Security & Compliance

Your data. Your infrastructure. Your control.

Self-hosting is the security model. Your donor data never leaves your institution's controlled infrastructure. RBAC-first access control, encrypted credentials, signed webhooks, and governance attestation gates throughout.

Security Principles

Designed for institutions with real compliance obligations.

Self-hosted infrastructure
Your PostgreSQL database runs on your servers. Donor data never transits through our systems. You control backups, retention, and access. Export everything at any time with no vendor involvement.
Encrypted credential storage
Every third-party API key (Stripe, Google, Meta) is encrypted at rest using a dedicated INTEGRATION_ENCRYPTION_KEY stored separately from the application. Keys are never logged or exposed in plaintext.
Webhook signature verification
All inbound webhooks (Stripe, Resend/Svix, ACH) are verified using HMAC signatures before processing. Outbound webhooks are signed with per-endpoint secrets. Replay attacks are blocked via timestamp validation.
RBAC-first access control
Five distinct portal types (Personal, Family, Workspace, Partner Admin, EvaNeT Ops) each with independent permission sets. Roles enforced at the API layer — not just the UI. "Request Access" flows for restricted portals.
Governance attestation gates
Ad platform connections (Google Ads, Meta Ads) and GTM tracking require explicit staff attestation before activation. No audience data is synchronized without deliberate admin authorization. A full audit trail is maintained.
Comprehensive audit trails
CRM activity logging records every major action: a gift officer creates an opportunity, staff update a donor record, an admin connects an advertising account, a receipt is issued or reissued. All webhook events are stored with their raw payload.
Deployment Architecture

Docker Compose stack. Every component under your control.

The reference architecture uses Caddy as a reverse proxy for automatic SSL, Cloudflared for secure tunnel access without exposing ports, and a dedicated ops cron runner isolated from web traffic.

Caddy
Reverse proxy with automatic SSL via Let's Encrypt. Handles routing across all environments (production, staging, playgrounds, ops).
Cloudflared
Secure tunnel to Cloudflare's network. Zero-port-forward deployment option — no inbound firewall rules required on the host server.
Secrets Store
Environment variables and encryption keys stored on the tailnet only — inaccessible from the public internet. Separate from application containers.
Ops Cron
Dedicated cron runner container executes 20+ scheduled jobs (payment renewals, monitoring probes, marketing jobs) isolated from web request handling.
[Architecture diagram] Internet / Cloudflare Edge (DDoS protection, SSL termination, WAF) → Caddy reverse proxy + SSL (automatic HTTPS, multi-domain routing) → web-production (live donor data), web-staging (pre-release testing), web-ops (platform management). Cloudflared Tunnel (zero-port-forward, tailnet). Secrets Store (tailnet-only, INTEGRATION_KEY). Ops Cron Runner (20+ scheduled jobs, isolated). PostgreSQL (per-environment, isolated DBs). Host: your institution's server infrastructure, Ubuntu 22.04, 4 GB RAM minimum, Docker + Docker Compose.
Access Control

Five portal types. Precise permissions at every level.

Portal             Donor Data    Gift Processing   CRM / Pipeline   Admin Config    Platform Ops
Personal / Donor   Own only      Give only
Workspace Staff
Workspace Admin
Partner Admin      Scoped        Scoped            Scoped           Partner scope
EvaNeT Ops         All tenants   All               All              All

RBAC is enforced at the tRPC API layer, with a legacy membership fallback for transition periods. Session-based database switching is available to EvaNeT operators only.

Compliance Features

Built for institutional audit readiness.

IRS & Tax Compliance
  • 501(c)(3) language included automatically in all receipts
  • Goods/services received disclosure on every receipt
  • Form 8283 prefill for non-cash contributions
  • Fair market value disclosure for event ticket purchases
  • Acknowledgment letters for donor-requested documentation
  • Gift restriction tracking (endowed vs. expendable)
Data & Privacy
  • PCI-DSS: card data never touches your servers (Stripe tokenization)
  • Self-hosted: FERPA-friendly — donor data on your infrastructure
  • Communication preferences and opt-out management
  • Donor intelligence access logging for KYC compliance
  • Explicit attestation for any outbound data to ad platforms
  • Full audit trail: every major action timestamped and attributed
Security Review

Questions for your IT or compliance team? We have answers.

We're happy to provide a full security architecture review with your institution's IT and data governance teams as part of the discovery process.