Security & trust
Built for charity-grade trust.
Your charity's data is sensitive. We treat it that way: UK-hosted, encrypted, GDPR-compliant, audited. Below is how, in plain English.
- GDPR · UK servers
- ICO ZA928374
- SOC 2 Type II in progress
- Cyber Essentials Plus
- DPA on request
- Annual pen test
Where your data lives
Stored on Hetzner Cloud servers in Germany (EU), with daily encrypted backups to a second EU region.
- UK / EU only: no US data transfers
- Daily backups, 30-day retention
- Customer-isolated database schemas
Encryption
AES-256 at rest, TLS 1.3 in transit. Hardware-backed vaults for secrets. Argon2id password hashing.
- AES-256 at rest
- TLS 1.3 in transit
- Argon2id password hashing
Compliance
GDPR compliant, ICO registered, Cyber Essentials Plus. SOC 2 Type II audit expected Q3 2026.
- GDPR compliant + ICO registered
- Cyber Essentials Plus
- Annual external penetration test
Access & audit
Data actions logged for 12 months on Agency plans. Least-privilege access, MFA required for staff.
- Per-user audit log
- MFA required for staff
- 72-hour incident notification
Subprocessors
The vendors we trust with your data. Updated 12 May 2026.
| VENDOR | PURPOSE | REGION | DATA PROCESSED |
|---|---|---|---|
| Hetzner | Compute & storage | Germany (EU) | All charity data |
| Postmark | Transactional email | EU | Email addresses, alerts |
| Anthropic | AI scoring & drafts | EU API region | Charity profile (no PII) |
| Stripe | Payments | EU + US | Billing only |
| Cloudflare | CDN & DDoS | Global edge | Public marketing pages only |
Trust Report
Documentation and live status available on request.
Status page
Documentation and live status available on request.
Vulnerability disclosure
Documentation and live status available on request.