Under Development — GrieveRight is targeting an August 2026 launch. Demo videos coming soon!

Security & Privacy

Grievance records contain some of the most sensitive data in the labor movement — employee complaints, witness statements, disciplinary records, management correspondence, and legal strategy. GrieveRight protects this data with the same standards used by financial institutions and healthcare organizations.

Encryption

At rest and in transit. No exceptions.

Encryption at Rest

Every file uploaded to GrieveRight — grievance documents, witness statement attachments, complaint intake form attachments, contract uploads, and knowledge base PDFs — is encrypted before being written to storage using modern authenticated encryption.

What this means in practice:
  • Files are encrypted with a modern, high-speed cipher resistant to known attacks
  • Authenticated encryption means any tampering with stored data is automatically detected and rejected
  • Encryption and authentication happen in a single operation — no gaps in protection
  • Each encrypted file includes a hash for integrity verification on every download

Per-Union Encryption Keys

Each union in the system has its own encryption key, derived from a master key using industry-standard key derivation. This means:

  • Each union's data is encrypted with its own unique key, so a problem with one union's key cannot affect any other union's data
  • Data from different unions is cryptographically separated
  • Encryption keys are stored securely on the server, never exposed to clients or stored alongside your data
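
The scheme described under Encryption at Rest and Per-Union Encryption Keys, sketched as an added example that is not GrieveRight's own code. The page does not name its algorithms, so HKDF-SHA-256, AES-256-GCM, SHA-256, the blob layout and the context label are all assumptions.

```javascript
// Added example. Assumptions not stated on the page: HKDF-SHA-256 for key
// derivation, AES-256-GCM as the authenticated cipher, SHA-256 as the stored hash.
const crypto = require('node:crypto');

// Derive one 32-byte key per union. Every union key comes from masterKey,
// so the master key is the root secret and must never sit next to the data.
function deriveUnionKey(masterKey, unionId) {
  const info = `grieveright-demo:file-key:${unionId}`; // hypothetical context label
  return Buffer.from(crypto.hkdfSync('sha256', masterKey, Buffer.alloc(0), info, 32));
}

function sha256Hex(buf) {
  return crypto.createHash('sha256').update(buf).digest('hex');
}

// Blob layout (constructed for this example): nonce(12) || tag(16) || ciphertext.
function encryptFile(masterKey, unionId, fileId, plaintext) {
  const nonce = crypto.randomBytes(12); // fresh per file; a GCM nonce must not repeat per key
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveUnionKey(masterKey, unionId), nonce);
  cipher.setAAD(Buffer.from(`${unionId}/${fileId}`)); // binds the blob to its record
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const blob = Buffer.concat([nonce, cipher.getAuthTag(), body]);
  return { blob, sha256: sha256Hex(blob) };
}

// The stored hash catches corruption; the GCM tag is what defeats someone
// who can rewrite both the blob and its hash in the bucket.
function decryptFile(masterKey, unionId, fileId, blob, storedSha256) {
  if (sha256Hex(blob) !== storedSha256) throw new Error('stored hash mismatch');
  const key = deriveUnionKey(masterKey, unionId);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(`${unionId}/${fileId}`));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, associated data or ciphertext does not match the tag.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}
```

Decrypting a blob under a different union ID or file ID fails at the tag check, which is the cryptographic separation the list above describes.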

In Transit

All connections to GrieveRight are encrypted with TLS 1.2+ via Cloudflare's CDN. HTTP connections are automatically upgraded to HTTPS. No unencrypted communication is ever accepted.

Cloud Storage

Encrypted files stored on enterprise-grade infrastructure.

GrieveRight's storage layer supports S3-compatible cloud backends, including Cloudflare R2 and AWS S3. All files are encrypted before they leave the application server, meaning the cloud provider itself cannot read your files. Even if someone gained access to the raw storage bucket, they would see only encrypted binary data.

Client-Side Encryption

Files are encrypted on the GrieveRight server before upload to cloud storage; "client-side" here means on the client side of the storage provider, not in the user's browser. The cloud provider only stores encrypted bytes.

Integrity Verification

Every file has a stored hash. On download, the hash is verified to ensure no tampering or corruption occurred.

Swappable Backends

Switch between local filesystem and S3-compatible cloud storage without any changes to your data or workflow.

Privacy by Design

Your data is your data. Period.

Privacy is not an afterthought in GrieveRight. It is the foundation of the architecture. The federated model is itself a privacy mechanism — data isolation between unions and between locals is enforced at the database query level, not just the application level.

Organizational Privacy

  • Union isolation: Different unions cannot see each other's data. Separate encryption keys, separate queries, separate everything.
  • Local isolation: Locals within the same union cannot see each other's data. Local 100 and Local 200 are completely invisible to each other.
  • National restrictions: National staff see only metadata for local grievances that have reached their level. Full access requires explicit consent from the local.
  • Admin boundaries: Union admins cannot manage local users. Local admins cannot manage national users. Each admin level has clear boundaries.

Individual Privacy

  • Grievant data: Grievant personal information is visible only to users with access to their cases. Stewards cannot see other stewards' grievants.
  • Witness statements: Submitted through token-based links that expire. Witness identity and statement content are protected within the case file.
  • Confidential content: Documents and logbook entries can be marked confidential, restricting access to the author and explicitly granted users.
  • Notification preferences: Users control their own notification channels (email, SMS). Opt-in, not opt-out.

AI Privacy

The AI writing assistant is an optional feature that can be disabled entirely per deployment. When enabled, the AI processes grievance descriptions and contract text to provide suggestions. AI requests are rate-limited (20/hour per user), responses can be cached to minimize external API calls, and your union chooses the AI provider (OpenAI, Anthropic, or Google) based on your privacy requirements. The AI does not store your data, does not train on your data, and does not share your data with third parties. Every AI interaction is scoped to the individual grievance — it does not cross-reference between cases or users.

Authentication & Access Control

Multi-layer security from login to every action.

Password Security

Passwords are hashed with industry-standard algorithms — we never store your actual password. Password reset tokens expire after 1 hour. Account activation links expire after 72 hours. Rate limiting on login attempts prevents brute-force attacks.

Two-Factor Authentication

Three 2FA methods: authenticator apps (TOTP), SMS codes, and email verification. Recovery codes for backup access. Trusted devices remembered for 30 days. Union-wide enforcement available for administrators.

CSRF Protection

Every form submission is protected against cross-site request forgery. Per-session tokens are generated and verified on every POST request. No action can be triggered by an external site.

Policy-Based Authorization

Every entity type (grievance, contract, user, document, etc.) has its own authorization policy class. Access checks are centralized and consistent. No ad-hoc permission checks scattered through the code.

Rate Limiting

Configurable per-action rate limits protect against abuse. Login, signup, file uploads, AI requests, email sending, and API endpoints are all rate-limited with per-user or per-IP scoping.

Tenant Isolation

Every request is scoped to the user's union and local. This isolation is enforced at the data layer, not just the interface. Cross-tenant data access is architecturally impossible.

Immutable Audit Trail

Every action is logged. Nothing is deleted.

GrieveRight maintains an immutable audit log of every significant action in the system. Audit entries are append-only — they can never be modified or deleted, even by administrators. This provides a complete, tamper-proof record of who did what, when, and what changed.

What Gets Logged

  • Grievance creation, editing, advancing, remanding, and resolution
  • Document uploads, downloads, and deletions
  • Visibility grants and revocations
  • User creation, role changes, and capability modifications
  • Deadline completions, extensions, and waivers
  • Handoffs and reassignments
  • Billing events (subscription changes, seat updates)
  • Login/logout events and access patterns

Field-Level Change Tracking

When a record is updated, the audit log captures exactly which fields changed, what the old values were, and what the new values are. This provides a complete history of every modification, not just "something changed."

What Is Never Logged

  • Passwords, password hashes, or reset tokens
  • API keys or encryption keys
  • Two-factor authentication secrets or recovery codes
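
One way to combine field-level change tracking, the never-logged list and an append-only log, as an added example that is not GrieveRight's own code. The field names in `NEVER_LOGGED`, the entry shape and the SHA-256 hash chain are assumptions; the page does not say how immutability is enforced.

```javascript
// Added example. Assumptions not stated on the page: the field names in
// NEVER_LOGGED and the SHA-256 hash chain that makes edits to old entries evident.
const { createHash } = require('node:crypto');

const NEVER_LOGGED = new Set(['password', 'password_hash', 'reset_token', 'api_key',
  'encryption_key', 'totp_secret', 'recovery_codes']); // hypothetical column names

// Field-level diff: only changed fields, with old and new values. Secret fields
// record that a change happened but never the value. Suits flat records.
function diffFields(before, after) {
  const changes = {};
  for (const field of new Set([...Object.keys(before), ...Object.keys(after)])) {
    if (JSON.stringify(before[field]) === JSON.stringify(after[field])) continue;
    changes[field] = NEVER_LOGGED.has(field)
      ? { redacted: true }
      : { old: before[field] ?? null, new: after[field] ?? null };
  }
  return changes;
}

const entryHash = (body) => createHash('sha256').update(JSON.stringify(body)).digest('hex');

// Append-only: each entry commits to the hash of the entry before it.
function appendEntry(log, { actor, action, at }, before, after) {
  const prevHash = log.length ? log[log.length - 1].hash : '0'.repeat(64);
  const body = { seq: log.length, actor, action, at, changes: diffFields(before, after), prevHash };
  const entry = Object.freeze({ ...body, hash: entryHash(body) });
  log.push(entry);
  return entry;
}

// Returns -1 if the chain verifies, otherwise the index of the first bad entry.
function verifyChain(log) {
  let prevHash = '0'.repeat(64);
  for (const [i, entry] of log.entries()) {
    const { hash, ...body } = entry;
    if (entry.seq !== i || entry.prevHash !== prevHash || hash !== entryHash(body)) return i;
    prevHash = hash;
  }
  return -1;
}
```

A chain like this makes edits evident only if the latest hash is also kept somewhere the log writer cannot change.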

Data Ownership & Portability

Your data belongs to your union. Always.

We believe in radical data ownership. Your union's grievance records, documents, messages, and case history belong to you — not to us. GrieveRight is a tool you use, not a vault you're locked into. Here is exactly what that means:

Full Data Export

Local administrators can request a complete export of all their data at any time. The export includes:

  • All grievance records with complete step history
  • All uploaded documents (decrypted)
  • All messages and logbook entries
  • All witness statements and intake forms
  • All RFI records and responses
  • User directory (without password hashes)
  • Audit log entries for your local

No Lock-In

If your union decides to stop using GrieveRight, you take everything with you:

  • Export before canceling: Download your complete data export before you cancel your subscription
  • Read-only after cancellation: Even after canceling, you can still log in and access your data in read-only mode
  • Standard formats: Exports use standard formats (CSV, JSON, PDF) that can be imported into other systems
  • No data destruction: We do not delete your data when you cancel. You maintain access to download your records.

Infrastructure Security

Multiple layers of protection between your data and the internet.

Cloudflare CDN

All traffic passes through Cloudflare's global network. DDoS protection, TLS termination, and edge caching for static assets.

Cloudflare Turnstile

Public forms (signup, contact, complaint intake) are protected by Cloudflare Turnstile CAPTCHA to prevent automated abuse.

Injection Prevention

All data access is protected against injection attacks at the platform level. User input is never treated as executable code.

Output Sanitization

All user-provided data is sanitized before display. Cross-site scripting attacks are prevented at the platform level, not left to chance.

Automatic Backups

Daily automated backups of all data and encrypted files. If something goes wrong, your grievance records can be restored quickly and completely.

Session Security

Sessions are revalidated every 5 minutes. Session data is stored server-side. Session tokens are regenerated on login to prevent fixation attacks.

Your Grievance Data Deserves Real Protection

Join the unions that trust GrieveRight to keep their most sensitive records safe. Every plan includes the full security stack — no tiers, no add-ons.