Your data, protected.
How we handle your business data, plainly. No security theater, no jargon, no hidden caveats.
Where your data lives
Your data sits on AWS infrastructure in the us-west-1 region (Northern California), managed by Supabase, our database provider. AWS us-west-1 is a SOC 2-compliant facility operated by Amazon; Supabase is SOC 2 Type II certified for the database layer it operates. Your business data never leaves the US.
Encryption
Your data is encrypted when it's sitting on disk in the database. Receipts, photos, and other file uploads are encrypted at rest in Amazon S3 object storage. Network traffic between your browser and our servers uses HTTPS (TLS 1.2 or higher), the same encryption your bank uses.
Per-business isolation
Each Bit & Grain business has its own row-level isolation, meaning the database itself enforces that you can only ever see your own business's data, not someone else's. It's enforced at the database layer, not the application layer, so even a bug in our code can't leak another business's data into yours.
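As an added illustration (not Bit & Grain's own schema or policies), this is what "the database itself enforces isolation" looks like in Postgres, the engine Supabase runs: row-level security policies that filter every read and write by the caller's business. It assumes Supabase's `authenticated` role and `auth.uid()` helper; the tables, columns and UUIDs are hypothetical.

```sql
-- Added example, not the project's code. Hypothetical tables for a
-- multi-business app on Supabase/Postgres.
create table businesses (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Which signed-in user belongs to which business.
create table memberships (
  business_id uuid not null references businesses(id) on delete cascade,
  user_id     uuid not null,              -- equals auth.uid() for that user
  primary key (business_id, user_id)
);

create table receipts (
  id           uuid primary key default gen_random_uuid(),
  business_id  uuid not null references businesses(id) on delete cascade,
  amount_cents integer not null,
  note         text
);

-- Constructed seed data: two businesses, one user in each, one receipt each.
insert into businesses (id, name) values
  ('aaaaaaaa-0000-0000-0000-000000000001', 'Bakery A'),
  ('aaaaaaaa-0000-0000-0000-000000000002', 'Cafe B');
insert into memberships (business_id, user_id) values
  ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111'),
  ('aaaaaaaa-0000-0000-0000-000000000002', '22222222-2222-2222-2222-222222222222');
insert into receipts (business_id, amount_cents, note) values
  ('aaaaaaaa-0000-0000-0000-000000000001', 1250, 'flour'),
  ('aaaaaaaa-0000-0000-0000-000000000002', 480,  'milk');

-- Turn RLS on. FORCE applies it even to the table owner, so application
-- code running under a privileged role still cannot cross the boundary.
alter table memberships enable row level security;
alter table receipts    enable row level security;
alter table receipts    force  row level security;

-- With RLS enabled and no matching policy, the default is "no rows".
-- USING filters what the caller can see; WITH CHECK rejects inserts or
-- updates that would place a row in a business the caller is not part of.
create policy receipts_own_business on receipts
  for all to authenticated
  using (
    business_id in (select business_id from memberships where user_id = auth.uid())
  )
  with check (
    business_id in (select business_id from memberships where user_id = auth.uid())
  );

-- Users can read only their own membership rows.
create policy memberships_self on memberships
  for select to authenticated
  using (user_id = auth.uid());

-- Check from psql by impersonating a user the way Supabase's API layer does.
-- Assumption: auth.uid() reads the "sub" claim from request.jwt.claims.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}', true);

-- Returns only Bakery A's receipt, even though the query has no WHERE clause.
select business_id, amount_cents, note from receipts;

-- Writing into Cafe B fails WITH CHECK:
-- ERROR: new row violates row-level security policy for table "receipts"
insert into receipts (business_id, amount_cents, note)
  values ('aaaaaaaa-0000-0000-0000-000000000002', 999, 'not mine');
rollback;
```

The point a reviewer checks here is that the filtering happens in the policy, not in the application's query: a forgotten `WHERE business_id = ?` in app code returns the same rows as a correct one, and the `with check` clause closes the write side, which `using` alone does not.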
Authentication
Sign in with Google or with email + password. Passwords are hashed using bcrypt, an industry-standard one-way hashing function, so even we can't see your actual password. Login sessions last 30 days, then require you to sign in again. Two-factor authentication is on the roadmap for Q3 2026.
Account deletion
Request deletion from your account settings. Your data is removed from our active database within 30 days of the request. Backups roll off in another 30 days. Total: 60-day end-to-end deletion window. You can export everything via CSV before you delete; your data is yours.
Backups
Database backups run daily and are stored in AWS us-west-1. Point-in-time recovery is enabled on production, meaning that if something catastrophic happened (a bad migration, a regional outage), we can restore the database to any specific moment within the past 7 days. We've never had to use this in production, but it's there.
Compliance posture (read this honestly)
We are not SOC 2 certified, ISO 27001 certified, or HIPAA-compliant today. Bit & Grain is a pre-launch product. Pursuing formal compliance certifications takes 12-18 months and significant spend, and right now we'd rather put that money into shipping the product.
When we have enterprise customers who need formal certifications (customers whose own compliance program requires their vendors to be SOC 2), we'll start the SOC 2 Type II process. We're transparent about the timeline.
If you need a security questionnaire answered for your due-diligence process today, email security@bitandgrain.app and we'll work through it with you directly.
Have a different security or trust question? Email security@bitandgrain.app or reach out via contact.
Ready to start with confidence?
Free to start. $29/mo for Pro. Your data lives on AWS, encrypted, isolated, and yours to export anytime.