← Back to home

Security

Last updated May 27, 2026

Nonprofits trust us with grant pipelines, budgets, receipts, and donor-adjacent data. This page summarizes how 4granted protects that information.

Encryption

  • In transit: TLS 1.2+ for all traffic between users, our edge, and our backend.
  • At rest: AES-256 encryption for the database and uploaded documents.
  • Secrets: API keys and integration tokens stored in an encrypted secret manager, never in source control.

Access controls

  • Row-Level Security (RLS): every database table enforces workspace isolation at the database layer — not just in app code.
  • Role-based access: Owner, Admin, Editor, and Member roles with least-privilege defaults.
  • Authentication: email + password with strong password requirements, plus Google sign-in. Sessions use secure short-lived tokens with refresh rotation.
  • Server-side authorization: plan and role checks re-validated on every server request — never trusted from the client.

Payments (PCI scope)

All card data is handled by Stripe (PCI DSS Level 1). 4granted never sees or stores card numbers, CVCs, or full bank details. We only store a Stripe customer identifier and a tokenized payment method reference.

Infrastructure

  • Application hosted on Cloudflare's global edge network with built-in DDoS protection.
  • Database and file storage on Supabase (AWS, US region).
  • Automated daily database backups with point-in-time recovery.
  • All admin access to production requires SSO + multi-factor authentication.

Data handling

  • Customer data is logically segregated per workspace and never shared between organizations.
  • Uploaded documents are stored in access-controlled buckets readable only by workspace members with permission.
  • AI prompts and document excerpts sent to model providers are not used to train their models — see our AI Disclosure.

Vulnerability management

  • Continuous dependency scanning and automated patching for known CVEs.
  • Automated security scans on every deploy covering RLS coverage, exposed endpoints, and policy correctness.
  • Responsible disclosure program — report issues to security@4granted.app.

Incident response

We maintain a documented incident response process. In the event of a confirmed breach affecting customer data, we will notify affected workspace owners within 72 hours with the scope, impact, and remediation steps taken.

Subprocessors & DPA

See our Subprocessors list. A Data Processing Agreement (DPA) is available on request — email team@4granted.app.

Contact

Security questions, vendor reviews, or disclosure reports: security@4granted.app.