Data Security Policy

Last updated: 8 April 2026

This policy describes how Impacturi (operated by Clickonic Ltd) protects the personal data and donor information entrusted to us by our customers. We handle data belonging to charities and their donors, and we take that responsibility seriously.

1. Infrastructure and hosting

  • Database: Hosted on Supabase (PostgreSQL). Supabase is SOC 2 Type II certified. Data is encrypted at rest using AES-256.
  • Application: Hosted on Vercel. All traffic is served over HTTPS with TLS 1.2 or higher. Vercel is SOC 2 Type II certified.
  • Payments: Processed by Stripe. No card numbers or payment details are stored on our infrastructure. Stripe is PCI DSS Level 1 certified.
  • AI services: The AI writing assistant uses the OpenAI API. Data sent to OpenAI is used only to generate the requested content and is not used to train models (per OpenAI's API data usage policy).

2. Access control

  • Row-level security: Enforced at the database layer on all tables containing customer data. Each charity can only query, insert, update, or delete their own records. This is not application-level logic that could be bypassed; it is enforced by PostgreSQL itself.
  • Authentication: Managed by Supabase Auth. Passwords are hashed using bcrypt. Session tokens are short-lived and rotated automatically.
  • Admin access: The platform owner does not have routine access to customer data through the application. Direct database access is restricted and used only for maintenance, debugging, or at the customer's request.

3. Data in transit

All data transmitted between users and the platform is encrypted using TLS. This includes browser sessions, API calls, CRM sync connections, and file uploads. We do not support unencrypted HTTP connections.

4. Data at rest

All data stored in the database is encrypted at rest using AES-256, provided by the hosting infrastructure. Uploaded files (logos, photos) are stored in Supabase Storage with the same encryption standards.

5. CRM integration security

When a charity connects an external CRM (such as Beacon), the API credentials are stored in the database. These credentials are accessible only to the charity that created them, enforced by row-level security. CRM sync operations run server-side and credentials are never exposed to the browser.

6. Backups

Database backups are managed automatically by Supabase. Backups are encrypted and retained according to the hosting provider's backup policy. We do not maintain separate backup infrastructure.

7. Vulnerability management

  • Dependencies are monitored for known vulnerabilities
  • Security patches for critical vulnerabilities are applied promptly
  • We plan to conduct regular penetration testing as the platform scales (see our roadmap)

8. Incident response

We maintain an Incident Response Plan that defines how we detect, respond to, and communicate about security incidents. In the event of a personal data breach, affected customers will be notified within 72 hours.

9. Staff and confidentiality

All individuals with access to production systems are bound by confidentiality obligations. Access is granted on a need-to-know basis and reviewed regularly.

10. Third-party certifications

Our infrastructure providers hold the following certifications:

  • Supabase: SOC 2 Type II
  • Vercel: SOC 2 Type II
  • Stripe: PCI DSS Level 1

Impacturi is working towards Cyber Essentials certification. This page will be updated when certification is achieved.

11. Your responsibilities

As a customer, you are responsible for:

  • Keeping your login credentials secure and not sharing them
  • Ensuring the donor data you upload is accurate and lawfully obtained
  • Informing your donors that their data is processed through the Impacturi platform
  • Reporting any suspected security issues to us promptly

12. Contact

For security questions, to report a vulnerability, or to request a copy of this policy in PDF format, contact:

Dermot Dennehy
Clickonic Ltd
dermot@clickonic.co

This policy is reviewed and updated regularly. The "last updated" date at the top of this page reflects the most recent revision.