Trust & security
Your data, protected
We handle sensitive financial data for startups and investors. Security is not a feature. It is the foundation.
Data Encryption
Your data is encrypted at every stage. At rest, we rely on AES-256 encryption provided by our infrastructure providers. In transit, all connections are secured with TLS 1.3, which protects data moving between your browser and our servers from interception and tampering.
Application Security
Every response includes strict Content Security Policy headers to prevent cross-site scripting and injection attacks. Arcjet Web Application Firewall provides real-time bot detection and threat mitigation. Every API endpoint enforces per-route rate limiting to prevent abuse, and all incoming data is validated against Zod schemas before processing.
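To make the two controls above concrete, here is an added example that is not Grantverse's own code and does not use its configuration: a small TypeScript helper that assembles a strict Content-Security-Policy header value, and a fixed-window rate limiter keyed by client and route that fails closed when a route has no limit configured. The directive list, route names and limit values are illustrative assumptions.

```typescript
// Added example (hypothetical helpers, not Grantverse's implementation).

// A CSP is a set of directives, each with zero or more allowed sources.
export type CspDirectives = Record<string, string[]>;

// Serialise directives into the header value: "name src src; name; ..."
export function buildCspHeader(directives: CspDirectives): string {
  return Object.entries(directives)
    .map(([name, sources]) =>
      sources.length ? `${name} ${sources.join(" ")}` : name,
    )
    .join("; ");
}

// Illustrative strict policy: only same-origin scripts, no plugins,
// no framing by other sites, forms post back to the same origin.
export const strictCsp: CspDirectives = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "frame-ancestors": ["'none'"],
  "form-action": ["'self'"],
  "upgrade-insecure-requests": [],
};

export interface RouteLimit {
  max: number; // requests allowed per window
  windowMs: number; // window length in milliseconds
}

export interface RateDecision {
  allowed: boolean;
  remaining: number;
}

// Fixed-window limiter: one counter per (client, route) pair.
// `now` is passed in so the behaviour is deterministic and testable.
export class RateLimiter {
  private buckets = new Map<string, { count: number; windowStart: number }>();

  constructor(private readonly limits: Record<string, RouteLimit>) {}

  check(clientId: string, route: string, now: number): RateDecision {
    const limit = this.limits[route];
    // Fail closed: an unconfigured route is a bug, not an unlimited route.
    if (!limit) throw new Error(`no rate limit configured for ${route}`);

    const key = `${clientId}:${route}`;
    let bucket = this.buckets.get(key);
    if (!bucket || now - bucket.windowStart >= limit.windowMs) {
      bucket = { count: 0, windowStart: now }; // start a fresh window
      this.buckets.set(key, bucket);
    }
    if (bucket.count >= limit.max) return { allowed: false, remaining: 0 };
    bucket.count += 1;
    return { allowed: true, remaining: limit.max - bucket.count };
  }
}
```

In a Next.js route handler the header value would be set on every response and `check()` would run before any request body is parsed, so rejected requests never reach schema validation.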
Authentication
Authentication is handled by NextAuth.js with secure, HTTP-only cookies and server-side session management. Passwords are hashed with bcrypt before storage. We support OAuth 2.0 sign-in via Google, so you can use your existing identity provider without creating another password.
Infrastructure
Grantverse runs on Vercel's edge network with a global CDN for low-latency delivery worldwide. Our PostgreSQL database is hosted on Railway with SSL-encrypted connections and automated daily backups. All secrets and environment variables are managed through secure vaults. No credentials are stored in source code.
Monitoring
Sentry provides real-time error tracking and performance monitoring across every API route and page load. PostHog gives us product analytics to understand usage patterns without compromising privacy. A dedicated system health dashboard monitors database connections, cron job status, and API response times around the clock.
Access Control
The platform enforces role-based access control across three roles: Startup, Investor, and Admin. Feature-level gating ensures each subscription tier can only access what it has paid for. The Capital Room is protected by NDAs, with document access logging that tracks every view and download.
Data Handling
We support GDPR-compliant data export and deletion on request. Sensitive credentials are never stored in plain text. User data is isolated per account. Startups cannot see other startups' data, and investors only see profiles that have been matched or explicitly shared.
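The Access Control and Data Handling sections describe three checks that are easy to get wrong when they are spread across handlers: role permission, subscription tier, and per-account visibility. The following added example (hypothetical code, not Grantverse's implementation) puts all three in one policy module: `canAccess` combines role and tier, `openCapitalRoomDocument` additionally requires a signed NDA and records an access-log entry, and `visibleStartupProfiles` applies the isolation rule that startups see only their own profile and investors see only matched or explicitly shared ones. Role, tier and feature names, and the admin-bypasses-tier rule, are assumptions.

```typescript
// Added example (hypothetical policy module, not Grantverse's code).

export type Role = "startup" | "investor" | "admin";
export type Tier = "free" | "pro"; // assumed tier names
export type Feature = "capital_room" | "investor_matching" | "admin_console";

export interface Session {
  userId: string;
  role: Role;
  tier: Tier;
  signedNda: boolean;
}

// Which roles may use a feature at all (role check).
const rolePermissions: Record<Feature, Role[]> = {
  capital_room: ["investor", "admin"],
  investor_matching: ["startup", "investor", "admin"],
  admin_console: ["admin"],
};

// Which features each paid tier unlocks (tier gating).
const tierFeatures: Record<Tier, Feature[]> = {
  free: ["investor_matching"],
  pro: ["investor_matching", "capital_room"],
};

export function canAccess(session: Session, feature: Feature): boolean {
  if (!rolePermissions[feature].includes(session.role)) return false;
  if (session.role === "admin") return true; // assumption: admins ignore tiers
  return tierFeatures[session.tier].includes(feature);
}

export interface AccessLogEntry {
  at: string;
  userId: string;
  docId: string;
  action: "view" | "download";
}

const accessLog: AccessLogEntry[] = [];

// Capital Room documents: role + tier + NDA, and every access is logged.
export function openCapitalRoomDocument(
  session: Session,
  docId: string,
  action: AccessLogEntry["action"],
  now: Date = new Date(),
): { ok: boolean; reason?: string } {
  if (!canAccess(session, "capital_room")) return { ok: false, reason: "role_or_tier" };
  if (!session.signedNda) return { ok: false, reason: "nda_required" };
  accessLog.push({ at: now.toISOString(), userId: session.userId, docId, action });
  return { ok: true };
}

export function getAccessLog(): AccessLogEntry[] {
  return accessLog.slice();
}

export interface StartupProfile {
  startupId: string;
  ownerUserId: string;
  matchedInvestorIds: string[];
  sharedWithInvestorIds: string[];
}

// Per-account isolation: filter on the server, never trust the client
// to hide rows it should not see.
export function visibleStartupProfiles(
  session: Session,
  profiles: StartupProfile[],
): StartupProfile[] {
  if (session.role === "admin") return profiles;
  if (session.role === "startup") {
    return profiles.filter((p) => p.ownerUserId === session.userId);
  }
  return profiles.filter(
    (p) =>
      p.matchedInvestorIds.includes(session.userId) ||
      p.sharedWithInvestorIds.includes(session.userId),
  );
}
```

Keeping the decision in one place means a GDPR export or deletion handler, a matching endpoint and the Capital Room can all call the same functions, and a single test suite covers the tier and NDA edge cases.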
Report a Concern
Found a vulnerability or have a security concern? Email support@grantverse.io with the subject “Security report” and we will respond promptly. Please include steps to reproduce; we appreciate responsible disclosure.
Have a security question?
If you have questions about our security practices or how we handle your data, reach out any time.
Contact Us