Security & Privacy
Your data is protected.
Full stop.
GrantComply was built for government, which means security and data isolation aren't afterthoughts. Here's exactly how we protect your jurisdiction's information.
Complete data isolation
Your jurisdiction's data is never visible to any other organization, ever.
Bank-grade encryption
AES-256 encryption at rest. TLS 1.3 in transit. Industry-standard protection.
SOC 2 infrastructure
Hosted on AWS via Supabase: SOC 2 Type 2 certified cloud infrastructure.
Verified access
Government email domains auto-verified. All other accounts manually reviewed.
Data isolation: how it works
Every jurisdiction in GrantComply operates in a completely isolated data environment enforced at the database level using Row Level Security (RLS), the same technology used by financial institutions to separate customer accounts. This means:
- County A can never see County B's data: not grants, not projects, not documents, not anything
- Even GrantComply staff cannot access your data without explicit audit logging
- Data isolation is enforced by the database itself, not just application logic
- There is no configuration error or bug that could expose your data to another jurisdiction
Think of it like separate safe deposit boxes at a bank. The bank operates the vault, but only you hold the key to your box. We operate the platform, but only your jurisdiction can access your data.
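As an added illustration of the database-level isolation described above (this is example SQL written for this page, not GrantComply's own schema or policies), the following shows how a PostgreSQL Row Level Security policy on a Supabase-hosted database restricts every row to the jurisdiction the signed-in user belongs to. The table names `grants` and `jurisdiction_members`, the column `jurisdiction_id`, and the UUID placeholders are assumptions; `auth.uid()` is Supabase's helper that returns the `sub` claim of the caller's JWT.

```sql
-- Example schema (assumed, not GrantComply's): each grant belongs to one jurisdiction.
create table grants (
  id bigint generated always as identity primary key,
  jurisdiction_id uuid not null,
  title text not null
);

-- Example membership table (assumed): which authenticated users belong to which jurisdiction.
create table jurisdiction_members (
  user_id uuid not null,
  jurisdiction_id uuid not null,
  primary key (user_id, jurisdiction_id)
);

-- Turn RLS on; FORCE makes the policy apply even to the table owner,
-- so an application bug that runs as the owner still cannot read across jurisdictions.
alter table grants enable row level security;
alter table grants force row level security;
alter table jurisdiction_members enable row level security;
alter table jurisdiction_members force row level security;

-- A user may only see their own membership rows (prevents enumerating other jurisdictions' members).
create policy members_self_only on jurisdiction_members
  for select
  using (user_id = auth.uid());

-- A user may read or write grant rows only for jurisdictions they are a member of.
-- USING filters reads/updates/deletes; WITH CHECK blocks inserting or moving a row
-- into a jurisdiction the caller does not belong to.
create policy grants_isolation on grants
  for all
  using (
    jurisdiction_id in (
      select jurisdiction_id from jurisdiction_members
      where user_id = auth.uid()
    )
  )
  with check (
    jurisdiction_id in (
      select jurisdiction_id from jurisdiction_members
      where user_id = auth.uid()
    )
  );

-- Verification, to run in a test database: simulate County A's JWT claims and
-- confirm that County B's rows are invisible. The UUIDs are placeholders.
begin;
  set local role authenticated;
  select set_config(
    'request.jwt.claims',
    '{"sub":"<county-a-user-uuid>","role":"authenticated"}',
    true
  );
  -- Expected result: 0, regardless of how many County B rows exist.
  select count(*) from grants
  where jurisdiction_id = '<county-b-jurisdiction-uuid>';
rollback;
```

Two points worth checking when reviewing a setup like this: first, policies must be enabled on every table that holds jurisdiction data (and on any table a policy's subquery reads), because a single table without RLS is readable by any authenticated user; second, Supabase's service-role key bypasses RLS entirely, so server-side code that uses it sits outside this isolation and has to be treated as privileged and audited accordingly.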
Infrastructure & hosting
GrantComply runs on enterprise-grade cloud infrastructure trusted by thousands of organizations worldwide:
- Database: Supabase (PostgreSQL) hosted on AWS us-east-1, SOC 2 Type 2 certified
- Application: Vercel, an enterprise-grade edge network with automatic DDoS protection
- Storage: Supabase Storage, encrypted document storage with signed URLs for secure file access
- Analytics: PostHog, anonymous product analytics and session replay. No PII collected. Data hosted in the US.
- Encryption at rest: AES-256 across all stored data
- Encryption in transit: TLS 1.3 for all data moving between your browser and our servers
Identity verification & access control
We take who gets access to your jurisdiction's workspace seriously:
- Government email verification: Users signing up with a verified .gov email address are automatically approved and gain immediate access
- Manual review for all others: Any signup using a non-government email is held for manual review. Our team verifies the individual against publicly available county and city websites before granting access
- Jurisdiction admin controls: Each jurisdiction has an admin who can manage team members and control who has access to their workspace
- Session security: All sessions are managed via industry-standard JWT tokens with automatic expiration
AI & your data
GrantComply uses OpenAI's API to power grant matching, document analysis, and compliance guidance. Here's what you need to know:
- Your data does not train AI models: Per OpenAI's enterprise API terms, data sent via the API is never used to train or improve their models
- No data sharing between jurisdictions: AI responses are generated fresh for each request; no jurisdiction's data informs another's AI outputs
- Transparent AI logging: Every AI call is logged internally with the feature used, model, and estimated tokens, visible to your account admin
- AI outputs are guidance only: GrantComply AI does not constitute legal or financial advice. All outputs should be reviewed by qualified staff before submission
Data retention & portability
- Your data is yours: All grants, projects, documents, and compliance data can be exported at any time from your account
- Cancellation: Upon cancellation, your data is retained for 90 days to allow for export, then permanently deleted from all systems
- No lock-in: We don't hold your data hostage. You can leave anytime and take everything with you
Frequently asked questions
Who can see our jurisdiction's data?
Only users you authorize within your jurisdiction's workspace. No other jurisdiction, no third party, and no GrantComply staff can access your data without explicit audit logging and your consent.
Is GrantComply HIPAA compliant?
Grant management data does not fall under HIPAA. GrantComply does not process protected health information (PHI). Our infrastructure is SOC 2 Type 2 certified through Supabase/AWS.
Do you sell our data?
Never. Your jurisdiction's data is never sold, shared, or disclosed to any third party. Period. We make money from subscriptions, not from your data.
What happens if there is a data breach?
We would notify all affected jurisdictions within 72 hours of discovery, consistent with standard breach notification requirements. We maintain incident response procedures and conduct regular security reviews.
Where is our data physically stored?
All data is stored in AWS us-east-1 (Northern Virginia) data centers, the same region used by numerous federal agencies and financial institutions. Data does not leave the United States.
Can we get a Business Associate Agreement (BAA)?
GrantComply does not process HIPAA-covered data, so a BAA is not applicable. For Enterprise customers requiring custom data processing agreements, please contact us at security@grantcomply.app.
How do you handle public records requests?
GrantComply is a software tool: your jurisdiction controls and owns all data entered into the platform. Any public records requests related to grant management activities should be directed to your jurisdiction's records officer, not to GrantComply.
Do you conduct security audits?
We conduct regular internal security reviews and rely on our infrastructure providers' (Supabase, AWS, Vercel) independent SOC 2 audits. Enterprise customers may request our security documentation upon signing an NDA.