You're trusting us with rosters, donations, and the records of how your community runs. This page is what we have today, what we're working on, and what we won't promise yet — written for a board member doing diligence and an IT lead reading carefully.
Member rosters, payment history, and donor records are visible only to operators you explicitly authorize. Row-level security keeps tenants isolated even when our own engineers are debugging.
Encrypted backups with point-in-time recovery. Database migrations are gated by automated and human review.
Hosted on US cloud infrastructure. We keep encrypted backups and design for recovery.
Administrative changes are recorded, and our access to your data follows a documented support process.
Not to advertisers. Not to data brokers. Not to "partners." Your roster belongs to your organization, and stops at your organization.
The compliance assistant uses retrieval against published government sources, not against your tenant. Your members' names, emails, and donation amounts are not in any training set — ours or anyone else's.
Hard-delete on request is honored, and the deletion propagates through our backups as they age out. We document the timeline in writing.
They're listed below. We update this page when they change.
Counted from the moment we confirm one — not the moment we finish investigating. We commit to this in the DPA.
We list our subprocessors below and update this page when they change.
Last updated June 1, 2026. Full DPA, including the standard contractual clauses — email legal@civvora.com to start the process.
If a confirmed security incident ever affects your members' data, we will notify you in writing within 72 hours of confirming it — counted from confirmation, not from the end of our investigation. We commit to this in the DPA.
We've built the fundamentals in from the start, and we're honest about what's still in progress. Here's where each piece stands.
Every connection is encrypted, and HSTS is enforced on all our domains.
Your database and object storage are encrypted at rest.
Automated, encrypted backups with point-in-time recovery.
Card numbers never touch our servers. Stripe is PCI-DSS Level 1 — we inherit the scope.
Single multi-tenant Postgres with row-level security on every table. Every query is org-scoped at the framework layer, with a database-level safety net.
Self-audited across the operator console.
On our longer-term roadmap. Not committed to a date.
Not in scope today. We will tell you up front if your use case requires it.