Security Policy

Our Commitment to Security

Security is fundamental to everything we do at SafeGuardGRC. This page outlines our security practices and how to responsibly disclose vulnerabilities.

Infrastructure Security

SafeGuardGRC is built on modern, security-first infrastructure. Our application is hosted on Vercel with automatic HTTPS, DDoS protection, and edge network distribution. Our database is managed by Supabase with encrypted connections, row-level security policies, and automatic backups.

All data is encrypted in transit (TLS 1.2+) and at rest. We enforce strict Content Security Policies, HTTP Strict Transport Security (HSTS), and other security headers that are verified by automated scans published on our Security & Trust page.

Application Security

We employ multiple layers of application security including role-based access control (RBAC), row-level security at the database layer, input validation, parameterized queries, and CSRF protection. Authentication is managed through Supabase Auth with support for multi-factor authentication (MFA).

Our CI/CD pipeline includes automated Static Application Security Testing (SAST), dependency vulnerability scanning, and secret detection on every code change. Additionally, OWASP ZAP baseline tests and third-party security audits run nightly against our production environment.

Automated Security Scanning

We run automated security scans on a nightly basis using industry-standard tools. Summary results are published transparently on our Security & Trust page. These include:

  • SSL/TLS Analysis via Qualys SSL Labs
  • Security Header Audit via Mozilla Observatory
  • Dependency Vulnerability Scanning via Trivy
  • OWASP Baseline Scan via OWASP ZAP (passive, non-destructive)

Only summary-level data (grades and pass/fail status) is published publicly. Full reports, CVE identifiers, and package details are never exposed on the public page.

Data Protection

Client data is isolated at the database level using row-level security policies. Each firm's data is accessible only to authorized members of that firm. We do not share, sell, or provide access to client data to third parties.

For more information about how we handle personal data, please review our Privacy Policy.

Responsible Disclosure

We value the work of security researchers and welcome responsible disclosure of vulnerabilities. If you believe you have found a security issue in our application, please report it to us privately.

How to Report

Please include the following in your report:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any supporting evidence (screenshots, logs)

We ask that you:

  • Give us reasonable time to investigate and address the issue before any public disclosure
  • Make a good faith effort to avoid privacy violations, data destruction, and interruption of service
  • Not access or modify data belonging to other users

Security Contact

For any security-related questions or concerns, please contact us at security@safeguardgrc.com. For general inquiries, visit our Contact page.
