Security at GP
Introduction
At GrantPuma, the security of your data is of paramount importance to us, and we take extensive measures to ensure that your data is safe. We use multiple layers of security at the datacenter, server, and application level to keep your data private and secure. We aim to minimize risk by relying almost exclusively on data in the public domain. In each instance where we ask for, or you submit, confidential and/or proprietary data, we will give you the opportunity to review our intended use and our data protection policies and measures, so that you can make an informed decision before sharing anything proprietary or confidential.
If we can do better, let us know!
Security
Securing Our Organization and Your Data
- Our security protocols apply to ALL data collected and used on our site, including public domain data.
- The focus of our security program is to prevent unauthorized access to your data.
- Our team of security practitioners takes steps to identify and mitigate risks, implement best practices, and constantly improve.
- All our data, algorithms, and processes are stored on AWS, the industry-leading cloud service provider. As a result, we can guarantee:
  - strict physical site security, where authorized staff must pass two-factor authentication a minimum of two times to access data center floors, and contractors are escorted at all times;
  - redundant power, network connectivity, fire, and flood protection;
  - SOC 2 compliance.
- The relevant data security and protection approaches and policies are:
  - AWS Data Center Controls: https://aws.amazon.com/compliance/data-center/controls/
  - AWS Compliance Page: https://aws.amazon.com/compliance/
  - AWS Services in Scope by Compliance Program: https://aws.amazon.com/compliance/services-in-scope/
- Our goal is to catch any holes in our security design before they result in a problem. Our effort to ensure that your data is safe is ongoing.
- Our goal is to catch all the holes in our security design. Mistakes do happen, so we’ve created a system to track down and help us deal with breaks in our armor. We are working nonstop to ensure that your proprietary and confidential data is 100% safe. To see an outline of our process, check out the resources page.
Servers
GrantPuma systems were architected to take full advantage of the industry-leading AWS ecosystem. Our cloud architecture is designed for the highest level of security, availability, and durability.
- Servers are hosted in a Virtual Private Cloud (VPC). This means that the servers themselves are not directly reachable from the public internet. You can’t attack what you can’t see.
- All connectivity to the servers must pass through specially engineered load balancers and firewalls, creating security chokepoints. All traffic is forced through encrypted channels such as SSH, SFTP, and HTTPS.
- All admin access to servers occurs via public/private key authentication, using strong keys. Intrusion prevention systems lock users out after 3 failed login attempts.
- Servers are “hardened” by default at the time of provisioning, closing unused ports and disabling unused services. Audits are run at least quarterly to ensure that no changes have been made that fall outside our policies.
- Vulnerability scans are run at least monthly, sending proactive notifications to our security team if software vulnerabilities are found.
- All data is encrypted at rest, so in the unlikely event that someone gained access to the underlying AWS storage volume, the data would be unreadable without the encryption keys.
Endpoint Security
- All workstations provided to our team are configured and vetted to meet our security standards. These workstations are continuously monitored, configured, and updated.
- Our default configurations lock workstations when idle, encrypt data at rest, and require strong passwords.
- Workstations run current endpoint monitoring software that detects and reports potential malware, removable storage devices, and unauthorized software. Software is updated as soon as new releases are available, so we are always using the most up-to-date standards.
Applications
To match the security of our data centers and server instances, we have engineered GrantPuma applications with a belt-and-suspenders approach to security.
- Sessions time out to prevent unauthorized access.
- All logins and logouts are logged.
- Changes made in the system are logged, including what was changed, who made the change, and when they made it.
Reliable
Through redundancy and secure software development techniques, GrantPuma maintains an uptime of over 99.99%.
Self-Healing Applications
All servers are bound to fail eventually. Through redundancy and autoscaling, we ensure that your users and your data remain unaffected.
- We have no fewer than two server instances running every service, load-balanced across multiple datacenters; in the event of the loss of an entire datacenter, your users would experience minimal to zero downtime.
- Performance monitors continually audit the health of our servers and applications. If a server becomes unavailable or application performance degrades, the system automatically spawns additional server instances to pick up the slack.
Privacy Policy
Data and Information We Collect
- Account login credentials, such as username and password.
- Interactions within the system such as with recommendation cards (e.g., thumbs up / down, moving cards to various folders, such as “active”, etc.).
- Content you upload to our platform, such as documents, abstracts or text, or photos.
- If applicable, payment info such as credit card number, address, name, etc.
- Data provided by third party and public services, including any public database in which you or your work are included (e.g., PubMed, NIH Reporter, NSF Award Search, etc.).
How We Collect These Data
- Through information you directly provide to us.
- Through your use of the website and activity on the site.
- Information you provide to us over the phone, in online meetings, or in person.
- Business deals and business interactions with you or your institution.
- Through public services, such as search engines and any public database in which you or your work are included (e.g., PubMed, NIH Reporter, NSF Award Search, etc.).
How We Use the Data We Collect
- Processing your information for purchases or for our use (e.g., to generate specific sites, documents, or actions in our system).
- Customizing content for you and making sure our website is curated for you specifically, which includes recommendations of potential grant opportunities.
- Improving the platform and our services through customer feedback and analysis (we highly value your feedback and appreciate all concerns you share with us!).
- Notifying you about changes to our site or to our policies via email.
- Providing support to you through FAQs, instructional posts, etc.
- Identifying usage trends to better help us create a more enjoyable experience for you, which includes changing the look of our website or the format.
- Meeting our legal obligations.
- Fulfilling our commitments to you.
Your Rights
- You have the right to receive a copy of your data, electronic and/or a hard copy, upon request.
- If you find inaccuracies in your data, you may request that your data be fixed or deleted.
- You may object to the processing of your data within GrantPuma at any time if the site is not appropriately using your data.
- You may request that your data be deleted from our site at any time, for any reason. Note that this will require the closure of your account, as we cannot store your login or other information if you prohibit us from using your data.
Changes to This Notice
- Any changes made to our privacy policy will be listed here when they happen, along with the date and time the change becomes effective.
- We will also explain why the changes were made, and what you can do if you disagree with them or have concerns.