Trust
Trust at Cause Shield.
We protect donation infrastructure for nonprofits, which means we hold a serious duty of care over donor data and the systems that move money. This page is the procurement-team home: where your data lives, who has access, our sub-processors, our DPA, and how to report a vulnerability. For the technical control inventory, see /security.
Donor PII minimised
TLS 1.2+ in transit
AES-256 at rest
Monthly self-scan
Where your data lives
Supabase Postgres in us-east-1
All persistent customer and (hashed) donor data lives in a Supabase Postgres cluster in AWS us-east-1, with at-rest AES-256 encryption and per-organisation Row Level Security. For Australian-residency procurement, we can spin up a separate project in Supabase's Sydney region — flag it during onboarding and we'll quote the lift.
Donor PII minimised at every layer
Donor names and email addresses from our smart-webhook receiver are SHA-256 hashed with a per-organisation pepper before storage — we never persist the raw payload. Stripe transactions include the donor email so you can review flagged donations, and that data stays inside your account. Card data never reaches Cause Shield — your payment processor remains the system of record. We see only the metadata your processor exposes (amount, country, BIN, brand) and nothing more.
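An added example, not Cause Shield's own code: one way to hash donor fields with a per-organisation pepper before storage, so the same donor cannot be correlated across organisations or recovered by guessing addresses. The HMAC-SHA-256 construction, the normalisation step, the field names, the pepper values and the payload are all assumptions made for illustration; the page does not specify them.

```python
import hashlib
import hmac
import unicodedata

# Constructed per-organisation peppers; in practice these are random secrets
# held outside the database (assumption, not from the page).
PEPPERS = {
    "org_a": bytes.fromhex("11" * 32),
    "org_b": bytes.fromhex("22" * 32),
}
PII_FIELDS = ("donor_name", "donor_email")  # hypothetical field names


def normalise(value: str) -> bytes:
    """Canonicalise so ' Ada@Example.org' and 'ada@example.org' match."""
    return unicodedata.normalize("NFKC", value).strip().casefold().encode("utf-8")


def peppered_digest(org_id: str, field: str, value: str) -> str:
    """HMAC-SHA-256 keyed with the organisation's pepper.

    The field name is bound into the message so a name and an email with the
    same text never produce the same digest.
    """
    msg = field.encode() + b"\x00" + normalise(value)
    return hmac.new(PEPPERS[org_id], msg, hashlib.sha256).hexdigest()


def minimise(org_id: str, payload: dict) -> dict:
    """Return the record to persist: PII replaced by digests, raw values dropped."""
    record = {k: v for k, v in payload.items() if k not in PII_FIELDS}
    for field in PII_FIELDS:
        if payload.get(field):
            record[field + "_hash"] = peppered_digest(org_id, field, payload[field])
    return record


# Constructed webhook payload for illustration.
SAMPLE = {"donor_name": "Ada Example", "donor_email": " Ada@Example.org",
          "amount": 2500, "country": "AU"}

if __name__ == "__main__":
    stored = minimise("org_a", SAMPLE)
    print(stored)
    # An unpeppered SHA-256 of an email can be recomputed by anyone who guesses
    # the address; the peppered digest cannot without the organisation's secret.
    plain = hashlib.sha256(normalise(SAMPLE["donor_email"])).hexdigest()
    print(plain != stored["donor_email_hash"])
```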
Who has access
RBAC + per-site scoping
Every member has a role (owner, admin, finance, IT, viewer) and an optional per-site scope. Share links are read-only, signed, time-bounded, and revocable from the dashboard. Internal Cause Shield staff are on an allowlist; production-data access requires a documented reason and is written to the audit log.
Audit log on every important action
Member invites, role changes, key rotations, webhook secret changes, share-link creation — all written to an append-only audit log inside your settings page. Exportable to CSV for SOC 2 vendor reviews.
Sub-processors
Cause Shield is built on the following sub-processors. Each is held to the same data handling commitments we make to you.
| Sub-processor | Purpose | Data category | Region |
|---|---|---|---|
| Vercel | Application hosting + edge | Request metadata, IP (transient) | us-east |
| Supabase | Postgres database + file storage | All persisted customer + hashed donor data | us-east (AU project option) |
| Clerk | Authentication + user management | Customer staff email, OAuth identity | us-east |
| Anthropic | AI inference — fraud scoring, narratives, security reports | De-identified donation metadata, scan outputs | us-east |
| Resend | Transactional email delivery | Customer staff email, message body | us-east |
| Stripe | Payments + customer billing for Cause Shield | Customer billing details, payment metadata | multi-region |
Last updated May 2026. We’ll publish a sub-processor change feed once customers ask to subscribe to one.
DPA + agreements
Pre-flow DPA, GDPR Article 28 aligned
Our Data Processing Agreement uses GDPR Article 28 compliant pre-flow language and is available for review before contract. It covers categories of data, sub-processors, international transfers (SCCs for EU customers), and breach notification SLAs. For counter-signature on enterprise procurement, contact billing@causeshield.com.
Incident response + reporting
security@causeshield.com — 1 business day
If you've spotted a vulnerability or suspect a security event, email us. We acknowledge within one business day. Our security.txt file lives at /.well-known/security.txt per RFC 9116 — if your procurement tooling pulls that automatically, it'll find us.
Acknowledgments
Researchers who report vulnerabilities responsibly will be listed here with their permission. We don’t run a paid bug bounty yet, but we credit named reporters and respond fast. No public entries today — first slot is yours.
Compliance roadmap
SOC 2 Type I — work has started
We follow SOC-2-aligned operational practices today (encrypted storage, scoped access, change management, monthly automated audits). Type I report work has started, with target completion approximately month 9. We won't claim compliance we don't yet hold — when the report exists, we'll publish it here.
No PCI DSS AoC
Because we never see card data, PCI scope doesn't extend to us. We won't display an AoC we don't have — your processor remains the system of record.