How we protect your data

A truthful overview of the security posture built into GRC Oversight today. We describe only what the product actually does — no certifications or compliance attestations we don't hold.

Visit the Trust Center Scanner Policy

Our posture

Security built into the platform

Tenant isolation

Every authenticated query is scoped to your organization at the application layer — the primary guarantee. We are rolling out Postgres row-level security as a database-enforced second layer so that, even if an app-side filter were missing, data cannot leak across tenants.

Encryption of credentials at rest

Integration credentials are encrypted with AES-256-GCM at the application layer before they are stored. Plaintext secrets are never written to the database.

Append-only audit logging

Sensitive actions are recorded in a per-organization, hash-chained audit log. Each entry hashes the previous one, so any tampering with history is detectable.

Hashed authentication

Account passwords are stored as hashes, never in plaintext. Sessions carry your organization and role for access control.

Passive public scanner

Our free scanner performs only passive, browser-equivalent checks and refuses internal/private targets (SSRF guard). See the Scanner Policy for details.

Least-privilege data access

Access is governed by role (admin, member, auditor), and org-scoped storage keys keep evidence and files separated per tenant.

Honesty note

What we don't claim

We do not currently hold any third-party security certification (e.g. SOC 2, ISO 27001) and we do not claim one. As compliance milestones are reached, we will document them in the Trust Center with evidence — never before.

Disclosure

Reporting a vulnerability

If you believe you've found a security issue, we want to hear from you. Please report it responsibly and give us reasonable time to remediate before public disclosure.

Email: security@grcoversight.com
Machine-readable policy: /.well-known/security.txt (RFC 9116)
Trust details and posture: Trust Center

See how we operationalize trust

Get a guided demo, or start by scanning any domain for free.

Get a demo Visit the Trust Center