PostGrad

Trust Center

One page for everything you need to evaluate PostGrad's security, privacy, and legal posture. Links below are the canonical sources of truth.

Sub-processors

PostGrad currently uses 11 sub-processors (registry v2.0.0). See the full list with purpose, location, and data processed at /sub-processors. Customers receive at least 30 days' prior notice before any new sub-processor begins processing personal data.

Security contact

Email [email protected] for any security-related question or report. See also /.well-known/security.txt (RFC 9116).

Vulnerability disclosure policy

We welcome good-faith security research. If you believe you have found a security vulnerability in PostGrad, please email [email protected] with a description, reproduction steps, and any relevant artifacts.

Safe harbor. We will not pursue civil or criminal action against researchers who:

  • Make a good-faith effort to avoid privacy violations and disruption to others.
  • Only access data necessary to demonstrate the vulnerability.
  • Give us a reasonable window (at least 90 days) before public disclosure.
  • Do not exploit the issue beyond what is required to confirm it.

We will acknowledge valid reports within 3 business days and aim to remediate critical issues within 30 days. We do not currently run a paid bug-bounty program.

Data Processing Addendum

Our Article 28 GDPR DPA is published at /legal/dpa/v1.0.0 and is available for execution by all customers processing personal data through PostGrad.

Designated DMCA Agent

Legal entity
PostGrad LLC
Email
[email protected]
USCO registration #
PENDING

See the full DMCA notice & takedown policy at /dmca. File a notice at /dmca/submit.

Terms & Privacy

Security incident response

PostGrad maintains a documented 72-hour breach notification SLA in accordance with GDPR Article 33. Our internal breach response runbook is available to enterprise customers under NDA — request a copy from [email protected].

Data Subject Request SLAs

  • GDPR: 30 days from verified request
  • CCPA: 45 days from verified request

Authenticated customers can self-serve access, export, and deletion from /dashboard/settings/privacy.