Security

Security at GradeCircle

Client data and engagement confidentiality are foundational — not an afterthought. Here is how we protect your information at every layer.

TLS 1.2+AES-256MFA EnforcedSOC 2 AlignedNDA Protected

Security pillars

Six areas where we apply consistent, documented controls.

Encryption at rest & in transit

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Database credentials and secrets are never stored in source code.

Authentication & MFA

All portal and admin access is protected by Supabase Auth with TOTP multi-factor authentication. Sessions expire on inactivity and cannot be extended client-side.

Infrastructure security

Applications are deployed on Vercel's edge network with automatic DDoS mitigation, WAF rules, and isolated compute. Database is hosted on Supabase with row-level security enforced at the database layer.

Access control

Role-based access control (RBAC) is enforced at every API endpoint and database query. Principle of least privilege is applied across all services — no shared service accounts.

NDA & data handling

All client engagements begin with a mutual NDA. Client data is never used to train models or shared across engagements. Data is retained only for the period required to fulfil the engagement.

SOC 2 alignment

Our security controls are designed to meet SOC 2 Type II criteria across security, availability, and confidentiality. Formal certification is in progress.

Engineering security practices

Secrets managed via environment variables — never committed to version control
Dependency vulnerability scanning on every pull request
HTTP security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
Rate limiting on all public API endpoints (Upstash Redis)
Sanitised error responses — no stack traces or internal paths in production
Audit logging for all admin actions and authentication events
Automated database backups with point-in-time recovery
Third-party integrations use scoped API keys with minimal permissions

Client data handling

GradeCircle processes client data solely for the purpose of delivering the agreed engagement. We operate under a mutual NDA that is signed before any discovery work begins. Client data is:

Never used to train AI models or shared across client accounts
Stored in isolated, encrypted database schemas with row-level security
Accessible only to the named engagement team — not the broader GradeCircle team
Deleted or returned at the conclusion of the engagement on request
Processed in accordance with GDPR and applicable data protection regulations

Sub-processors & third-party services

We use the following sub-processors to deliver the platform. Each operates under their own enterprise security programmes and compliance certifications.

Provider	Purpose	Certifications
Vercel	Hosting & edge delivery	SOC 2 Type II
Supabase	Database & authentication	SOC 2 Type II, GDPR
Stripe	Payment processing	PCI DSS Level 1
Resend	Transactional email	SOC 2 Type II
Upstash	Rate limiting & caching	SOC 2 Type II
OpenAI	AI inference (non-client data only)	SOC 2 Type II

Vulnerability disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please contact us before publishing publicly. We commit to:

Acknowledging your report within 2 business days
Providing a timeline for investigation and remediation
Notifying you when the issue has been resolved
Crediting researchers who disclose responsibly (if desired)

Submit a vulnerability report through our secure inquiry form — all reports are reviewed by our security team.

Have a security question?

Our security team reviews all inquiries and responds within one business day. Use our form to report vulnerabilities, ask compliance questions, or discuss data handling.

Last reviewed: April 2026