Security
A plain-language summary of how customer data is handled. Written for nonprofit boards doing vendor due diligence.
Where data lives
Customer data is stored in a single SQLite database on our production server, located in a US data center. We do not replicate customer data to third-party analytics, marketing, or advertising platforms.
Encryption
All HTTP traffic to charityfile.com is served over TLS, terminated at the edge by our reverse proxy. Authentication tokens are transmitted as HTTP-only cookies over TLS. Database backups are taken regularly and stored encrypted at rest.
Authentication
Sign-in is via an emailed magic link. We do not store passwords. A sign-in link is single-use and short-lived; clicking it establishes a session bound to the requesting browser.
What we collect
For sign-in: your email. For compliance tracking: your organization’s EIN, registration dates, fiscal year, and the states you operate in. We do not collect bank or payment details — payments are handled by Stripe and we receive only the subscription status.
Reporting a vulnerability
If you believe you’ve found a security issue, please email support@charityfile.com with details. We take reports seriously and will respond within two business days. Please do not test against live customer data.