Trust Center

Security & trust at GrantPilot

This page documents how we protect the data nonprofits and grant-seeking teams entrust to us. It is maintained as a living record — the claims below map to specific controls in our codebase and infrastructure. If you need something we don't cover, email security@grantpilot.dev.

Last reviewed: April 16, 2026

Security controls

Encryption in transit

All customer traffic is served over TLS 1.2 or later, and HSTS is enabled so returning browsers refuse to connect over plaintext HTTP. Internal service-to-service calls use authenticated HTTPS.

Encryption at rest

Database volumes are encrypted at the storage layer with provider-managed keys. Sensitive PII fields on student profiles are additionally encrypted application-side with AES-256-GCM before they are written, so a copy of the database alone does not expose them.
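The following is an added illustration, not GrantPilot's code, of the shape such application-side field encryption takes in TypeScript with Node's crypto module. The envelope layout, the fieldAad helper and the table and column names are assumptions; the point it adds to the sentence above is the two details that make AES-GCM safe in practice: a fresh random nonce per write, and associated data that ties each ciphertext to the row it belongs to.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";
import { Buffer } from "node:buffer";

// Added example, not GrantPilot's code. Envelope layout (an assumption):
//   "v1." + base64url( iv[12] || ciphertext || tag[16] )
// The version prefix lets a later key or format change coexist with old rows.
const VERSION = "v1";
const IV_BYTES = 12;  // 96-bit GCM nonce; random nonces are safe for ~2^32 messages per key, so rotate keys well before that
const TAG_BYTES = 16;

// Associated data binds a ciphertext to its storage location (table, column and row
// names are assumed). A value copied from another row or column then fails the tag
// check instead of silently decrypting to someone else's PII.
export function fieldAad(table: string, column: string, rowId: string): Buffer {
  return Buffer.from(`${table}.${column}:${rowId}`, "utf8");
}

export function encryptField(plaintext: string, key: Buffer, aad: Buffer): string {
  if (key.length !== 32) throw new Error("AES-256-GCM needs a 32-byte key");
  const iv = randomBytes(IV_BYTES);  // fresh nonce per write; never derive it from the row
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return `${VERSION}.${Buffer.concat([iv, ciphertext, tag]).toString("base64url")}`;
}

export function decryptField(blob: string, key: Buffer, aad: Buffer): string {
  const dot = blob.indexOf(".");
  if (dot < 0 || blob.slice(0, dot) !== VERSION) throw new Error("unknown envelope version");
  const raw = Buffer.from(blob.slice(dot + 1), "base64url");
  if (raw.length < IV_BYTES + TAG_BYTES) throw new Error("ciphertext too short");
  const iv = raw.subarray(0, IV_BYTES);
  const tag = raw.subarray(raw.length - TAG_BYTES);
  const ciphertext = raw.subarray(IV_BYTES, raw.length - TAG_BYTES);
  const decipher = createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  // final() throws on tag mismatch: tampered bytes, a wrong key or a wrong AAD all fail
  // here, and the caller receives nothing until the tag has been checked.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}
```

The key itself should come from a secrets manager or KMS rather than the database, otherwise the application-side layer adds nothing over volume encryption.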

Audit logging

Authentication events, account deletions, data exports, billing lifecycle events, and organization membership changes are recorded to an append-only audit log, and customers can review their own trail from the dashboard. Audit rows reference the acting user through a foreign key declared ON DELETE SET NULL, so closing an account nulls that reference instead of cascading the deletion to the log, and forensic review is not foiled by account closure.

Access control

Every API route enforces row-level authorization: the resource is fetched with an ownership check against the session's user ID before any mutation is applied. Admin access to production is limited to named engineers and requires MFA.
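An added TypeScript example (not the GrantPilot codebase) of the ownership-check pattern described above, with the unsafe variant beside it. The in-memory store, the application table shape and the ids are constructed stand-ins; the two things worth noticing are that the owner id sits inside the lookup predicate itself, and that a foreign row and a missing row produce the same 404.

```typescript
// Added example, not GrantPilot's code. The store is a constructed in-memory stand-in
// for the applications table; its columns and the ids are assumptions.
type Application = { id: string; ownerId: string; title: string };
type Session = { userId: string };
type Result = { status: 200; body: Application } | { status: 401 | 404 };

export class ApplicationStore {
  private rows = new Map<string, Application>();
  constructor(seed: Application[]) {
    for (const row of seed) this.rows.set(row.id, row);
  }
  // Equivalent of SELECT ... WHERE id = $1 : no ownership in the predicate.
  getById(id: string): Application | undefined {
    return this.rows.get(id);
  }
  // Equivalent of SELECT ... WHERE id = $1 AND owner_id = $2 : the authorization
  // decision is part of the lookup, so there is no separate check to forget.
  getOwned(id: string, ownerId: string): Application | undefined {
    const row = this.rows.get(id);
    return row !== undefined && row.ownerId === ownerId ? row : undefined;
  }
  setTitle(id: string, title: string): Application {
    const row = this.rows.get(id);
    if (row === undefined) throw new Error("row vanished between fetch and update");
    const updated = { ...row, title };
    this.rows.set(id, updated);
    return updated;
  }
}

// VULNERABLE: authenticates the caller but never checks that the row is theirs, so any
// logged-in user who guesses or enumerates an id can rename someone else's application.
export function renameApplicationVulnerable(store: ApplicationStore, session: Session | null, id: string, title: string): Result {
  if (session === null) return { status: 401 };
  const row = store.getById(id);
  if (row === undefined) return { status: 404 };
  return { status: 200, body: store.setTitle(id, title) };
}

// HARDENED: the row is fetched with the session's user id in the predicate. A foreign row
// and a missing row both yield 404, so the response does not confirm that the id exists.
export function renameApplication(store: ApplicationStore, session: Session | null, id: string, title: string): Result {
  if (session === null) return { status: 401 };
  const row = store.getOwned(id, session.userId);
  if (row === undefined) return { status: 404 };
  return { status: 200, body: store.setTitle(row.id, title) };
}

// Constructed fixture: two users, one application each.
export function seedStore(): ApplicationStore {
  return new ApplicationStore([
    { id: "app-alice", ownerId: "user-alice", title: "Youth literacy grant" },
    { id: "app-bob", ownerId: "user-bob", title: "Food bank expansion" },
  ]);
}
```

With a real database the same idea is a single `WHERE id = $1 AND owner_id = $2` (or the equivalent row-level security policy), so the check cannot drift out of sync with the fetch.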

Infrastructure hardening

Outbound URL fetching is SSRF-resistant (destinations in private CIDR ranges are blocked), state-changing requests are protected by CSRF origin validation, Stripe webhooks are processed only after their signatures are verified, and cron endpoints are authenticated with a shared secret.
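An added example, not from the GrantPilot codebase, of a private-CIDR check of the kind the SSRF item describes, written in TypeScript for Node. The blocklist contents and the function names are assumptions. It goes a little beyond a bare IPv4 list because that is where such checks usually fail: it classifies IPv6, IPv4-mapped and NAT64 addresses, rejects anything that is not a well-formed IP literal, and judges every address the hostname resolves to rather than the URL string.

```typescript
import { isIP } from "node:net";
import { lookup } from "node:dns/promises";

// Added example, not GrantPilot's code. These are the usual private and special-use
// ranges; the exact list a deployment needs is a policy decision.
const BLOCKED_V4 = [
  "0.0.0.0/8",       // "this network"
  "10.0.0.0/8",      // RFC 1918
  "100.64.0.0/10",   // shared address space (CGNAT)
  "127.0.0.0/8",     // loopback
  "169.254.0.0/16",  // link-local, including cloud metadata endpoints
  "172.16.0.0/12",   // RFC 1918
  "192.168.0.0/16",  // RFC 1918
  "224.0.0.0/4",     // multicast
  "240.0.0.0/4",     // reserved and broadcast
];

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

function isBlockedIpv4Int(addr: number): boolean {
  return BLOCKED_V4.some((cidr) => {
    const [base, bits] = cidr.split("/");
    const mask = (0xffffffff << (32 - Number(bits))) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Expand a valid IPv6 literal into its eight 16-bit groups, including an embedded IPv4 tail.
function parseIpv6(ip: string): number[] | null {
  let text = ip;
  const lastColon = text.lastIndexOf(":");
  const tail = text.slice(lastColon + 1);
  if (tail.includes(".")) {
    if (isIP(tail) !== 4) return null;
    const v4 = ipv4ToInt(tail);
    text = `${text.slice(0, lastColon + 1)}${(v4 >>> 16).toString(16)}:${(v4 & 0xffff).toString(16)}`;
  }
  const halves = text.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] === "" ? [] : halves[0].split(":");
  const rest = halves.length === 2 && halves[1] !== "" ? halves[1].split(":") : [];
  const missing = 8 - head.length - rest.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array<string>(missing).fill("0"), ...rest].map((h) => parseInt(h, 16));
  return groups.some((g) => !Number.isInteger(g) || g < 0 || g > 0xffff) ? null : groups;
}

function isBlockedIpv6(g: number[]): boolean {
  const zeroPrefix = (n: number) => g.slice(0, n).every((h) => h === 0);
  const embeddedV4 = ((g[6] << 16) | g[7]) >>> 0;
  // Forms that carry an IPv4 address are judged by that address: ::ffff:a.b.c.d (IPv4-mapped),
  // 64:ff9b::a.b.c.d (NAT64) and the deprecated ::a.b.c.d, which also covers :: and ::1
  // because 0.0.0.0 and 0.0.0.1 both fall inside 0.0.0.0/8.
  if (zeroPrefix(5) && g[5] === 0xffff) return isBlockedIpv4Int(embeddedV4);
  if (g[0] === 0x64 && g[1] === 0xff9b && g.slice(2, 6).every((h) => h === 0)) return isBlockedIpv4Int(embeddedV4);
  if (zeroPrefix(6)) return isBlockedIpv4Int(embeddedV4);
  if ((g[0] & 0xfe00) === 0xfc00) return true;  // fc00::/7 unique local
  if ((g[0] & 0xffc0) === 0xfe80) return true;  // fe80::/10 link-local
  if ((g[0] & 0xff00) === 0xff00) return true;  // ff00::/8 multicast
  return false;
}

export function isBlockedAddress(ip: string): boolean {
  const family = isIP(ip);
  if (family === 4) return isBlockedIpv4Int(ipv4ToInt(ip));
  if (family === 6) {
    const groups = parseIpv6(ip);
    return groups === null ? true : isBlockedIpv6(groups);
  }
  return true;  // not a well-formed literal ("127.1", "0x7f000001", ...): fail closed
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

export type UrlVerdict = { ok: true; url: URL } | { ok: false; reason: string };

// Pure check over an already-resolved address list, so it is testable without DNS.
// Every record must pass: a name with one public and one private record is rejected.
export function checkOutboundUrl(rawUrl: string, resolvedAddrs: string[]): UrlVerdict {
  const url = parseUrl(rawUrl);
  if (url === null) return { ok: false, reason: "unparseable URL" };
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username !== "" || url.password !== "") return { ok: false, reason: "credentials in URL" };
  if (resolvedAddrs.length === 0) return { ok: false, reason: "hostname did not resolve" };
  const bad = resolvedAddrs.find(isBlockedAddress);
  if (bad !== undefined) return { ok: false, reason: `resolves to blocked address ${bad}` };
  return { ok: true, url };
}

// Resolve, then check. Caveats for the HTTP client that follows: connect to one of the
// addresses checked here (or re-check at connect time), otherwise a DNS-rebinding server
// can answer differently on the second lookup; and never follow redirects automatically,
// since a 3xx to an internal host would bypass this check entirely.
export async function resolveAndCheck(rawUrl: string): Promise<UrlVerdict> {
  const url = parseUrl(rawUrl);
  if (url === null) return { ok: false, reason: "unparseable URL" };
  const host = url.hostname.replace(/^\[|\]$/g, "");  // URL keeps IPv6 literals bracketed
  let addrs: string[] = [];
  try {
    addrs = (await lookup(host, { all: true })).map((a) => a.address);
  } catch {
    // NXDOMAIN or resolver failure: leave addrs empty and let checkOutboundUrl reject
  }
  return checkOutboundUrl(rawUrl, addrs);
}
```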
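A second added example, also not GrantPilot's code, for the webhook and cron items in the same paragraph: verifying a Stripe-style signature header and a cron shared secret in constant time. The secret values and the payload are constructed. In production the Stripe SDK's constructEvent performs these checks; spelling them out shows what a hand-rolled shared-secret check has to get right (raw body, timestamp tolerance, rotation, constant-time compare, fail-closed on a missing secret).

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Added example, not GrantPilot's code.
const DEFAULT_TOLERANCE_S = 300;

// Constant-time comparison. Length is checked first because timingSafeEqual throws on
// unequal lengths; revealing the length of a hex HMAC or a fixed-size token leaks nothing.
function safeEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

// Stripe's v1 scheme: HMAC-SHA256 over "<timestamp>.<raw body>" with the endpoint secret, hex-encoded.
export function signStripePayload(secret: string, timestampS: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestampS}.${rawBody}`, "utf8").digest("hex");
}

export type SigVerdict = { ok: true } | { ok: false; reason: string };

// rawBody must be the exact bytes received: re-serialising parsed JSON changes the digest.
export function verifyStripeSignature(rawBody: string, header: string, secret: string, nowS: number, toleranceS = DEFAULT_TOLERANCE_S): SigVerdict {
  const fields = new Map<string, string[]>();
  for (const kv of header.split(",")) {
    const eq = kv.indexOf("=");
    if (eq < 0) continue;
    const key = kv.slice(0, eq).trim();
    fields.set(key, [...(fields.get(key) ?? []), kv.slice(eq + 1).trim()]);
  }
  const t = Number(fields.get("t")?.[0]);
  const candidates = fields.get("v1") ?? [];  // several v1 values appear while a secret is being rotated
  if (!Number.isInteger(t) || candidates.length === 0) return { ok: false, reason: "malformed Stripe-Signature header" };
  if (Math.abs(nowS - t) > toleranceS) return { ok: false, reason: "timestamp outside tolerance (replay?)" };
  const expected = signStripePayload(secret, t, rawBody);
  return candidates.some((c) => safeEqual(c, expected)) ? { ok: true } : { ok: false, reason: "signature mismatch" };
}

// Cron endpoints: the shared secret is compared in constant time, and an unset or empty
// configured secret never matches, so a missing environment variable fails closed.
export function verifyCronSecret(presented: string | undefined, configured: string | undefined): boolean {
  if (presented === undefined || configured === undefined || configured.length === 0) return false;
  return safeEqual(presented, configured);
}
```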

Incident response

Security incidents are triaged within 24 hours of detection. Material incidents affecting customer data are disclosed to affected customers within 72 hours, matching the 72-hour breach notification window of GDPR Article 33.

Subprocessors

GrantPilot uses the following third-party subprocessors to deliver our service. Each has its own Data Processing Agreement (DPA); links below. We notify customers of material changes to this list at least 30 days before a new subprocessor begins processing personal data.

Subprocessor             Purpose                                                             DPA
Anthropic (Claude API)   AI generation of grant applications and content optimization        View
Supabase                 Primary Postgres database (application records, users, documents)   View
Vercel                   Application hosting, edge compute, CDN                              View
Stripe                   Subscription billing, payment processing, invoicing                 View
Upstash                  Redis-backed rate limiting and application cache                    View
Resend                   Transactional email (alerts, digests, password reset)               View

Compliance posture

We distinguish live commitments from work in progress. A status of "Supported" means a customer can exercise the right today through our product or a documented request process.

  • GDPR Article 15 (access): Supported
  • GDPR Article 17 (erasure): Supported
  • GDPR Article 20 (portability): Supported
  • GDPR Article 33 (breach notification): Policy in place
  • SOC 2 Type I: In progress (target 2026 H2)
  • SOC 2 Type II: Planned (2027)
  • CCPA data subject requests: Supported
  • HIPAA Business Associate Agreement: Not offered

Your data rights

Every GrantPilot user can exercise the following rights. The first three are self-service from account settings with no support ticket required; the last is handled by email:

  • Export — download a JSON archive of your account, organization, applications, documents, and content library.
  • Delete — permanently delete your account and associated data (excluding audit log rows retained for legal compliance).
  • Correct — edit any profile or application record directly in the app.
  • Object / restrict — email privacy@grantpilot.dev to restrict specific processing activities.

Report a security issue

We appreciate responsible disclosure. Email security@grantpilot.dev with reproduction steps and any supporting evidence. We acknowledge reports within two business days and will coordinate disclosure timelines with you.

For customer-specific processing questions, see our Data Processing Agreement.