Secure grants software

Best practice security measures that protect you,
your organisation and your program participants.
Safe, secure and private. 

No credit card required | 14-day free trial | Cancel anytime

One of the most secure grants management software solutions worldwide. If not the most secure.


The Good Grants application and hosting stack have been architected with security practices and features built in so you’ll never have to worry about the security of your grants or scholarship data stored in Good Grants.

Multi-factor authentication (MFA)

Server security

Our multi-server architecture is secured in a Virtual Private Cloud (VPC). There is no access via FTP. Server access is only possible by authorised staff via SSH key-based authentication through VPN access to our VPC.

Access to our AWS infrastructure is only available to authorised Good Grants staff and is governed by Identity and Access Management (IAM) and multi-factor authentication (MFA).

Multi-factor authentication (MFA)

Physical security

All our application stack physical infrastructure and data storage is within Amazon Web Services (AWS) data centres in the EU. AWS data centre and network architecture are built to comply with stringent global standards such as SOC 1, SOC 2, SOC 3, and Cloud Security Alliance Controls. These standards meet the requirements of the most security-sensitive organisations.

AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilising video surveillance, intrusion detection systems and other electronic means.

Multi-factor authentication (MFA)

Data encryption

In keeping with best-practice security, all data at rest (in our databases and media stores) is stored encrypted. All data in transit (including login credentials) is protected using TLS 1.2 (https) by default, with (AES)-256 bit encryption and SHA-256 signed certificates.

Multi-factor authentication (MFA)

Encrypted personal data

Personal data, sometimes referred to as Personally Identifiable Information (PII), is information that can be used to uniquely identify, contact or locate a single individual. Keeping PII secure is dictated by various regulations and privacy laws internationally. Additional layers of encryption can be applied for elevated security on sensitive data fields. 

Multi-factor authentication (MFA)

Role and permission-based access control

Good Grants has an extensible system for defining user roles and associated system use permissions so that users can only access functionality they’re permitted to, whether they be applicants, assessors or grant managers.

Multi-factor authentication (MFA)

Optional multi-factor authentication

Individual users can choose to increase protection of their account against unauthorised access by enabling multi-factor authentication (MFA). MFA can also be required for specific roles with elevated access levels.

The primary authentication method after password is a Time-based One-Time Password (TOTP). Backup recovery methods include recovery codes and SMS.

Multi-factor authentication (MFA)


User account access is password protected. Passwords are stored with one-way bcrypt hashing. As a result, the original password can never be read, seen or recovered by anyone, even those with direct access to the system database. 

A minimum password length of 12 characters is enforced. We do not have a minimum complexity requirement as that has been demonstrated to reduce security.

Multi-factor authentication (MFA)


Good Grants performs rigorous security testing including risk analysis, automated scanning, and third-party vulnerability and penetration testing. In the unlikely event a security incident or data breach occurs, we have a best-practice resolution path in place and will alert account owners by email immediately.

If clients wish to perform their own penetration testing, we will be happy to facilitate this on a special-purpose non-production clone stack by arrangement. Our most recent penetration testing certificate is available on request.


Good Grants is extremely privacy conscious. Our staff work together to handle your data responsibly and ensure your right to privacy is maintained at all times. Our product is also designed to help you comply with local privacy laws by offering choice in data storage region. 

Multi-factor authentication (MFA)

Data residency

When it comes to your data hosting location, you have the freedom to choose between several supported regions.
Learn more about our data residency feature

Multi-factor authentication (MFA)

Data handling

We’ve developed and implemented comprehensive processes, privacy safeguards and ongoing training for our teams to ensure we are following best-practice data handling procedures. 

Multi-factor authentication (MFA)

Privacy policy

Learn more about our privacy policy as mandated by our parent company, Creative Force.

Data regulation compliance

Good Grants is packed full of features to help you maintain compliance with requirements under the various regulations listed below. Our team regularly works to expand our compliance coverage to help you meet your compliance needs.

Multi-factor authentication (MFA)

General Data Protection Regulation (GDPR)

GDPR stands for the General Data Protection Regulation and is effective as of May 25th, 2018.

GDPR replaces national privacy and security laws that previously existed within the EU with a single, comprehensive EU-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EU.

Read more about the GDPR



Lei Geral de Proteção de Dados (LGPD)

The Lei Geral de Proteção de Dados (LGPD) is a new Brazilian privacy law that went into effect on 18 September 2020, but enforcement will not start until August 2021. Like the GDPR, it regulates the collection, use, processing, storage, and transfer of personal data of Brazil data subjects. 

Good Grants is committed to complying with the requirements of the LGPD, and we will analyze the requirements of this new law and update our policies and materials where needed.

Read more about the LGPD

Multi-factor authentication (MFA)

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act is applicable to California residents and is effective from 1 July 2020. Good Grants recognises California has recently passed an addendum to the CCPA known as the California Privacy Rights Act (“CPRA”). As with the LGPD, we will analyze the additional requirements and update our policies and materials where needed. 

Read more about the CCPA

Multi-factor authentication (MFA)

Australian Privacy Principles

The primary legislation that governs privacy in Australia is the Privacy Act 1988 (Cth). The cornerstone of the Act is the Australian Privacy Principles (APP). These principles replaced the previous National Privacy Principles in March 2014.

Read more about the APP



Grants, scholarships and corporate-giving programs deal in integrity, stability and trust and are mission critical projects. As such, Good Grants has been architected and is maintained to be as dependable as possibile. We are committed to delivering a service which is stable, secure at scale, readily available and recoverable. 

Multi-factor authentication (MFA)

Business continuity and disaster recovery

In the event of a disruption to our operations, our business continuity and disaster recovery plan is in place and ensures minimal impact on our clients and their programs.

Multi-factor authentication (MFA)

Stable foundation

Good Grants is built on industry-leading cloud infrastructure from AWS. It is designed with redundancy and failover systems, and is dependable and optimised for performance.

Multi-factor authentication (MFA)


Good Grants is built to respond to increased client data and user loads, fast. Our platform performs consistently and predictably, even under high volumes. 

Multi-factor authentication (MFA)


Since inception, Good Grants clients have enjoyed more than 99.99% service availability. The majority of downtime was for scheduled maintenance, which we communicated well in advance. We hold ourselves to these high standards on an ongoing basis.

Multi-factor authentication (MFA)

Status transparency

Real-time system status, detailing the status of various components of the platform as well as the platform as a whole, is readily available from our open and publicly accessible status page.

Certifications + documentation

Use our responses to the CAIQ to fast track your assessment of our security profile or download our IEC/ISO 27001 or PCI-DSS attestation certificates below.

CAIQ v3.1 logo

The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1. offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency.

Download our CAIQ response


The Higher Education Community Vendor Assessment Tool (HECVAT) is a security assessment template that attempts to generalise higher education information security and data protection questions. It is the higher education equivalent of the CAIQ.

Download the certificate


Good Grants is fully compliant with the Payment Card Industry Data Security Standard (PCI DSS), please find our attestation below.

Download the certificate


Good Grants has been independently audited and verified to fulfil the requirements of the ISO / IEC 27001 : 2013 standard.

Download the certificate

Frequently asked questions

Good Grants uses Amazon Web Services (AWS) infrastructure to host the system. Our application and database servers are located in the European Union, the United States of America and Australia. For security reasons, Amazon does not publish the physical locations of their data centres.

Yes, custom domains are available on the Premium plan.

The Good Grants application is packed full of features to help clients maintain GDPR, CCPA, LGPD and APP compliance.

Yes, our ISO 27001 certificate and PCI-DSS attestation is freely available above and we are more than happy to pass along our most recent penetration test results. Please get in contact if you'd like to receive a copy.