Security & trust

Your donor data is safer here than in your inbox.

GDPR by default. EU-only hosting. Encryption at every layer. Plain-English policies you can hand to your board.

Encrypted everywhere

All data in transit over TLS 1.3. All data at rest encrypted at the database layer. CRM API keys held in Supabase Vault, never in plain text.

EU-only hosting

Postgres on Supabase Pro, EU-west-1 (Ireland). No US data residency. No cross-Atlantic round trips on every page render.

Row-level security

Every charity sees only their own data, enforced at the database. Even a compromised admin token cannot read another charity’s donor list.

Multi-factor auth

TOTP-based 2FA on platform admin, vendor accounts and the production deploy chain. Domain lock on the registrar. FileVault on engineering laptops.

Daily backups

Daily physical backups, eight-day retention. PITR available on request. Full restore tested quarterly.

Audit logging

Every sensitive action recorded: who, what, when, from where. Audit trail available to admins on request.

Policies on file

Need a deeper assurance pack?

Larger charities and corporates often ask for a vendor questionnaire, pen-test summary or sub-processor list. Email security@impacturi.com and we will send the latest pack.

Book a 20-minute demo