Security & Compliance
EffortGuard handles federal research compliance data. Our controls are built to that standard.
TLS 1.2+ in transit. AES-256 at rest on all primary data stores.
Role-based access (Owner, Admin, PI, Compliance, Viewer). API keys hashed with SHA-256. OAuth 2.0 for third-party integrations.
Row-level security enforces institution scoping on every query. No cross-tenant access.
Every read, write, and admin action recorded with actor, timestamp, and payload for 2 CFR §200.303 evidence.
Documented incident register. Notification within 72 hours of confirmed customer-data incidents.
Three-year retention on effort records, flags, and audit logs per 2 CFR §200.333. Retention locks on closed periods.
Infrastructure
EffortGuard runs on hardened cloud infrastructure with Supabase as the primary data store, deployed across isolated production environments with automated patching and 24/7 monitoring.
SOC 2 alignment
Our control framework maps to the SOC 2 Trust Services Criteria across Security, Availability, Confidentiality, and Privacy. Customer-facing SOC 2 module exposes access reviews, vendor register, incident log, and backup status. SOC 2 reports are available to Enterprise customers under NDA.
Federal regulation coverage
- 2 CFR §200.303 — internal controls evidence via audit trail
- 2 CFR §200.308 — prior approval alerts at ≥25% effort reduction
- 2 CFR §200.333 — three-year records retention with period locks
- 2 CFR §200.430 — pre-certification effort gap detection
- NIH GPS §9.2 — 76% key personnel effort threshold alerts (NIH only)
Backups & disaster recovery
Daily encrypted database backups with point-in-time recovery. Backup integrity tested on a recurring schedule. RPO 24 hours, RTO 4 hours for production data.
Sub-processors
Supabase Inc. (database), Anthropic PBC (AI features), Cloudflare Inc. (hosting & edge), Stripe Inc. (payment processing). All sub-processors are evaluated under our vendor risk register.
Report a vulnerability
Email security@effortguard.com with reproduction steps. We acknowledge within 2 business days and coordinate disclosure with reporters in good faith.