How do we test the resilience of GRiT services? Penetration tests and customer data protection

What does cloud service security and customer data protection entail in the daily operation of digital systems | GRiT

Main photo for this article.

Digital services today ensure the operation of key company processes. The flow of data, documents and information between systems occurs automatically and in large volumes. But how does a company know that these services are truly secure and that sensitive internal data cannot escape? For companies such as Rohlík, Alza, 4HOME or Bosonožka, this question is crucial, and for this reason they chose GRiT as their partner.

At GRiT, we approach security as an area that is continuously managed, which is reflected in the design, development and operation of our services. One of the tools we use to regularly verify their resilience is penetration tests carried out by external specialists.

Lukáš Portl, Head of Development at GRiT , who has been in charge of development and security for a long time, talks about how testing is carried out and how we work with its results.

What are penetration tests and what are they for?

Penetration tests are essentially simulated attacks on a system ,” explains Lukáš Portl. “ They are carried out by a specialized external company or certified ethical hackers, whose goal is to penetrate the service in the same way that a real attacker would try to do it.

The purpose of testing is to uncover vulnerabilities before they can be exploited by an outsider . These include technical flaws in implementation, as well as errors in configuration, access settings, or application logic.

Safety as part of risk management

Penetration testing is not a one-time activity at GRiT. “Security has long been one of the highest priorities for the management of GRiT,” explains Portl. “ At the same time, it is a necessary part of the ISO/IEC 27001 certification , which we have held for more than 10 years and regularly renew. Without systematic testing, it would not be possible to meet this standard .”

Security in this sense means not only trying to eliminate risks, but also being able to identify, evaluate and manage them . Regular testing allows you to verify whether the measures taken correspond to current threats and whether the services will withstand non-standard situations.

This approach is also important from the perspective of customers, who increasingly need to prove that their supplier works with data systematically and in accordance with applicable legislation. Especially in the context of the new Cybersecurity Act , which transposes the requirements of the NIS2 Directive into the Czech legal framework, there is increasing emphasis on demonstrable security and risk management by digital service providers.

How penetration tests are carried out in GRiT and what risks are most often revealed during the tests

Penetration tests at GRiT are conducted annually and concern all key services that customers use – ORiON (electronic data interchange EDI) , LOKiA WMS (warehouse system) and iNVOiCE FLOW (document automation system) .

Testing is non-destructive and takes place off-peak, typically in the evenings or on weekends. There are no DDoS attacks and no interference with customer data.

" If a weakness is encountered during testing where further action could jeopardize the stability of the service or data, that part is stopped ," Portl emphasizes. " We primarily focus on vulnerabilities defined in the OWASP Top 10. These include authentication errors, SQL injection or XSS attacks, incorrect permission settings or data access ," he explains.

In addition to technical vulnerabilities in GRiT, penetration tests often help to uncover errors in application logic. Typically, this can be situations where a user can perform an operation that they should not have access to at all, based on their role or permissions.

From findings to correction

The output of penetration tests is a detailed report in which the identified risks are divided by severity. Each finding is internally evaluated and reflected in specific steps - either in the form of immediate correction or as part of planned adjustments in development.

Testing gives us feedback that we use to improve security over the long term, whether in code, architecture, or processes ,” concludes Portl.

This year, penetration tests were conducted in February 2026 and the systems ran stably and without downtime. The testing identified several vulnerabilities, the occurrence of which is common in this type of verification. The findings are gradually being addressed as part of the follow-up corrective measures, which are reflected in further adjustments to the development and operation of services.

Cloud, continuity and preparedness for crisis scenarios

GRiT operates its services on Amazon Web Services (AWS) and Microsoft Azure , platforms that meet strict international standards including ISO/IEC 27002 , PCI-DSS and other security frameworks, ensuring that customer data is protected from risks associated with illegal activity, physical access and natural threats.

The service design includes geographically redundant backup and high availability even in the event of a regional data storage outage. All components are continuously monitored using PRTG monitoring , which is independent of the cloud platforms themselves.

Security is closely linked to operational continuity and preparedness for crisis situations. The availability of our services is a key indicator of reliability for us, and we have maintained it at 99.8% for a long time. Thanks to stable operation and an emphasis on prevention, we rarely experience major outages. GRiT has developed and regularly tested procedures for service recovery and incident management. These scenarios are verified annually - from the availability of backups to technical recovery and cooperation with suppliers. Service recovery is set to be possible within 14 hours of the moment of detection of an outage.

Safety as a long-term commitment

Security at GRiT is based on system, verification, people and preparedness. We are not saying that risks do not exist – we are saying that we can name them, manage them and continuously reduce them. And most importantly, that we do it in the long term, in a clear way and with respect for what is most important: the trust of our clients.

Are you dealing with invoice approval?

30 minutes, no obligation. We will show you how iNVOiCE FLOW fits into your ERP.

You might also like

Mandatory e-invoicing in Slovakia from January 1, 2027: what is a digital postman?

How will receiving and sending e-invoices work in Slovakia? Learn about the role of the digital postman | GRiT

Why doesn't headquarters see costs on time? Late invoices from branches distort closings and decision-making

Invoices from branches can distort costs and cash flow planning. Find out how to unify their circulation | GRiT

Is your retail business growing? Then you may also have a growing problem that you don't see yet.

EDI creates a unified communication infrastructure for suppliers. Gain control over data and grow your business | GRiT