Grant Officer AI
Security

Your data, protected like it’s our own

You trust us with sensitive documents — tax returns, IDs, financials, and business records. Here’s exactly how we keep them safe, in plain language.

Encrypted everywhere

Everything is protected by TLS in transit and encrypted at rest. On top of that, your most sensitive identifiers — like EIN, tax, and bank numbers — get an extra layer of AES-256-GCM field-level encryption with a key kept separate from the database. A database leak alone can't expose them.

Your private vault

Documents live in a private, per-account vault that is never public. Files are namespaced to your account and can only be opened through short-lived, signed links generated after we confirm the file is yours. Your driver's license, tax returns, and bank statements aren't sitting on a public URL.

Strict access controls

Row-level security is enforced on every table, so your records are technically walled off from every other account — not just hidden in the UI. Our team works under least-privilege access with multi-factor authentication, and no one casually browses your files.

You're in control

Your data is used only to serve your account — we never sell it. You can export a copy or permanently delete your account and documents at any time from Settings, and we honor retention limits and deletion requests.

Hardened & monitored

The app ships with a strict Content-Security-Policy, clickjacking and HSTS protections, rate limiting on sensitive endpoints, upload size and type checks, and audit logging of approvals and account actions. We also run a responsible-disclosure program for security researchers.

What we never do

We never sell or rent your personal information. We never take custody of your grant funds. We never submit an application or share your information without your explicit approval. You stay the applicant of record, always.

Security at a glance

Found a security issue?

We welcome reports from security researchers. Email security@grantofficerai.com — please don’t test against other people’s data. See our security.txt.

No system is perfectly secure, and we don’t claim to be. We combine strong technical controls with clear operating practices and continuously improve them.