Security Controls
Security posture for access control, secrets, authentication, audit logging, operations, and incident response.
Application controls
GramGrow uses tenant-aware schema design, row-level security, role-based settings access, encrypted integration secrets, masked credential hints, provider fingerprints, and server-side validation for sensitive settings. The application-security taxonomy is aligned with OWASP ASVS 5.0 control areas such as authentication, access control, input validation, secrets management, logging, API protection, and data protection; this alignment is not a claim of completed certification.
Operational safeguards
Production and local environments are separate trust domains. Production promotion must follow local validation, CI when available, explicit human approval, guarded deploy, and post-deploy validation. Governance, supply-chain review, observability, alerting, and internal ops diagnostics support the evidence trail.
Incident response and disclosure
Security reports should be sent to support@gramgrow.io until a dedicated security mailbox and coordinated disclosure policy are published. The target first response for launch-stage reports is two business days. Incident handling must avoid exposing secrets, must preserve evidence, and should record impact, affected tenants, mitigation, customer communication, and follow-up actions.