Security at FastGRC
As a GRC platform, we hold ourselves to the same standards we help our customers achieve. This page describes how we protect your data, maintain system integrity, and operate transparently.
1. Infrastructure & Encryption
FastGRC runs on managed Kubernetes clusters (AKS/EKS/GKE) in US-based data centers with network policies enforcing least-privilege pod-to-pod communication.
- Encryption at rest — All data is encrypted with AES-256 via cloud-provider managed keys. Database storage, backups, and file uploads are all encrypted.
- Encryption in transit — TLS 1.3 is enforced for all connections. HSTS headers prevent protocol downgrades.
- Key management — Encryption keys are managed by cloud KMS. No plaintext secrets are stored in code or configuration files.
- Network isolation — Application services communicate over private networks. Public endpoints are protected by WAF and rate limiting.
2. Data Isolation & Access Control
Every customer's data is logically isolated at the database level using PostgreSQL Row-Level Security (RLS) policies. No query can cross organization boundaries regardless of application-layer logic.
- Row-Level Security — Every table enforces RLS policies scoped to the authenticated user's organization. This is enforced at the database engine level, not application code.
- Role-based access — Four roles (Owner, Admin, Member, Auditor) with distinct permission sets. Auditors have read-only access by design.
- Authentication — OAuth 2.0 via Supabase Auth with support for SSO (Google, Microsoft, SAML). MFA is supported through identity provider configurations.
- Session management — JWT-based sessions with configurable expiry. Refresh tokens are rotated on each use.
3. Audit Trail & Data Integrity
Every data modification in FastGRC is recorded in an immutable audit log with cryptographic integrity guarantees.
- Hash chain — Each audit log entry includes a SHA-512 hash of the previous entry, forming a tamper-evident chain. Any modification to historical entries is detectable.
- What's logged — Actor identity, timestamp, action type, entity affected, before/after values, and IP address.
- Retention — Audit logs are retained for the duration required by applicable compliance frameworks (minimum 1 year).
- Export — Audit logs can be exported for external review by auditors.
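The hash chain described above, as an added example in Python (not FastGRC's code): entries carry the SHA-512 of their predecessor, and the verifier walks the chain, including the case where a historical edit is followed by re-hashing every later entry, which only a comparison against a head hash kept out of band catches. The canonical-JSON serialisation, the genesis value and the entry field names are assumptions.

```python
import hashlib
import json
from typing import Optional

# Added example, not FastGRC's code. Assumed: entries are hashed as canonical
# JSON, the first entry chains to a fixed genesis value, and the verifier may
# be handed a trusted head hash kept out of band (e.g. in a separate system).
GENESIS = "0" * 128  # sentinel prev_hash for the first entry (assumption)

def entry_hash(entry: dict) -> str:
    """SHA-512 of the canonical JSON form of one audit entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha512(payload).hexdigest()

def append_entry(log: list, **fields) -> dict:
    """Append an entry whose prev_hash is the SHA-512 of the previous entry."""
    prev = entry_hash(log[-1]) if log else GENESIS
    entry = dict(fields, prev_hash=prev)
    log.append(entry)
    return entry

def verify_chain(log: list, trusted_head: Optional[str] = None) -> Optional[int]:
    """Index of the first broken link, or None if intact. Without trusted_head an
    edit plus a recomputed tail passes; with it, that case is reported as len(log)."""
    expected = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != expected:
            return i
        expected = entry_hash(entry)
    if trusted_head is not None and expected != trusted_head:
        return len(log)
    return None

def demo() -> dict:
    """Constructed sample log: edit a historical entry, then re-chain the tail."""
    log = []
    append_entry(log, ts="2024-01-01T10:00:00Z", actor="alice", action="update",
                 entity="control:AC-2", before={"status": "open"},
                 after={"status": "implemented"}, ip="203.0.113.7")
    append_entry(log, ts="2024-01-01T10:05:00Z", actor="bob", action="create",
                 entity="policy:P-1", before=None, after={"title": "Access"}, ip="203.0.113.9")
    head = entry_hash(log[-1])  # in practice stored out of band
    result = {"intact": verify_chain(log, head)}
    log[0]["after"]["status"] = "open"          # silent edit of history
    result["edited"] = verify_chain(log)        # caught at the next link
    log[1]["prev_hash"] = entry_hash(log[0])    # tail re-chained after the edit
    result["rechained"] = verify_chain(log)     # plain chain check passes
    result["rechained_vs_head"] = verify_chain(log, head)  # anchored check fails
    return result
```

The last two results are the practical point: a chain check alone proves internal consistency, while the head hash stored outside the log is what makes historical rewrites detectable.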
4. AI & Data Privacy
FastGRC uses Claude by Anthropic as its AI copilot. We take specific measures to ensure your data is handled responsibly.
- No model training — Your data is never used to train AI models. This is contractually guaranteed through our commercial agreement with Anthropic.
- Real-time processing only — Prompts are sent to the AI API and responses are returned in real-time. We do not store prompt/response pairs beyond the active session.
- Data Processing Agreement — We maintain a commercial DPA with Anthropic that covers data handling, processing, and deletion obligations.
- Context boundaries — The AI copilot only receives data from the authenticated user's organization. Cross-tenant data leakage is impossible by design.
5. Integration Security
FastGRC connects to third-party tools (cloud providers, identity providers, SIEM, HR systems) with minimal permissions and strong credential protection.
- Minimal permissions — All integrations request only the read permissions needed. Most integrations are strictly read-only.
- Credential storage — API keys, tokens, and secrets are encrypted at rest using AES-256. They are never logged, displayed after entry, or included in exports.
- Data collected — Integrations collect aggregate metadata (user counts, MFA percentages, alert summaries) — not raw records. Detailed data access documentation is available for each integration within the platform.
- OAuth-first authentication — Where supported, integrations use OAuth 2.0 consent flows (e.g., "Connect with Google") so customers never need to create, download, or paste credentials. Fallback methods (API keys, service account keys) are available for advanced use cases.
6. Compliance
We are actively pursuing formal certifications and align our controls to industry-recognized frameworks.
- SOC 2 Type II — In progress. Our platform implements controls aligned with the Trust Services Criteria (security, availability, confidentiality).
- ISO 27001:2022 — Controls aligned with Annex A requirements. Formal certification planned.
- NIST CSF — Our security program is structured around the NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover).
- Data residency — Data is hosted in the United States. Standard Contractual Clauses (SCCs) are available for EU/UK data transfers upon request.
We believe in transparency about where we are in our compliance journey. If you need specific documentation or controls evidence, please reach out to our security team.
7. Incident Response
We maintain a documented incident response plan and practice it regularly.
- Detection — Automated monitoring for anomalous access patterns, failed authentication attempts, and infrastructure alerts.
- Response SLA — Critical security incidents are triaged within 1 hour and communicated to affected customers within 24 hours.
- Post-incident review — All incidents result in a root cause analysis and remediation plan shared with affected parties.
- Responsible disclosure — We welcome security researchers to report vulnerabilities. Please reach out to security@fastgrc.ai.
8. Data Retention & Deletion
- Customer data is retained while the account is active.
- Upon account closure, all data is permanently deleted within 90 days.
- Audit logs are retained for the compliance-required period, then purged.
- Backups are encrypted and automatically expire per the retention schedule.
- Data deletion requests can be submitted to privacy@fastgrc.ai.
9. Questions & Contact
For security questionnaires, penetration test reports, SOC 2 readiness documentation, or any security-related inquiries:
- Email: security@fastgrc.ai
- Privacy: privacy@fastgrc.ai
- Policies: Privacy Policy · Terms of Service