Greetly security

Built on trust, designed for peace of mind

Your visitor management system handles sensitive data — from guest identities to employee directories. That’s why Greetly is built with enterprise-grade security practices to protect your people and your information.

Data protection you can count on

Encryption in transit and at rest

All visitor data is encrypted end-to-end using industry best practices.

Role-based access controls

Global Admin, Location Admin, Security, and Employee roles ensure the right level of access for the right people.

Single Sign-On (SSO)

Support for SAML 2.0 providers like Okta and Azure AD ensures secure and seamless authentication.

Directory sync

Automated sync with Azure AD, Google Workspace, and Active Directory reduces risk of outdated records.

Privacy and compliance

GDPR compliant

Greetly is fully GDPR-compliant, giving EU customers confidence in data handling.

Data retention controls

Clients can configure Visitor Log deletion policies or request data purges at any time.

Hosting in the EU and North America

Choose where your data resides, with options that align to your organization’s regional requirements.

Transparency for IT leaders

We know security is a top priority for IT and compliance teams. For detailed documentation, including penetration testing, security reports and policies, please visit our Trust Site for all OfficeSpace companies, including Greetly by OfficeSpace.

For any questions, please contact [email protected].

FAQ

PII and privacy in Greetly

Need to know more about Greetly’s security? Browse our trust center FAQs:

What data does Greetly collect?

Depending on your configuration, which is customizable, you may use Greetly to collect:

  • Visitor and employee names, email addresses, phone numbers, and company details
  • Photos (captured at check-in)
  • Digital signatures on NDAs, waivers, or acknowledgements
  • Configurable ID scanning, including photos
  • Custom fields such as department, citizenship, or clearance level

Where is the data stored?

All PII is securely stored in Greetly’s cloud environment, with hosting options in both the EU and North America to meet regional compliance requirements.

How is visitor data protected?

All data in Greetly is encrypted in transit and at rest, ensuring that sensitive visitor and employee information is protected end-to-end. Greetly also protects visitor PII data with: 

  • Role-based access controls: Only authorized admins can view or export data
  • Audit logs: All check-ins, check-outs, and changes are logged for accountability

How long is Greetly visitor data kept?

Admins can configure data retention policies to automatically delete Visitor Log entries after a set period, or request manual purges at any time.

Does Greetly support Single Sign-On (SSO)?

Yes. Greetly supports SAML 2.0-based SSO with providers such as Okta and Azure AD, allowing secure authentication for employees and admins.

Does Greetly support automated user provisioning (SCIM)?

No. User provisioning is not SCIM-based today. Users can be added manually, uploaded via CSV, or synced via directory integrations such as Azure AD, Active Directory, or Google Workspace.

Can customers choose data residency (EU vs. North America hosting)?

Yes. Greetly offers hosting options in both the European Union and North America, enabling organizations to select where their visitor data is stored to meet regional compliance requirements.

Is Greetly GDPR compliant?

Yes. Greetly is fully GDPR compliant, including configurable data retention, consent messaging, and visitor log deletion to align with EU privacy regulations.

Is Greetly CCPA compliant?

Yes. Greetly aligns with the California Consumer Privacy Act (CCPA) by providing transparency in what data is collected and allowing admins to configure deletion of visitor records or request purges on demand.

How long does Greetly retain PII data?

Retention is fully configurable by admins. You can set Visitor Log deletion policies to automatically remove records after a defined period, or manually purge data at any time.

Does Greetly provide audit logs?

Yes. All visitor check-ins, check-outs, and admin changes are logged for visibility and compliance reviews. These logs can be exported for audits or investigations, and logs can be automatically distributed via email to admins and other stakeholders for on-site visibility. 

What certifications does Greetly hold?

Greetly does not currently publish SOC 2 or ISO 27001 certifications. However, as part of the OfficeSpace family, Greetly follows enterprise-grade security practices and benefits from the same security posture. For detailed documentation and certifications, IT leaders should visit our OfficeSpace Trust Center. 

Is penetration testing performed regularly?

Yes. Regular penetration testing is conducted as part of Greetly’s security program, aligned with OfficeSpace standards.

How are APIs secured (tokens, OAuth, OpenAPI standards)?

Greetly APIs are secured via API keys. The platform also supports OpenAPI 3.1, though custom API integrations beyond Zapier are limited.

Are webhooks supported, and how are they authenticated?

Yes. Greetly supports check-in webhooks that send structured visitor data to external systems via HTTPS POST requests. Webhooks must be explicitly enabled per location.

What protections exist against common vulnerabilities (e.g., OWASP Top 10)?

Greetly applies standard application security practices, including input validation, data encryption, and hardened authentication. For specifics, refer to penetration test results available on the Trust Site.

Does the app run in a hardened cloud environment (AWS, Azure, GCP)?

Yes. Greetly runs in a secure, cloud-hosted environment with hardened infrastructure. Hosting is available in both EU and North America regions.

Does the system support watchlists/blacklists for unwanted visitors?

Yes. Greetly provides both watchlist and blacklist functionality. Watchlisted visitors trigger alerts; blacklisted visitors are prevented from check-in.

Can visitors be screened against internal or external security lists?

Greetly supports internal watchlists/blacklists only. It does not support real-time screening against external databases.

How does badge printing and ID scanning handle PII securely?

Badge printing is limited to essential check-in details. ID scanning is supported for U.S. driver’s licenses only, and only the data fields (not images) are captured and stored securely.

Can visitor agreements (NDAs, safety waivers) be stored securely and exported?

Yes. NDAs and other agreements can be signed digitally during check-in and exported in PDF format from the Visitor Log.

Are emergency evacuation workflows secure and logged?

Yes. Evacuation alerts are sent by SMS and email to employees and visitors. Responses (“I am safe”) are logged and visible to admins for accountability.

Is uptime guaranteed (SLA)?

Greetly operates with high uptime as part of OfficeSpace’s cloud environment. For enterprise clients, uptime commitments can be reviewed with Customer Success.

What is the disaster recovery and business continuity plan?

As part of the OfficeSpace family, Greetly follows established business continuity and disaster recovery processes, ensuring resilience and quick recovery in the event of an outage.

Is customer support available 24/7 for critical security issues?

Yes. Greetly customer support is available 24/7 via email and phone. Critical escalations are routed through OfficeSpace’s support and security teams.

How are vulnerabilities disclosed and patched (responsible disclosure policy)?

Vulnerabilities are managed via OfficeSpace’s security team. Disclosures can be submitted through [email protected] and patches are prioritized based on severity.