Security & Trust

Security is foundational to
everything we build.

We take the security of your data and our infrastructure seriously. Security is built into every layer of the Grantiva platform -- from encryption and access controls to incident response. Here's how we keep the platform safe.

Encryption

Data protection at every layer

AES-256

Data at Rest

All stored data is encrypted with AES-256. Database volumes, backups, and cached data are encrypted at the storage layer.

TLS 1.3

Data in Transit

All traffic between clients and Grantiva servers uses TLS 1.3. SDK communications, API calls, and dashboard sessions are all encrypted in transit.

Per-Tenant Keys

Key Management

Each tenant has isolated encryption keys for JWT signing. Keys are rotated regularly and never exposed in API responses or logs.

Infrastructure

Isolated, monitored, and resilient

Grantiva runs on Railway with isolated containers, encrypted database connections, and continuous monitoring. Our infrastructure is designed for reliability and security from the ground up.

Isolated containers

Each service runs in its own container with no shared resources between tenants at the infrastructure level.

PostgreSQL with encrypted connections

Database connections use TLS encryption. Data is encrypted at rest on the storage volume.

Redis with TLS

In-memory cache and session storage use encrypted connections. Session data is scoped per tenant.

Automated backups

Regular database backups with point-in-time recovery. Backups are encrypted and stored separately.

Infrastructure StackOperational
Application ServerSwift + Vapor
healthy
DatabasePostgreSQL 16
healthy
CacheRedis 7
healthy
HostingRailway
healthy
PaymentsStripe
healthy

Authentication & Access

Multiple layers of verification

Apple App Attest

Hardware-backed device verification using Apple's secure enclave. Cryptographic proof that attestation requests come from genuine devices running your unmodified app.

Bcrypt Password Hashing

Dashboard account passwords are hashed using bcrypt with appropriate cost factors. Plaintext passwords are never stored or logged.

Session-Based Auth

Dashboard sessions use secure, httpOnly cookies with CSRF protection. Sessions are server-side and scoped to the authenticated tenant.

Role-Based Access Control

Organization members have assigned roles that control access to features, settings, and data within the dashboard.

Incident Response

Prepared for when things go wrong

We maintain a structured incident response process with clear severity levels and response commitments.

Critical1 hour response

Complete service outage, data breach, or security vulnerability actively being exploited.

High4 hours response

Significant degradation affecting multiple tenants, potential data exposure, or partial service failure.

Medium24 hours response

Non-critical functionality impaired, performance degradation, or isolated tenant impact.

Low72 hours response

Minor issues, cosmetic defects, or informational security findings with no immediate risk.

Every incident is followed by a post-incident review with root cause analysis (RCA). Findings are documented and used to improve our systems and processes.

Compliance

Compliance roadmap

We are building toward industry certifications while maintaining compliance with current privacy regulations.

GDPR

Compliant

Data minimization, right to erasure, data portability, and lawful basis for processing. EU data subjects can exercise all rights.

CCPA

Compliant

Right to know, delete, and opt-out for California residents. We do not sell personal information.

SOC 2 Type II

Planned

Trust service criteria for security, availability, and confidentiality. Audit engagement planned.

ISO 27001

Planned

Information security management system certification. ISMS framework development in progress.

Responsible Disclosure

Found a vulnerability?

We take security reports seriously. If you've discovered a vulnerability in Grantiva, please report it responsibly and we'll work with you to resolve it.

Report a vulnerability

security@grantiva.io

What to include

A clear description of the vulnerability, steps to reproduce, potential impact, and any suggested fixes. We will acknowledge receipt within 24 hours.

Bug bounty

A formal bug bounty program is planned. In the meantime, we appreciate and acknowledge all valid security reports.

For details on what data we collect and how we handle it:

View Privacy Policy