GrabDocs Security Overview

Security is at the core of everything we build at GrabDocs.

Businesses trust us with their most important financial, operational, and personal documents — and we design our systems to protect that data at every layer.

This page summarizes how we protect customer data across infrastructure, encryption, access controls, and operational practices.

View Security FAQ →

Infrastructure Security

GrabDocs is built on a modern, secure cloud stack:

Cloudflare

  • Cloudflare R2 stores documents using AES-256 encryption at rest.
  • Cloudflare automatically enforces TLS 1.2/1.3 encryption for all traffic.
  • Global CDN and DDoS protection help ensure service reliability and security.
  • Zero-Trust tools help enforce secure access to internal services.

Supabase

  • Supabase provides our managed PostgreSQL database.
  • Data is encrypted at rest using the underlying infrastructure's encryption (AES-256).
  • Supabase uses secure, encrypted connections (TLS) for all in-transit database communication.
  • Row-level security (RLS) ensures strict data isolation between users and companies.

Render

  • Render hosts our application services in secure, containerized environments.
  • Secrets are stored using Render's encrypted secret management system.
  • Automatic HTTPS is enforced (TLS 1.2/1.3).
  • Render relies on cloud-provider–level encryption for storage volumes and backups.

Encryption

Data in Transit

All communication between browsers, our API, and third-party services is encrypted via TLS 1.2/1.3.

Data at Rest

All stored data — documents, metadata, logs — is encrypted at rest using:

  • AES-256 (Cloudflare R2)
  • AES-256 (Supabase Postgres)
  • Provider-level encryption (Render disks)

Application-Level Encryption (Optional Feature)

For sensitive document storage, GrabDocs uses optional application-layer encryption:

  • Files are encrypted using AES-256-GCM before they are uploaded.
  • Only the GrabDocs backend can decrypt files.
  • Cloudflare and Supabase only store encrypted blobs, not readable files.
  • This prevents anyone, including platform staff, from reading customer documents.

Access Control & Privacy

Role-Based Access Control (RBAC)

Granular permissions control:

  • who can upload documents
  • who can view, edit, or delete
  • who can manage billing
  • who can create workspaces
  • who can manage team members

Workspace & Company Isolation

Each organization, workspace, and individual user is completely isolated:

  • No cross-tenant data access
  • Strict database-level RLS enforcement
  • Isolated encryption keys where applicable

2-Factor Authentication (2FA)

Users can enable 2FA to secure account access.

No-Engineer-Access Policy

GrabDocs implements a strict No-Engineer-Access model:

  • Engineers do not have access to customer documents or database contents.
  • Application-layer encryption ensures that even administrators cannot view document contents, because only encrypted blobs are stored.
  • When support is required, engineers may only view:
    • metadata
    • system logs
    • error traces
  • Engineers never view document content.
  • All access is logged and monitored.

Audit Logs & Versioning

GrabDocs supports detailed logging of:

  • document uploads
  • document views
  • permission changes
  • user login events
  • admin actions

Document versioning allows customers to track every change.

Backups & Reliability

  • Supabase provides automated, encrypted database backups.
  • Cloudflare R2 provides durable object storage with multiple-region redundancy.
  • Render supports service redundancy and automatic restarts.
  • GrabDocs performs daily internal backups of critical metadata.
  • Backups are encrypted at rest.

AI Safety & Privacy

GrabDocs uses AI to help users search and understand their documents, with strict boundaries:

  • Documents are processed transiently — the LLM does not store or train on your data.
  • Only the minimal required content is sent to the AI model.
  • AI providers cannot keep, reuse, or train on your documents.

Privacy Policy & Terms

GrabDocs publishes a clear Privacy Policy and Terms of Service outlining:

  • What data we collect
  • How we use your data
  • Security commitments
  • Customer rights

View our Privacy Policy | View our Terms of Service

Summary

GrabDocs uses industry-standard security practices including:

  • AES-256 encryption at rest
  • TLS 1.2/1.3 encryption in transit
  • Role-based access control
  • Company-level data isolation
  • No-Engineer-Access enforcement
  • Encrypted backups
  • Zero-trust principles
  • Modern cloud infrastructure (Cloudflare, Supabase, Render)
  • Transient LLM processing

Security is not a feature — it's the foundation of our product.

Have Questions?

Check out our Security FAQ for answers to common questions about data protection, encryption, and access controls.
