Capital Intelligence Platform

Security & Compliance

Your fundraising data is sensitive. We treat it that way.
SOC 2 Framework
Our security framework is designed around SOC 2 compliance requirements. We implement comprehensive controls for security, availability, and confidentiality.
Role-Based Access Control
Six distinct roles with granular permissions. Multi-tenant isolation ensures organizations only access their own data. Founder access is scoped to specific companies.
Tiered NDA Access
Three-tier NDA framework controls document visibility. Pre-NDA, Standard NDA, and Enhanced NDA levels ensure sensitive materials are only shared with authorized parties.
Document Watermarking
Automatic watermarking on sensitive documents with viewer identity, timestamp, and classification level. Full traceability for every document access.
Audit Logging
Comprehensive audit trail for every user action. Immutable logs capture who accessed what, when, and from where — essential for compliance and incident response.
Encryption & Infrastructure
Data encrypted at rest and in transit. API keys are encrypted before storage and never exposed in full after saving. JWT tokens stored in httpOnly cookies, never in localStorage.

How We Handle Your Data

Every organization's data is isolated by org_id at the database level. Queries are always scoped to the current user's organization — there is no global access mode. API keys for third-party services are encrypted at rest and masked in the UI after saving.
Authentication uses short-lived JWT access tokens (15 minutes) with refresh tokens (7 days). Tokens are stored in encrypted httpOnly cookies and are never accessible to client-side JavaScript. All API calls are proxied server-side to inject authorization headers.
Login endpoints are rate-limited (10 requests per minute per IP) to prevent brute-force attacks. All responses include security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy).
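The controls described above, as an added Python example that is not the platform's own code: a tenant-scoped query builder that refuses to run without an org_id, the 15-minute and 7-day token lifetimes set on HttpOnly cookies, a 10-per-minute per-IP login limiter, and the three named response headers. Cookie names, header values, the Secure/SameSite attributes and the %s parameter style are assumptions; encryption of the cookie value is omitted.

```python
import time
from collections import defaultdict, deque

ACCESS_TTL = 15 * 60            # access token lifetime stated on the page
REFRESH_TTL = 7 * 24 * 3600     # refresh token lifetime stated on the page
LOGIN_LIMIT, LOGIN_WINDOW = 10, 60   # 10 login requests per minute per IP

# The page names these headers; the values below are assumed, not quoted from it.
SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

def auth_cookie(name, token, max_age):
    """Set-Cookie value for a JWT. HttpOnly keeps it out of document.cookie;
    Secure and SameSite=Strict are assumed hardening the page does not state."""
    return f"{name}={token}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Strict"

def scoped_query(org_id, table, extra_where="", extra_params=()):
    """Build a SELECT that always carries the tenant predicate. `table` must be a
    trusted constant; user-controlled values go only into the parameter tuple."""
    if not org_id:
        raise ValueError("org_id is required: there is no global access mode")
    where = "org_id = %s" + (f" AND ({extra_where})" if extra_where else "")
    return f"SELECT * FROM {table} WHERE {where}", (org_id, *extra_params)

class LoginRateLimiter:
    """Sliding-window count of login attempts per client IP."""
    def __init__(self, limit=LOGIN_LIMIT, window=LOGIN_WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        q = self.hits[ip]
        while q and q[0] <= now - self.window:   # forget attempts older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over budget: reject (HTTP 429)
        q.append(now)
        return True

def login_response(access_jwt, refresh_jwt):
    """Headers for a successful login: tokens reach the browser only as cookies."""
    return {**SECURITY_HEADERS,
            "Set-Cookie": [auth_cookie("access_token", access_jwt, ACCESS_TTL),
                           auth_cookie("refresh_token", refresh_jwt, REFRESH_TTL)]}
```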

Have security questions?

We're happy to discuss our security practices in detail.