Security

How Grounded keeps your data safe.

Security is fundamental to how Grounded operates. This page covers our security practices and controls.

Data Protection

Encryption

  • In transit: All data encrypted with TLS 1.3
  • At rest: Database encrypted with AES-256
  • API keys: Hashed and never stored in plain text

Data Isolation

  • Each customer's data is logically isolated
  • Row-level security in the database
  • No cross-customer data access possible

Infrastructure

Hosting

  • Hosted on Vercel (frontend) and Supabase (backend)
  • SOC 2 Type II compliant infrastructure
  • Regular security audits

Availability

  • 99.9% uptime SLA
  • Automatic failover
  • Global CDN distribution

Access Control

Authentication

  • Secure authentication via Supabase Auth
  • Support for email/password and OAuth
  • Session tokens with secure expiration

API Security

  • Unique API keys per chatbot
  • Keys can be rotated anytime
  • Rate limiting prevents abuse

Widget Security

Domain Restrictions

Limit where your widget can be embedded:

  1. Go to Settings > Security
  2. Add domains under Allowed Domains
  3. Only listed domains can use your API key

Add both your production domain and any staging/development domains you use.

Content Security

  • Widget loaded via HTTPS only
  • No third-party tracking scripts
  • Minimal data collection

AI Safety

Prompt Injection Protection

All user inputs are sanitized to prevent:

  • System prompt manipulation
  • Role confusion attacks
  • Data extraction attempts

Response Safety

  • AI cannot access external systems
  • Responses limited to knowledge base content
  • No execution of user-provided code

Hallucination Prevention

  • Low confidence triggers refusal
  • All claims must have source citations
  • Semantic verification of responses

Compliance

Data Residency

  • Primary data storage in the US
  • EU data residency available on request
  • Contact us for specific requirements

Privacy

  • GDPR compliant
  • No sale of customer data
  • Data deletion available on request

Certifications

  • SOC 2 Type II (via infrastructure providers)
  • Additional certifications available for enterprise

Reporting Issues

Security Vulnerabilities

Report security issues to: security@grounded.sh

We commit to:

  • Acknowledging reports within 24 hours
  • Providing updates within 72 hours
  • Not pursuing legal action for good-faith reports