GradeCircle
GradeCircle
ConsultingPricing
Free Diagnostic
GradeCircle
GradeCircle

Strategic intelligence and venture development.

Solutions

  • Applications
  • Strategic Services
  • Consulting
  • Pricing
  • Portfolio
  • Investors

Applications

  • Healthcare Solutions
  • Legal Services Platform
  • Financial Applications
  • Government Solutions
  • Tech Solutions
  • View All Applications →

Company

  • About
  • Blog
  • Changelog
  • Industries
  • Careers
  • Contact

Legal & Resources

  • The App
  • FAQ
  • Help & Support
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Security

© 2026 GradeCircle. All rights reserved.

🔒 256-bit TLS·SOC 2 Aligned·NDA Protected

Security

Security at GradeCircle

Client data and engagement confidentiality are foundational — not an afterthought. Here is how we protect your information at every layer.

TLS 1.2+AES-256MFA EnforcedSOC 2 AlignedNDA Protected

Security pillars

Six areas where we apply consistent, documented controls.

Encryption at rest & in transit

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Database credentials and secrets are never stored in source code.

Authentication & MFA

All portal and admin access is protected by Supabase Auth with TOTP multi-factor authentication. Sessions expire on inactivity and cannot be extended client-side.

Infrastructure security

Applications are deployed on Vercel's edge network with automatic DDoS mitigation, WAF rules, and isolated compute. Database is hosted on Supabase with row-level security enforced at the database layer.

Access control

Role-based access control (RBAC) is enforced at every API endpoint and database query. Principle of least privilege is applied across all services — no shared service accounts.

NDA & data handling

All client engagements begin with a mutual NDA. Client data is never used to train models or shared across engagements. Data is retained only for the period required to fulfil the engagement.

SOC 2 alignment

Our security controls are designed to meet SOC 2 Type II criteria across security, availability, and confidentiality. Formal certification is in progress.

Engineering security practices

  • Secrets managed via environment variables — never committed to version control
  • Dependency vulnerability scanning on every pull request
  • HTTP security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • Rate limiting on all public API endpoints (Upstash Redis)
  • Sanitised error responses — no stack traces or internal paths in production
  • Audit logging for all admin actions and authentication events
  • Automated database backups with point-in-time recovery
  • Third-party integrations use scoped API keys with minimal permissions

Client data handling

GradeCircle processes client data solely for the purpose of delivering the agreed engagement. We operate under a mutual NDA that is signed before any discovery work begins. Client data is:

  • Never used to train AI models or shared across client accounts
  • Stored in isolated, encrypted database schemas with row-level security
  • Accessible only to the named engagement team — not the broader GradeCircle team
  • Deleted or returned at the conclusion of the engagement on request
  • Processed in accordance with applicable data protection regulations

Sub-processors & third-party services

We use the following sub-processors to deliver the platform. Each operates under their own enterprise security programmes and compliance certifications.

ProviderPurposeCertifications
VercelHosting & edge deliverySOC 2 Type II
SupabaseDatabase & authenticationSOC 2 Type II, GDPR
StripePayment processingPCI DSS Level 1
ResendTransactional emailSOC 2 Type II
UpstashRate limiting & cachingSOC 2 Type II
OpenAIAI inference (non-client data only)SOC 2 Type II

Vulnerability disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please contact us before publishing publicly. We commit to:

  • Acknowledging your report within 2 business days
  • Providing a timeline for investigation and remediation
  • Notifying you when the issue has been resolved
  • Crediting researchers who disclose responsibly (if desired)

Submit a vulnerability report through our secure inquiry form — all reports are reviewed by our security team.

Report vulnerability

Have a security question?

Our security team reviews all inquiries and responds within one business day. Use our form to report vulnerabilities, ask compliance questions, or discuss data handling.

Submit a security inquiryGeneral contact

Last reviewed: April 2026