KeepGrid
Run Audit

Security

Last updated: 2026-05-16

We treat security seriously because we're asking you to connect a bot to your community. Here's what we do, what we use, and how to reach us if you find an issue.

Security Posture

Infrastructure

  • Hosting: Vercel with TLS 1.3, HSTS, automatic SSL renewal.
  • Database: Neon PostgreSQL with encryption at rest (AES-256) and in transit (TLS).
  • Payments: Stripe (PCI DSS Level 1). We never see card numbers — only customer IDs and session IDs for reconciliation.
  • AI: Anthropic API over HTTPS. Claude Sonnet 4 with server-side rate limiting.
  • Secrets: Stored exclusively in Vercel encrypted environment variables. Never in code, never in client bundles.

Authentication

  • Sessions: HttpOnly, Secure, SameSite=Strict cookies. 30-day expiry.
  • Discord OAuth: CSRF state parameter validated on callback. No auto-linking by email to prevent takeover attacks.
  • Session tokens: 32-byte cryptographically random values, stored hashed server-side.

Application layer

  • Input validation: Zod schemas on every API route. No raw database writes.
  • XSS: All rendered markdown sanitized with DOMPurify before display.
  • SQL injection: Mitigated via Prisma ORM with parameterized queries throughout. We do not assemble raw SQL from user input.
  • Prompt injection: User input wrapped in <server_context> tags with explicit model instructions to treat it as untrusted reference data.
  • Rate limiting: Per-IP limits on expensive endpoints:
    • AI preview: 5/10 min
    • Full generation: 3/hour
    • Discord API scan: 10/5 min
    • Paid doc regenerate/retry: 3/hour after ownership checks
    • Manual Pro Ops Scan: 10/hour for paid projects
  • Stripe webhooks: Signature verified + idempotency guard on every event.
  • Discord invite validation: Strict URL parser, host allowlist (discord.gg, discord.com). Rejects anything else.

Discord bot

  • Minimal permissions: We request only what's needed. Full breakdown at /bot-permissions.
  • No message content intent: Bot cannot see messages.
  • No member intent: Bot doesn't track or cache member data.
  • Preflight before writes: dry-run install plans now show mode scope, channel/role capacity checks, rollback coverage, docs-only target warnings, and Discord role-hierarchy guidance before anything is changed.
  • No Administrator role creation: KeepGrid creates staff/VIP/member roles as labels with zero guild-wide permissions and controls access through channel overwrites. Human admin roles stay a manual Discord decision.
  • Idempotent operations: Re-running install is designed to skip items that already exist by name, so re-runs don't duplicate channels/roles. We recommend a test server for first runs.
  • No background writes: The bot never modifies your server automatically. Writes happen only after explicit user actions: Install, Re-install, Roll back, or a Pro Fix Button you clicked and confirmed in a modal. Every write is audit-logged with full before/after state and is one-click revertible.
  • Pro scheduled scans are read-only: weekly scans read channel/role/permission metadata via Discord's public API to compute your Ops Score and detect drift. Schedule scans cannot create, edit, or delete anything — they only surface findings. Acting on a finding still requires you to click Run Fix and confirm.
  • Pro Fix Buttons: each Fix Button checks the bot's permissions, opens a confirmation modal listing the exact change, and writes an audit-log row before mutating Discord. Discord's native server audit log also receives an X-Audit-Log-Reason attribution. Reverts replay the captured before-state.
  • Ticket SLA tracking is metadata-only: open/stale/breach computed from thread timestamps, category, archived/locked flags. Message bodies are never read or stored. Discord's privileged Message Content intent is not requested at all.

Automated Testing

Every deploy runs:

  • 100+ Jest tests covering document generation, AI fallback, input validation, markdown rendering, permissions, and UI safety.
  • TypeScript strict mode — no implicit any, no untyped boundaries.
  • Next.js build validation — fails on broken imports, bad routes, or invalid metadata.

Data Handling

  • Encryption: TLS 1.3 in transit, AES-256 at rest.
  • Minimal collection: We only store what we need to deliver the product. See /privacy for the full list.
  • No training on your data: Per Discord Developer Policy, we never use your data to train AI models.
  • Right to delete: One email removes everything. See /data-deletion.

Responsible Disclosure

Found a vulnerability? Please report it to ops@keepgrid.net. Include:

  • Steps to reproduce
  • Impact / affected endpoints
  • Your contact info (so we can credit you if you want)

We'll respond within 24 hours and work with you on coordinated disclosure. Please don't publicly disclose until we've had a chance to fix.

What You Should Do

  • Use a dedicated Discord account if you're setting up a server for a client.
  • Review bot permissions after install and remove anything you don't need going forward.
  • Keep your Discord OAuth session secure — don't share screen while your dashboard is open.
  • Report anything suspicious immediately to the contact above.

Past Incidents

2026-05-16: A generated deployment artifact under a public dotfile path was found during an internal audit and removed the same day. We added proxy-level dotfile blocking, production smoke checks for sensitive paths, and a provider credential-rotation checklist. Operational status updates live on /status and shipped fixes are logged on /changelog.

Compliance

  • GDPR: data portability, deletion, and rectification supported.
  • CCPA: California privacy rights honored.
  • Discord Developer Policy: compliant. We never scrape, store message content, or use Discord data for AI training.
  • Stripe: PCI DSS Level 1 via hosted checkout — we don't handle cards directly.

Contact

Security team: ops@keepgrid.net. For agency, paid creator, or studio pilot paperwork, see /business-transparency.