Security & Trust
Last reviewed: April 21, 2026
Grantrol holds grant records, compliance documents, donor contacts, and financial data for small non-profits. This page is how we show our work on keeping it safe.
Data isolation
Live: Every user-owned row is scoped by auth.uid(). Supabase row-level security enforces this scope on every query. A cross-user read is not possible from the client.
Encrypted at rest + in transit
Live: All network traffic uses TLS 1.2+. Database encryption is provided by Supabase managed storage. Uploaded files are encrypted in Supabase Storage.
Service-role isolation
Live: API routes that use the elevated service role (for operations user-RLS can't serve) require explicit auth + owner-scoped filters on every query.
Security headers
Live: HSTS, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy. Source maps disabled in production.
Automated RLS + auth tests
In progress: Test suite under development. Covers: cross-user reads, service-role-route auth gates, role-based write permissions.
2-factor authentication (TOTP)
Planned: Scheduled for the pre-billing security pass. Supabase supports this natively; UI + enrollment flow needed.
SOC 2 Type I audit
Planned: Planning engagement with a third-party auditor once initial paying customers are onboarded. Type I focus: operating effectiveness of access controls.
Third-party security review
Ongoing: Welcomed at any time. Email security@grantrol.com (or support@grantrol.com) with findings — we respond within 72 hours.
AI quality signal (live)
Every Monday morning we run a regression-test prompt battery against Bogi and store the auto-graded results. This panel updates from the live database so you can see how Bogi is behaving over time.
Who sees your data
Only you and the members of your organization whom you've explicitly added. We do not share your records with other customers, data brokers, advertisers, or any external party except the sub-processors listed in the privacy policy, each of which sees only the data required to perform its specific role.
Inside Grantrol, members of an organization see data scoped to their role (Owner, Admin, Member, Viewer, Accountant). Ownership transfers require explicit owner approval. Viewers cannot edit; Accountants see financial + grant data only.
Incident transparency
Security incidents are logged to our public repository's SESSION_LOG.md with root-cause analysis, remediation steps, and lessons learned. We treat transparency as a feature, not a liability.
If an incident affects your data specifically, we will notify the account owner via email within 72 hours of identification, with a clear description of (a) what happened, (b) what data was involved, (c) what we did, and (d) what you should do.
Responsible disclosure
Found a vulnerability? Email security@grantrol.com (or support@grantrol.com) with:
- A description of the issue
- Steps to reproduce (including any relevant URLs, payloads, or screenshots)
- Your assessment of the impact
We will acknowledge within 72 hours and keep you updated until resolution. We do not currently run a paid bug bounty but publicly credit researchers in our release notes (with your permission).
Please do not: access or modify data that is not yours, run denial-of-service attacks, or publicly disclose findings before coordinated resolution.
Data retention + deletion
You can delete your account and all associated data at any time from Settings → Danger Zone → Delete Account. The request is immediate for your active records; encrypted backups rotate out within 30 days.
Full retention details are in the Privacy Policy, §7.
Infrastructure
- Database + auth + storage: Supabase (managed PostgreSQL, US region)
- Application runtime: Vercel (serverless edge, US region)
- AI processing: xAI (default Grok) or Anthropic (Claude, via toggle)
- Transcription (Field Capture): OpenAI gpt-4o-mini-transcribe
- Email: Resend (transactional only; no marketing)
- Monitoring: Vercel Analytics + Supabase logs
Enterprise questions
Need a DPA, security questionnaire, SOC 2 report, or HIPAA evaluation? Email support@grantrol.com. We can provide a current security questionnaire response and a timeline for any compliance items not yet live.
Contact
security@grantrol.com for security reports.
support@grantrol.com for everything else.