration tests?

In addition to internal security testing, ACL uses third-party independent penetration testing to check ACL GRC for security vulnerabilities. These tests are performed twice per year by an organization specializing in software security, and are used to probe the ACL GRC environment for vulnerabilities, such as cross-site scripting, SQL Injection, session & cookie management, to name a few. ACL ensures exploitable vulnerabilities are resolved in a timely basis based on severity and impact. Subject to NDA, ACL can provide a copy of the most recent penetration test.

What type of security and controls does ACL have in place for ACL GRC?

The ACL GRC control environment is designed to provide confidentiality, availability, and integrity for our SaaS offering. Controls that are annually audited under SSAE-16 include:

  • Change Management
  • Logical Access
  • Data Security
  • Backup and Recovery
  • Problem Management

These controls and their supporting policies provide ACL and our customers with operational assurance.

All customer data is classified and treated as confidential by ACL.

ACL utilizes the “least privilege” principle, which means that account privileges are granted to the lowest level of the user’s essential work requirements, thus greatly minimizing access to the systems and data.

All access to ACL GRC is performed through secure encrypted channels using SSL (HTTPS). TLS1.0 is the minimum supported data transmission encryption protocol.

An independent security assessment provider scans ACL GRC systems and certifies its security on a daily basis.

Where will my data be stored?

ACL GRC is provided from five regions in the United States, Canada, Europe, Australia and Asia in order to provide our customers with options where their data is stored. These options enable our customers to comply with data privacy location requirements.

How do you protect Personally Identifiable Information (PII)?

PII is limited by our customer subscription agreements, sub service organization agreements, corresponding controls, and segregation built into our SaaS design. This ensures that any PII is isolated and protected in ACL GRC and each customer has access to its data only.

Who will have ownership of my data?

You will continue to retain all rights over your data and ACL will not use your data except for the purpose of providing the service you have subscribed to. See our Privacy Policy.

ACL is committed to delivering a world-class customer experience. Our SaaS solutions are designed using architectural best practices, such as request load balancing, fail safe system design, and job isolation. We actively monitor our solutions for availability and performance to a 99.9%+ average uptime.

All regional equipment is fully redundant and data is replicated or backed-up to alternate regional locations in case of failure. In addition to this real-time redundancy, ACL backs up all audit data, including field data and attached documents that are stored in your account within ACL GRC.

To check the real-time performance of ACL GRC, please visit and/or subscribe to updates.

ACL GRC is architected to scale exponentially with no impact to our customers and no need for customers’ IT intervention. This provides the flexibility to grow quickly with your business while maintaining high service levels and optimum response times as activity volume increases.