GrabDocs Security FAQ

1. How does GrabDocs secure my documents?

GrabDocs protects data at multiple layers using industry-standard encryption and modern cloud infrastructure.

Your documents are encrypted:

• In transit using TLS 1.2/1.3
• At rest using AES-256 encryption
• Optionally encrypted at the application layer (AES-256-GCM), meaning only encrypted blobs are stored in Cloudflare or Supabase.

No one at GrabDocs can view your documents outside the application.

2. Where is my data stored?

GrabDocs uses a modern and secure cloud stack:

• Cloudflare R2 for document storage
• Supabase (runs on AWS) for encrypted PostgreSQL database storage
• Render for hosting our backend services

All providers enforce encrypted storage and encrypted connections by default.

3. Who can access my documents?

Only users you grant access to can view or interact with your documents.

GrabDocs enforces:

• Workspace isolation
• Role-based access control (RBAC)
• Company-level isolation
• Database-level row security (RLS)

Even internal staff, including engineers, cannot view document contents.

4. What is GrabDocs' "No-Engineer-Access" policy?

This means:

• GrabDocs engineers do not have access to customer data or documents.
• Application-layer encryption ensures stored files are unreadable, even by administrators.
• Engineering access to databases, dashboards, and logs is restricted and monitored.
• Customer support can only view metadata—not document contents.

In short: No one at GrabDocs can open or read your documents.

5. Are documents stored permanently?

Documents remain in your workspace until you delete them.

Deleted documents are purged from active storage and removed from backup cycles according to our retention policies.

6. Does GrabDocs keep backups of my data?

Yes. GrabDocs uses:

• Supabase's encrypted database backups
• Cloudflare's durable object storage
• Internal daily metadata backups

All backups are encrypted.

7. What happens if a server fails?

GrabDocs services run on redundant cloud infrastructure.

• Cloudflare R2 maintains regional redundancy.
• Render automatically restarts failed services.
• Supabase maintains multiple data replicas and encrypted backups.

This provides strong resilience against hardware failures.

8. Does GrabDocs train AI models on my documents?

No.

Your documents are processed transiently by the AI models when you search or request analysis.

The models:

• Do not store your data
• Do not train on it
• Do not reuse it for other customers

This is a strict policy.

9. Can GrabDocs employees view my data?

No.

• Document contents are encrypted at the application layer (if enabled), and access to dashboards is restricted.
• Administrative access is logged and monitored.

10. How is account access protected?

GrabDocs offers:

• Strong passwords
• Optional 2-Factor Authentication (2FA)
• Login alerts
• Session management
• Automatic logout on suspicious activity

11. How does GrabDocs isolate data between companies?

We enforce:

• Workspace-level isolation
• Company-level isolation
• Database Row-Level Security (RLS)
• Scoped API permissions

This ensures no accidental or unauthorized cross-tenant access.

12. What encryption does GrabDocs use?

GrabDocs uses:

• AES-256 at rest (Cloudflare R2, Supabase)
• TLS 1.2/1.3 in transit
• AES-256-GCM for optional application-layer file encryption

Keys are stored in secure secret managers with restricted access.

13. Is it safe to disclose that GrabDocs uses Cloudflare, Supabase, and Render?

Yes.

• These are industry-standard platforms used by thousands of secure SaaS companies.
• It is normal and expected to share your infrastructure at a high level.
• You are not exposing sensitive details.

14. What happens if there is a security incident?

GrabDocs maintains a documented incident response process including:

• Monitoring
• Logging
• Containment
• Recovery
• Customer notification

Incidents are rare, but we prepare for them.