Just a small comment on your site: it shows examples of legal processes, and HR records, including people's pay.
I understand this is just an example, but anyone who wants to actually use it for that is going to want a lot more marketing collateral up front explaining how this very sensitive data is going to be locked down.
Grist has access rules which give the document owners the ability to set rules that limit who can see or edit what, down to each table, column, or cell. Rules can be based on user attributes, including attributes defined by the document owner (e.g. roles within a company), and based on values in cells (e.g. if a row's boolean field is true or false).
Thanks - I'm sure those exist, but I just meant from a first impressions from your website perspective.
On the document thing - this is still a little tricky, as e.g. IT should probably be in charge of assigning permissions, but they shouldn't be able to see salaries.
Not access controls by the user team governing the team, access controls governing you. For instance, most companies that "take your security very seriously" but also provide support let themselves browse customer data.
Here's a strong form to help threat model: are you warrant-proof?
If authorities demand customer data, can you give it to them?
In general, if the answer is yes, then not just the government warrants but your own insider threat is also a threat to your customers.
But as most companies will be putting data in a spreadsheet that has laws around it whether they consider themselves "regulated" or not, all firms should be interested in the warrant-proof answer.
this is a strange comment on a link to a github repo with extensive documentation, including a dedicated guide on how to set up self hosting: https://support.getgrist.com/self-managed/
I understand this is just an example, but anyone who wants to actually use it for that is going to want a lot more marketing collateral up front explaining how this very sensitive data is going to be locked down.