Security Policy

Effective: March 1, 2025
Last Updated: March 20, 2026
Version 1

Company: RavDev Technologies, LLC
Effective Date: March 1, 2025
Last Updated: April 4, 2026
Contact: legal@ravdevtech.com
This policy is provided for informational purposes. Consult legal counsel for jurisdiction-specific compliance.

1. Our Commitment to Security

RavDev Technologies, LLC takes the security of your data seriously. We implement a defense-in-depth security architecture designed to protect the confidentiality, integrity, and availability of your information and the NextGen Grant OS platform.

2. Encryption

2.1 Encryption in Transit

All data transmitted between your browser or API client and our servers is encrypted using TLS 1.3. Connections using TLS 1.2 are accepted for compatibility; older, deprecated protocols (SSL, TLS 1.0, TLS 1.1) are not supported.

2.2 Encryption at Rest

Customer data stored in our databases is encrypted at rest using AES-256 encryption. Sensitive fields (such as PII and financial data) receive additional AES-256-GCM field-level encryption before being written to the database. Backups are encrypted prior to storage.

2.3 Key Management

Encryption keys are managed using a cloud key management service (KMS) with role-based access controls, automated rotation, and audit logging. Keys are never stored alongside the data they protect.

3. Access Control

3.1 Role-Based Access Control (RBAC)

The Service implements a comprehensive RBAC system with the following roles:

  • System Admin: Full platform access and administrative functions
  • Grant Director: Organization-wide access with management capabilities
  • Grant Writer: Access to assigned proposals and discovery tools
  • Compliance Officer: Compliance features and reporting access
  • Finance Officer: Budget and financial data access
  • Principal Investigator: Research proposal access with review capabilities

Access is granted on the principle of least privilege — users receive only the access required for their role.

3.2 Authentication

  • All user accounts require a password meeting minimum complexity requirements
  • Passwords are stored as bcrypt hashes — we never store plaintext passwords
  • Multi-factor authentication (MFA) is supported via TOTP (RFC 6238) authenticator apps and is strongly recommended
  • Enterprise customers may require MFA via organizational SSO policy
  • Sessions expire after periods of inactivity

3.3 Single Sign-On (SSO)

Enterprise customers may configure SAML 2.0-based SSO with their identity provider. SSO integration enforces your organization's authentication policies including MFA requirements and access controls.

4. Infrastructure Security

4.1 Hosting Environment

The Service is hosted on enterprise-grade cloud infrastructure with:

  • Network isolation and segmentation
  • Firewall rules and security groups limiting access to necessary ports and services
  • DDoS protection at the network and application layers
  • Infrastructure-as-code with version-controlled configurations

4.2 Database Security

  • PostgreSQL databases are not publicly accessible
  • Database connections require TLS
  • Database access is restricted to application service accounts with minimal required permissions
  • Vector database (pgvector) for AI embeddings is isolated within the same secure environment

5. Application Security

5.1 Secure Development

We follow secure software development lifecycle (SDLC) practices:

  • All code undergoes peer review prior to deployment
  • Automated static analysis and dependency vulnerability scanning on every commit
  • Security-focused code review for authentication, authorization, data handling, and input validation

5.2 Input Validation

All user inputs are validated and sanitized server-side. We employ parameterized queries to prevent SQL injection and output encoding to prevent cross-site scripting (XSS) attacks.

5.3 Rate Limiting and Abuse Prevention

API endpoints and authentication flows are protected by rate limiting. Brute-force attacks on login are detected and blocked automatically.

6. Logging and Monitoring

We maintain comprehensive security logging including:

  • Authentication events (logins, failures, MFA)
  • Authorization events (access grants and denials)
  • Data access and modification events
  • Administrative actions
  • API usage patterns

Logs are retained for a minimum of 365 days and are protected from tampering. Automated alerting monitors for suspicious patterns including failed authentication spikes, unusual data access volumes, and API abuse.

7. Vulnerability Management

  • Infrastructure and application dependencies are scanned continuously for known vulnerabilities
  • Critical vulnerabilities (CVSS 9.0+) are patched within 24 hours
  • High vulnerabilities (CVSS 7.0–8.9) are patched within 7 days
  • Medium vulnerabilities are patched within 30 days
  • Low vulnerabilities are tracked and addressed in regular release cycles

8. Incident Response

We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. In the event of a security incident affecting your data:

  • We will notify affected customers without undue delay and no later than 72 hours after becoming aware of the incident (as required by GDPR) or within timeframes required by other applicable laws
  • Notifications will describe the nature of the incident, categories and approximate number of records affected, likely consequences, and measures taken or proposed
  • A designated incident response team is on-call 24/7 for critical security events

9. Backup and Disaster Recovery

  • Customer data is backed up daily to geographically separate storage
  • Backups are encrypted and access-controlled
  • Backup restoration is tested quarterly
  • Our Recovery Point Objective (RPO) target is 24 hours
  • Our Recovery Time Objective (RTO) target is 4 hours for critical systems

10. Third-Party Security

All third-party vendors and subprocessors with access to customer data undergo security review before onboarding. We require:

  • Documented security controls and policies
  • Vendor SOC 2 Type II report or equivalent security certification (on request)
  • Data processing agreements (DPAs) with appropriate security and confidentiality obligations
  • Annual re-assessment for ongoing engagements

11. Responsible Disclosure

If you discover a potential security vulnerability in our Service, we ask that you report it responsibly:

  • Email: legal@ravdevtech.com (subject: "Security Vulnerability Report")
  • Please include a description of the vulnerability, steps to reproduce, and potential impact
  • We will acknowledge your report within 48 hours and provide a remediation timeline
  • We will not take legal action against individuals who report vulnerabilities in good faith

12. Compliance Certifications

RavDev Technologies is working toward and committed to the following compliance frameworks:

  • SOC 2 Type II readiness (Security, Availability, Confidentiality)
  • NIST SP 800-53 (Federal Information Security Controls)
  • 2 CFR Part 200 (Uniform Guidance for Federal Awards)
  • GDPR (EU General Data Protection Regulation)
  • CCPA/CPRA (California Consumer Privacy Act)

13. Contact

For security concerns or questions about our security practices:

RavDev Technologies, LLC

Security Team: legal@ravdevtech.com (subject: "Security Inquiry")
Support: support@ravdevtech.com