You're trusting us with rosters, donations, and the records of how your community runs. This page is what we have today, what we're working on, and what we won't promise yet — written for a board member doing diligence and an IT lead reading carefully.
Member rosters, payment history, and donor records are visible only to operators you explicitly authorize. Row-level security keeps tenants isolated even when our own engineers are debugging.
Append-only audit log on configuration. Daily backups with point-in-time recovery. Database migrations gated by automated and human review.
99.9% uptime SLA on the Organization plan. Hosted on AWS us-east-2 with multi-AZ Postgres and automated failover. Live status page linked below.
Every administrative action — by you or us — is recorded. We do not access your data without a documented support request, and the access is itself logged.
Not to advertisers. Not to data brokers. Not to "partners." Your roster belongs to your organization, and stops at your organization.
The compliance assistant uses retrieval against published government sources, not against your tenant. Your members' names, emails, and donation amounts are not in any training set — ours or anyone else's.
CSV for tabular data. JSON for nested structures. Postgres dump on request. The migration tools we built for inbound work in reverse, too.
Hard-delete on request honored within 30 days. Backups expire on rolling 35-day windows; the deletion propagates as those backups age out. We document the timeline in writing.
Below. We email Organization-plan customers 30 days before adding a new one.
Counted from the moment we confirm one — not the moment we finish investigating. We commit to this in the DPA and we have rehearsed the runbook.
Updated monthly. Organization-plan customers are notified by email 30 days before any addition.
Last updated April 18, 2026. Full DPA, including the standard contractual clauses, is available on request.
We rehearse this. Tabletop exercises every quarter, full restore drills against the backup database, and a written runbook for the kinds of incidents that have actually happened to platforms our size.
If you've gotten this far down the page, you're either on a board doing diligence, or in IT at an organization bigger than the ones we usually serve. Either way — thank you for reading carefully. It's the right thing to do.
Here is the truth: CivVora is a small company. We are not large enough to have a CISO with a corner office. What we have instead is a team that has personally migrated a hundred-some organizations off Mailchimp and QuickBooks and a paper roster, and the engineer who wrote the row-level security rules also takes the on-call pager.
We chose to write this page in the same voice we'd use to walk you through it on a call, because the alternative — a glossy "enterprise-grade trust" page that hides the gaps — is what every other vendor does, and I don't think any of you are fooled by it.
If something on this page is missing or unclear, that's a real signal to me. Email me directly: nora@civvora.com. I read every one and I will tell you the truth, including when the answer is "not yet."
— Nora Aldrich, founder. Mayberry, California. Updated April 28, 2026.
We're a four-year-old company supporting 340+ organizations. We've got the fundamentals tight; we're working through the certifications. Here's the truth on each.
TLS 1.2+ on every connection. HSTS enforced on all marketing and app domains.
AES-256 on the database and all object storage. Keys managed via AWS KMS.
35-day retention, point-in-time recovery to any minute in the last 7 days. Restore drills run quarterly.
Card numbers never touch our servers. Stripe is PCI-DSS Level 1 — we inherit the scope.
Single multi-tenant Postgres with row-level security on every table. Every query is org-scoped at the framework layer, with a database-level safety net.
TOTP available on every operator account. Required for the Owner role.
Every config change, role change, and bulk action is logged with actor, timestamp, and before/after — visible to operators in-app.
CSV for everything, Postgres dump on request. We help you migrate off the same way we help you migrate on.
Audit window opened February 2026. Type I report available now under NDA. Type II expected Q4 2026.
Annual engagement with a CREST-certified firm; first report dated November 2025. Summary letter available under NDA.
Available on the Organization plan and above today (Google Workspace, Microsoft 365, Okta). SCIM provisioning is the next item up.
Self-audited across the operator console; third-party audit scheduled for Q3. Outstanding issues tracked publicly on our changelog.
Next on the SSO track. Q3 2026.
Live today at status.civvora.com — see the badge below. Historical incidents back to Jan 2025.
Asked for by two of our largest customers. Designing now; not yet committed to a date.
Not in scope today. We will tell you up front if your use case requires it.