Security

Last updated 5 June 2026

Hosting & infrastructure

[Vercel; region — confirm]

Encryption in transit and at rest

[confirm specifics — do not claim standards Grace does not meet]

Access control & authentication

[confirm]

Audit trail

Grace's hash-chained audit trail on sensitive actions [real product feature per the PDD; confirm scope before claiming on the public site]. [Reviewed legal wording required.]

Payments security

Card data handled by PCI-DSS-compliant processors; Grace does not store card numbers [confirm wording against the actual payment rail].

Backups & resilience

[confirm]

Data protection by design

[Reviewed legal wording required.] See also the GDPR page.

Responsible disclosure

How to report a vulnerability: [security contact email]

Sub-processors

Link to the processor list on the Privacy Policy.