Security - GRANTED Security Practices & Data Protection

Last updated: January 15, 2025

1. Our Security Commitment

At GRANTED, we take the security of your data seriously. We are committed to implementing industry-standard security measures to protect your information, maintain the integrity of our platform, and ensure the confidentiality of your grant applications and sensitive data.

Our security practices are continuously reviewed and updated to address emerging threats and maintain compliance with applicable regulations, including GDPR, CCPA, and other data protection laws.

2. Data Protection & Encryption

We employ multiple layers of encryption to protect your data both in transit and at rest:

Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security) 1.2 or higher. This ensures that your information cannot be intercepted or read by unauthorized parties during transmission.
Encryption at Rest: Sensitive data stored in our databases is encrypted using industry-standard encryption algorithms. This protects your information even if our storage systems are compromised.
Password Security: All passwords are hashed using bcrypt with a salt factor of 10. Passwords are never stored in plain text, and we cannot retrieve your original password.
Secure Storage: We use secure, encrypted storage systems with regular backups to ensure data availability and integrity.

3. Authentication & Access Control

We provide multiple secure authentication methods to protect your account:

Email/Password Authentication: Secure password-based login with strong password requirements (minimum 8 characters, including uppercase, lowercase, numbers, and special characters).
Magic Links: Passwordless authentication via secure, time-limited email links that expire after 15 minutes.
OAuth Providers: Sign in securely using Google or GitHub accounts, leveraging their robust authentication systems.
Two-Factor Authentication (2FA): Add an extra layer of security to your account using authenticator apps (TOTP) or email-based one-time passwords. We strongly recommend enabling 2FA for enhanced account protection.
Session Management: All sessions are securely managed with automatic expiration and can be revoked at any time. Sessions are invalidated when you change your password or enable 2FA.

We implement role-based access control (RBAC) to ensure that users only have access to the data and features appropriate for their role and permissions.

4. Data Privacy & Compliance

We are committed to protecting your privacy and complying with applicable data protection regulations:

GDPR Compliance: We comply with the General Data Protection Regulation (GDPR) and respect your rights regarding your personal data, including the right to access, rectify, erase, and port your data.
Data Minimization: We only collect and process the data necessary to provide our services and improve your experience.
Data Retention: We retain your data only as long as necessary for the purposes stated in our Privacy Policy. Inactive accounts may be deleted after 2 years of inactivity.
User Rights: You have the right to access, export, correct, or delete your personal data at any time through your account settings or by contacting us directly.
Data Processing Transparency: We clearly communicate what data we collect, how we use it, and who we share it with in our Privacy Policy.

5. Security Measures & Monitoring

We implement comprehensive security measures to protect our platform and your data:

Rate Limiting: We implement rate limiting on all API endpoints and authentication attempts to prevent abuse and protect against brute-force attacks.
API Security: External API access requires secure API keys with scoped permissions. API keys are hashed and stored securely, and can be revoked at any time.
Audit Logging: We maintain comprehensive audit logs of all security-relevant activities, including login attempts, permission changes, and administrative actions. These logs help us detect and respond to security incidents.
Regular Security Audits: We conduct regular security reviews and audits of our systems, code, and infrastructure to identify and address potential vulnerabilities.
Security Monitoring: We continuously monitor our systems for suspicious activity, unauthorized access attempts, and potential security threats.
Dependency Management: We regularly update our dependencies and apply security patches promptly to address known vulnerabilities.

6. Incident Response

In the event of a security incident, we have established procedures to respond quickly and effectively:

Detection & Assessment: We continuously monitor for security incidents and assess their scope and severity immediately upon detection.
Containment: We take immediate steps to contain any security incident, including isolating affected systems and revoking compromised credentials.
Investigation: We thoroughly investigate all security incidents to understand the cause and impact.
Remediation: We take appropriate steps to eliminate threats and patch vulnerabilities.
Notification: If a security incident affects your data, we will notify affected users and relevant authorities as required by law.
Continuous Improvement: We learn from each incident and update our security measures accordingly.

7. Reporting Security Vulnerabilities

We take security vulnerabilities seriously and appreciate the security research community's efforts to help keep our platform secure. If you discover a security vulnerability, please report it to us responsibly:

Email us at security@grantedtech.ca with details about the vulnerability
Please provide a clear description of the vulnerability and steps to reproduce it
Allow us reasonable time to address the vulnerability before disclosing it publicly
Do not access or modify data that does not belong to you, and do not perform any actions that could harm our users or services

We will acknowledge receipt of your report within 48 hours and work with you to understand and resolve the issue. We appreciate your responsible disclosure and may recognize security researchers who help improve our security.

8. Best Practices for Users

While we implement robust security measures, you also play an important role in keeping your account secure:

Use Strong Passwords: Create a unique, strong password for your GRANTED account. Use a combination of uppercase and lowercase letters, numbers, and special characters.
Enable Two-Factor Authentication: Add an extra layer of security by enabling 2FA on your account. This significantly reduces the risk of unauthorized access.
Keep Your Credentials Secure: Never share your password or authentication codes with anyone. GRANTED staff will never ask for your password.
Be Cautious of Phishing: Be wary of emails or messages claiming to be from GRANTED that ask for your credentials or personal information. Always verify the sender and check the URL before entering your credentials.
Review Account Activity: Regularly review your account activity and session history. If you notice any suspicious activity, change your password immediately and contact us.
Keep Software Updated: Keep your browser and operating system updated with the latest security patches.
Log Out When Finished: Always log out of your account when using shared or public computers.

9. Contact Us

If you have any questions, concerns, or need to report a security issue, please contact us:

Security Issues: security@grantedtech.ca
General Privacy Concerns: justina@grantedtech.ca

We are committed to maintaining the highest standards of security and will respond to your inquiries promptly.