Security

AutoGrant handles sensitive information about your organization, your funders, and your strategy. We take that seriously, and we'd rather tell you exactly what we do today than make claims we can't back up.

Where we are today

• Transport encryption. All traffic to and from the product runs over TLS 1.2+.
• At-rest encryption. Database and file storage are encrypted at rest using our cloud provider's managed keys.
• US data residency. All infrastructure runs in the United States by default.
• Least-privilege access. Production access is restricted to a small number of operators, scoped per task, and logged.
• Human-in-the-loop. AutoGrant never submits a proposal without your explicit sign-off, on any autonomy setting. The pre-submission checkpoint is enforced in five separate places in the system and is not configurable.

What we don't claim

We're an early-stage company. We are not currently SOC 2, HIPAA, FedRAMP, or PCI certified. We don't claim compliance we haven't earned. If your organization needs a specific certification before working with us, raise it on the first call. We'll tell you honestly where we stand and what the path looks like.

Reporting a vulnerability

If you believe you've found a security issue, please email chris@centerednetworks.com with a description and steps to reproduce. We'll acknowledge within two business days and keep you in the loop on the fix.

Please give us a reasonable window to investigate and patch before public disclosure. We won't pursue good-faith researchers who follow responsible disclosure.

Subprocessors

AutoGrant runs on commercial cloud infrastructure and uses a small number of vendors for things like email delivery and analytics. A current list is available on request from chris@centerednetworks.com.

Questions

Security questions from prospective design partners are welcome and encouraged. Email chris@centerednetworks.com and we'll get on a call.