Crafty Security Update 2024: How We Protect Grant Data
Funding applications carry sensitive organisational, financial, and beneficiary data. This update explains the security architecture and governance we have implemented in 2024, and what comes next.
Highlights
- End-to-end encryption for stored artefacts and Supabase-managed Postgres data.
- Single Sign-On (SSO) support and granular role-based access controls across organisations.
- Annual Data Protection Impact Assessment (DPIA) and SOC 2 Type I readiness underway.
Our infrastructure stack
Crafty runs on a modern, secure stack:
- Supabase for Postgres database, authentication, and row-level security controls.
- OpenAI API integration with strict prompt redaction and response filtering.
- Stripe for payment processing.
- Hosted on Vercel with fine-grained environment secrets and regional redundancy.
All data at rest is encrypted using AES-256. Keys are managed via Supabase’s KMS with rotation policies. TLS 1.2+ secures all data in transit.
Role-based access and audit trails
Access is limited by organisational roles (Owner, Collaborator, Reviewer) with principle-of-least-privilege defaults. We log every document access and export event, available through your account audit trail (launching January 2025).
SSO via Microsoft Entra ID and Okta is now available on request. Multi-factor authentication is enforced for owner accounts.
Compliance roadmap
| Control | Status | Target |
|---|---|---|
| DPIA & UK GDPR review | Completed Oct 2024 | Annual cycle |
| Penetration testing | Scheduled Feb 2025 | External CREST-certified tester |
| SOC 2 Type I | In progress | Report by Q3 2025 |
Responsible AI safeguards
We align our AI usage with the UK Information Commissioner’s Office AI guidance. That means:
- No training on customer data.
- Automatic redaction of personal data before prompts reach OpenAI.
- Human-in-the-loop controls with the responsible AI checklist.
Customer controls
You can export or delete applications, evidence, and prompts at any time. We retain application data for 30 days after cancellation, unless you request faster erasure. Backups are encrypted and stored in the EU.
Need a security questionnaire? Email security@hicrafty.com.
Next steps for customers
- Update your internal AI governance using our latest controls.
- Run the readiness checklist with security in mind—document roles and evidence.
- Book a security briefing with our team if you’re preparing for a funder audit.
Further information
Read our updated security whitepaper and DPIA summary in the Crafty Trust Centre (coming January 2025). Reach out via security@hicrafty.com for bespoke due diligence support.