Security & Compliance

EffortGuard handles federal research compliance data. Our controls are built to that standard.

Encryption

TLS 1.2+ in transit. AES-256 at rest on all primary data stores.

Access Control

Role-based access (Owner, Admin, PI, Compliance, Viewer). API keys hashed with SHA-256. OAuth 2.0 for third-party integrations.

Data Isolation

Row-level security enforces institution scoping on every query. No cross-tenant access.

Audit Trail

Every read, write, and admin action recorded with actor, timestamp, and payload for 2 CFR §200.303 evidence.

Incident Response

Documented incident register. Notification within 72 hours of confirmed customer-data incidents.

Records Retention

Three-year retention on effort records, flags, and audit logs per 2 CFR §200.333. Retention locks on closed periods.

Infrastructure

EffortGuard runs on hardened cloud infrastructure with Supabase as the primary data store, deployed across isolated production environments with automated patching and 24/7 monitoring.

SOC 2 alignment

Our control framework maps to the SOC 2 Trust Services Criteria across Security, Availability, Confidentiality, and Privacy. Customer-facing SOC 2 module exposes access reviews, vendor register, incident log, and backup status. SOC 2 reports are available to Enterprise customers under NDA.

Federal regulation coverage

  • 2 CFR §200.303 — internal controls evidence via audit trail
  • 2 CFR §200.308 — prior approval alerts at ≥25% effort reduction
  • 2 CFR §200.333 — three-year records retention with period locks
  • 2 CFR §200.430 — pre-certification effort gap detection
  • NIH GPS §9.2 — 76% key personnel effort threshold alerts (NIH only)

Backups & disaster recovery

Daily encrypted database backups with point-in-time recovery. Backup integrity tested on a recurring schedule. RPO 24 hours, RTO 4 hours for production data.

Sub-processors

Supabase Inc. (database), Anthropic PBC (AI features), Cloudflare Inc. (hosting & edge), Stripe Inc. (payment processing). All sub-processors are evaluated under our vendor risk register.

Report a vulnerability

Email security@effortguard.com with reproduction steps. We acknowledge within 2 business days and coordinate disclosure with reporters in good faith.