How Gramm handles your data.

Infrastructure providers, encryption posture, access controls, and the documents available to your security team during review.

Infrastructure providers and security documents.

The infrastructure vendors below carry their own independent attestations. Gramm security documentation is available during procurement review via security@gramm.ai.

Vercel: Application hosting & edge delivery (SOC 2 Type II)
Supabase: Database & authentication (SOC 2 Type II)
Upstash: Caching & rate limiting (SOC 2 Type II)
Stripe: Payment processing (PCI DSS Level 1)

How your data is protected at every step.

Encryption

TLS 1.3 enforced in transit. AES-256 encrypted storage at rest. No plaintext connections accepted.

Access controls

Authentication required on all endpoints. Row-level security on every table. Service access restricted to backend routes only.

API key storage

Keys stored as SHA-256 hashes. Plaintext shown once on creation, never stored or logged after that.

Forecast delivery

Precomputed on schedule and served from cache. API queries do not trigger model inference. No customer-specific training.

Availability

99.9% monthly uptime target across Developer, Team, Growth, and Enterprise plans. Service credits available under negotiated Enterprise terms; see SLA for measurement and remediation.

Data residency

All customer data (accounts, API keys, forecast metadata) is stored in the United States on Supabase (AWS US regions) and served via Vercel's North American edge. No data leaves US infrastructure.

What your procurement and security teams get.

Gramm supports vendor review from day one. Send your security questionnaire and we will complete it with current controls, architecture materials, and infrastructure documentation.

Available on request

Security questionnaire responses (SIG-lite format)
Subprocessor list and vendor attestations
Data Processing Addendum (DPA) template
Infrastructure architecture documentation
Encryption and data handling details
Incident response and notification policy
Master Services Agreement (MSA) template (redlines welcome)
Named engineering contact for follow-up questions

Ready for a security review?

Send your questionnaire or schedule a call. We respond to security review requests within two business days.