Trust Center
How we run our own platform — in our own words, using our own product.
In our own words
This page is generated by the same Trust Center feature every GRC Oversight customer gets — we are simply our own first tenant.
What's true today: every authenticated database query is scoped to an organization at the application layer (src/lib/tenant.ts), integration credentials are encrypted with AES-256-GCM before they're written to the database (src/lib/crypt.ts, key held outside the database), sensitive actions are recorded in a per-organization, hash-chained append-only audit log, passwords are stored as bcrypt hashes (never plaintext), and file storage keys are namespaced per organization behind a swappable storage interface.
A Postgres row-level-security migration exists in the codebase as a second, database-enforced layer of tenant isolation, but per our own engineering docs it has not yet been validated against a live Postgres instance in production — so today the query-layer scoping above is the operative guarantee, not RLS.
Certifications in progress: none yet. We do not hold and do not claim SOC 2, ISO 27001, or any other third-party attestation. See how tenant isolation and encryption work today at /security and in our architecture docs.
How we monitor externally observable security posture: our own public scanner methodology page explains exactly what it checks and doesn't — see the link below, or run our own domain through it yourself at /scan.
Add GRC Oversight's Trust Center badge to your own site or README, linking back to this profile.
[](https://grcoversight.com/trust/grc-oversight)<a href="https://grcoversight.com/trust/grc-oversight"><img src="https://grcoversight.com/api/trust/badge/grc-oversight" alt="GRC Oversight: Trust Center" /></a>