Security
Client data and engagement confidentiality are foundational — not an afterthought. Here is how we protect your information at every layer.
Six areas where we apply consistent, documented controls.
Encryption at rest & in transit
All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Database credentials and secrets are never stored in source code.
Authentication & MFA
All portal and admin access is protected by Supabase Auth with TOTP multi-factor authentication. Sessions expire on inactivity and cannot be extended client-side.
Infrastructure security
Applications are deployed on Vercel's edge network with automatic DDoS mitigation, WAF rules, and isolated compute. Database is hosted on Supabase with row-level security enforced at the database layer.
Access control
Role-based access control (RBAC) is enforced at every API endpoint and database query. Principle of least privilege is applied across all services — no shared service accounts.
NDA & data handling
All client engagements begin with a mutual NDA. Client data is never used to train models or shared across engagements. Data is retained only for the period required to fulfil the engagement.
SOC 2 alignment
Our security controls are designed to meet SOC 2 Type II criteria across security, availability, and confidentiality. Formal certification is in progress.
GradeCircle processes client data solely for the purpose of delivering the agreed engagement. We operate under a mutual NDA that is signed before any discovery work begins. Client data is:
We use the following sub-processors to deliver the platform. Each operates under their own enterprise security programmes and compliance certifications.
| Provider | Purpose | Certifications |
|---|---|---|
| Vercel | Hosting & edge delivery | SOC 2 Type II |
| Supabase | Database & authentication | SOC 2 Type II, GDPR |
| Stripe | Payment processing | PCI DSS Level 1 |
| Resend | Transactional email | SOC 2 Type II |
| Upstash | Rate limiting & caching | SOC 2 Type II |
| OpenAI | AI inference (non-client data only) | SOC 2 Type II |
We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please contact us before publishing publicly. We commit to:
Submit a vulnerability report through our secure inquiry form — all reports are reviewed by our security team.
Report vulnerabilityOur security team reviews all inquiries and responds within one business day. Use our form to report vulnerabilities, ask compliance questions, or discuss data handling.
Last reviewed: April 2026