Security & trust

Your funding data, in safe hands.

Built for an AI-native platform. From responsible-AI controls to encryption, EU data residency, and rigorous access management, Grants8 keeps your proposals, company know-how, and project details secure, private, and compliant.

Certifications & compliance

The standards we maintain today and the ones we're actively pursuing.

  • GDPR: Compliant
  • ISO 27001: In Progress
  • ISO 42001: In Progress
  • SOC 2 Type II: In Progress

Hosted in the EU on Google Cloud Platform.

Your data lives in europe-west1 (Belgium). Our infrastructure inherits Google Cloud's enterprise certifications: ISO 27001 · SOC 2 · SOC 3 · PCI DSS · GDPR.

AI & intellectual-property protection

The hardest question for any AI-native platform: where does your IP go? Here's our answer.

Your data never trains AI models.

Proposals, project details, and company know-how submitted to Grants8 are processed through Google Vertex AI (Gemini 2.5 Flash/Pro). Per Vertex AI's data governance policy, your data is not used to train or improve Google's models — and we never use it to train any model ourselves either.

Hermetic environment

Your data stays in a private VPC (grants8-vpc-connector) with all-traffic egress routing, deployed in europe-west1 (Belgium). No public exposure of internal services.

Ownership-based isolation

Multi-layer ownership validation at the application, database, and service layers. Only the authenticated owner can read or write their own data.

No selling, no sharing

Your data is never sold, rented, or shared. The only sub-processor that ever sees content for analysis is Google Vertex AI — and only on your behalf, never for training.

How we protect your data

Grants8 follows Zero Trust principles — no user or system is inherently trusted; every access is authenticated, scoped to the minimum necessary, and logged.

Data

  • AES-256 encryption at rest with Google-managed keys (Cloud SQL, Cloud Storage, Secret Manager).
  • TLS 1.2+ encryption in transit; HTTPS enforced via SECURE_SSL_REDIRECT and Cloud Run HTTPS-only.
  • Google-managed SSL/TLS certificates with automatic renewal.

Network

  • Private VPC via grants8-vpc-connector with all-traffic egress routing.
  • All Cloud Run services and jobs communicate over the internal VPC network.
  • Managed Cloud Run platform with automatic security patching.

Access

  • Least-privilege IAM with per-service accounts and minimal scopes.
  • Secrets stored exclusively in Google Secret Manager — none in source code.
  • Authentication events and access attempts logged via Google Cloud Logging for audit trails.

Transparency

Sub-processors

Grants8 uses a small set of well-known sub-processors: Google Cloud Platform (EU hosting), Google Vertex AI (AI analysis), Stripe (payments), and HubSpot (CRM). We notify customers before adding new sub-processors.

Security milestones

  • Letter of Assurance v1 published: November 2025
  • ISO 42001 implementation kicked off: In progress
  • ISO 27001 implementation kicked off: In progress
  • Customer-authorised support access with audit logging: In progress

Frequently asked questions

Common questions from procurement, security, and engineering reviewers.

How does Grants8 encrypt my data?
All customer data is encrypted at rest with AES-256 using Google-managed keys, across Cloud SQL (our PostgreSQL database), Cloud Storage (file uploads), and Secret Manager (sensitive configuration). Data in transit is encrypted with TLS 1.2 or higher. HTTPS is enforced platform-wide via Cloud Run HTTPS-only and our SECURE_SSL_REDIRECT setting.

Will my proposals or project data be used to train AI models?
No. Your data is processed through Google Vertex AI (Gemini 2.5 Flash/Pro). Per Vertex AI's data governance policy, data submitted via Vertex AI is not used to train or improve Google's models. We also do not use your data to train any model of our own.

Where is my data stored?
Your data is stored in Google Cloud Platform's europe-west1 region (Belgium) — a GDPR-compliant EU region. Cloud SQL, Cloud Storage, and Secret Manager all run in that region behind our private VPC.

Who inside Grants8 can access my data?
Customer data is isolated by our ownership-based access model — only the authenticated owner can access their own data. Internal access for support is restricted to documented support workflows. We are rolling out customer-authorised support access with full audit logging — see our security milestones above for current status.

What happens to my data if I stop using Grants8?
You can export your data at any time before closing your account. After account closure, your data is deleted from our active systems in accordance with our retention policy and any applicable legal requirements. Detailed retention and deletion procedures are available on our Trust Center.

What are my GDPR rights?
You have the right to access your personal information, request correction of inaccurate data, request deletion, request data portability, object to certain processing, and withdraw consent where processing is based on consent. Full detail is in our Privacy Policy.

When will Grants8 be ISO 27001 / ISO 42001 / SOC 2 certified?
Implementation is in progress across all three. ISO 42001 is a particular focus because we are an AI-native platform processing customer IP. See our Trust Center for current status.

What is ISO 42001 and why do you target it?
ISO 42001 is the international AI Management System standard, covering responsible AI development, data governance for AI, AI risk management, and transparency. As an AI-native platform processing your proposal IP through Vertex AI/Gemini, we believe this is the most relevant certification to demonstrate AI-specific safety controls — ahead of the EU AI Act becoming fully applicable.

Who are your sub-processors?
Grants8 uses a small set of well-known sub-processors: Google Cloud Platform (EU hosting), Google Vertex AI (AI analysis), Stripe (payments), and HubSpot (CRM). We notify customers before adding new sub-processors. The full list with hosting locations and DPAs lives on our Trust Center.

How do I report a security issue?
Email contact@grants8.com with a description of the issue. A dedicated security@ mailbox and responsible-disclosure policy are on our roadmap.

Need a tailored security review or to sign an NDA?

Our team is happy to walk your security or procurement team through our controls in detail.
