Trust & Security
Trust is at the heart of what we do. As a community-run nonprofit, we earn it through transparency, minimal data collection, and practical security. Here’s exactly how.
Our Principles
- Collect only what we need. See our Privacy Policy for the full list.
- No ad tracking. No analytics services, no ad pixels, no behavioral profiling on this site.
- No tracking cookies. We only use localStorage for your light/dark mode preference — it stays on your device and is never sent to us. Cloudflare may set essential security cookies (like __cf_bm for bot management); those are outside our control and covered by Cloudflare’s privacy policy.
- Open source. Our website code is published under the MIT License so anyone can review it.
Website Security
Our website is hosted on Cloudflare Pages — a static site with additional security best practices applied.
Organizational Security
- Multi-factor authentication — Enabled for all accounts when and where possible as a minimum best practice
- Least-privilege access — Reviewed regularly
- Volunteer screening — Board members and moderators are vetted through a review process
Privacy in Practice
- No analytics, ad pixels, or behavioral profiling
- All fonts self-hosted — no data leaves our infrastructure for font delivery
- No social share buttons that track visitors
- Cloudflare processes standard request data to run the site; we don’t access or store those logs
- Third-party services (e.g., NeonOne) operate under written data processing agreements
Security Contact
Found a vulnerability? Report it responsibly — please don’t publicly disclose before we respond.
- Security reports: security@studygrc.org
- Abuse or policy violations: abuse@studygrc.org
- Security.txt: /security.txt
We acknowledge security reports within 72 hours and share a fix timeline within five business days.
Responsible Disclosure
- Report the vulnerability privately
- We acknowledge receipt within 72 hours
- We investigate and fix the issue
- We notify you when the fix is deployed
- We credit reporters who want public acknowledgment
We will not take legal action against researchers who follow this process in good faith.
Compliance
- GDPR — We honor EU/EEA and UK data subject rights
- COPPA — We don’t knowingly collect information from children under 13
- WCAG 2.2 AA — Our website targets WCAG 2.2 Level AA accessibility
- 501(c)(3) — Our financials are publicly available on the Transparency page
- CISA CPG 2.0 — The Cybersecurity and Infrastructure Security Agency’s Cybersecurity Performance Goals guide our security best practices. As resources allow, we plan to map to the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF 2.0), then the more detailed NIST SP 800-53 controls, and eventually the international ISO 27001 standard — with volunteer help.
Open Source
Our website code is published under the MIT License. Review it, file issues, or contribute.
- View our open documentation on GitHub
- View website source on GitHub
Contact
- General: contact@studygrc.org
- Security: security@studygrc.org
- Abuse: abuse@studygrc.org