Trust & Security
GrantFounders is built for organizations where funding operations are mission-critical. This page describes our security posture honestly and without inflation.
Last updated: March 19, 2026
GrantFounders is designed around organizational access boundaries, authenticated API access, and controlled proposal state. Our security model is built on the principle that funding-critical work requires predictable, auditable, and organizationally scoped access.
We do not claim certifications we have not completed. We describe our actual controls clearly so that your security and legal teams can make informed decisions about platform use.
Access to the GrantFounders platform is scoped at the organization level. Each organization account maintains its own workspace, project records, and proposal data. Users within an organization are granted access by an administrator, and access can be revoked at any time.
The platform supports role-based controls distinguishing administrative users from standard users within an organization. Data from one organization is not accessible to users of another organization. Logical data separation is enforced at the application layer.
Web access is authenticated via session-based login with signed, server-side session tokens. API access is authenticated via access keys, which are scoped to an organization and can be issued, rotated, and revoked through the account settings interface.
Access keys are hashed before storage. Full key values are shown only at the time of creation and are not recoverable after that point. If a key is lost or compromised, it must be revoked and a new key issued.
We recommend that organizations rotate access keys on a regular schedule and immediately upon suspected compromise. Keys should not be embedded in publicly accessible repositories or client-side code.
All data transmitted between clients and the GrantFounders platform is encrypted in transit using TLS. This applies to web interface traffic, API requests, and webhook communications.
Data at rest is encrypted by our infrastructure provider using industry-standard encryption. Database credentials, API keys for third-party services, and other sensitive configuration values are stored as environment-level secrets and are not hardcoded in application code.
GrantFounders maintains audit logs of significant account and workspace actions, including access key issuance and revocation, proposal state changes, user access changes, and billing events. These logs are associated with the acting user and timestamp.
API usage is logged at the request level, capturing endpoint, timestamp, response status, and access key identifier. Audit log access is available to organization administrators through the account interface. Logs are retained for a minimum of 90 days.
GrantFounders operates on cloud infrastructure maintained by established providers with their own security programs and certifications. Our infrastructure providers maintain controls including physical security, network segmentation, and availability guarantees.
AI processing for proposal generation is handled by third-party language model providers under confidentiality obligations. Proposal content submitted for generation is processed to produce outputs and is not used to train models for other customers. Payment processing is handled by Stripe, which maintains PCI DSS compliance.
All project records, proposal content, pipeline data, and organizational memory are scoped to a single organization and are not accessible across organization boundaries. This applies to both the web interface and the API.
Organization data is logically separated at the application layer using organization-scoped identifiers enforced on every query. There is no shared workspace or cross-organization data access by design.
In the event of a confirmed security incident affecting customer data, GrantFounders will notify affected customers in a timely manner consistent with applicable law and the nature of the incident. Notification will include a description of the incident, the data affected, and the steps taken to address it.
If you believe your account has been compromised or you have observed suspicious activity, contact us immediately at [email protected].
If you discover a potential security vulnerability in the GrantFounders platform, we ask that you report it to us privately before public disclosure. We are committed to investigating all reports promptly and to keeping reporters informed of our progress.
To report a vulnerability, contact: [email protected]. Please include a description of the vulnerability, steps to reproduce it, and any relevant technical details. We will acknowledge receipt within 2 business days.
GrantFounders does not currently hold SOC 2, ISO 27001, FedRAMP, HIPAA, or ITAR certifications. Organizations with formal compliance requirements should evaluate this posture against their specific obligations before deploying the platform in regulated contexts. For enterprise security review requests, contact [email protected].
GrantFounders provides the security and governance controls your organization needs for mission-critical funding work.