Security

Last updated: May 24, 2026

AutoGrant handles sensitive information about your organization, your funders, and your strategy. We take that seriously, and we'd rather tell you exactly what we do today than make claims we can't back up.

Where we are today

Transport encryption. All traffic to and from the product runs over TLS 1.2+.
At-rest encryption. Database and file storage are encrypted at rest using our cloud provider's managed keys.
US data residency. All infrastructure runs in the United States by default.
No training on your data. Your organization's data, documents, and strategy are never used to train AI models—ours or third parties'. We use commercial AI providers under agreements that prohibit training on customer content, and we don't sell or share what you put into AutoGrant.
Least-privilege access. Production access is restricted to a small number of operators, scoped per task, and logged.
Human-in-the-loop. AutoGrant never submits a proposal without your explicit sign-off, on any autonomy setting. The pre-submission checkpoint (HC3) is permanent and not configurable. See the diagram below.

How HC3 stays enforced

Every proposal moves from draft to portal through five separate checks. HC3, the pre-submission gate, is enforced in five places in the codebase. No autonomy setting can disable it.

HC3, the trust boundary

AutoGrant never submits a proposal without your explicit sign-off, on any autonomy setting.

Five independent checks. One bypass still leaves four.

What we don't claim

We're an early-stage company. We are not currently SOC 2, HIPAA, FedRAMP, or PCI certified. We don't claim compliance we haven't earned. If your organization needs a specific certification before working with us, raise it on the first call. We'll tell you honestly where we stand and what the path looks like.

Reporting a vulnerability

If you believe you've found a security issue, please email chris@centerednetworks.com with a description and steps to reproduce. We'll acknowledge within two business days and keep you in the loop on the fix.

Please give us a reasonable window to investigate and patch before public disclosure. We won't pursue good-faith researchers who follow responsible disclosure.

Subprocessors

AutoGrant runs on commercial cloud infrastructure and uses a small number of vendors for things like email delivery and analytics. A current list is available on request from chris@centerednetworks.com.

Questions

Security questions from prospective design partners are welcome and encouraged. Email chris@centerednetworks.com and we'll get on a call.