Security & trust
Honest about what we do, and what we don’t.
Cause Shield protects donation infrastructure for nonprofits. That means we hold a serious duty of care over donor data and the systems that move money. This page is a frank inventory of the controls we have today, and the certifications we don’t yet hold. Buyers deserve a straight answer; this is ours.
What we do today
How does Cause Shield minimise donor PII?
Donor names and email addresses flowing through our smart-webhook receiver are SHA-256 hashed with a per-organisation pepper before storage. We retain a structural copy of the inbound payload for debugging and re-classification, but the donor email and name fields are replaced with <hashed> sentinels at write time. The original values are never written to disk. Any other PII the classifier flags (phone numbers, addresses, free-text notes) is hashed or stripped on the same code path. Stripe sends us the donor email on each charge so you can review flagged donations; that email is stored so we can show it to you, and never shared with third parties beyond the sub-processors disclosed in our DPA. Tracking events are anonymous unless your team explicitly identifies the donor on the donation form via our snippet. Organisations can additionally enable Privacy mode: masked from Settings, which hides plaintext donor identifiers from the UI altogether.
What does Cause Shield send to Anthropic for AI inference?
Cause Shield uses Anthropic's Claude API to classify inbound webhook payloads (donor vs. fundraiser, donation vs. registration, risk signals) and to write the plain-English narratives in your dashboard. To do this, the inbound payload (including the donor's plaintext email and name) transits Anthropic's API during inference. Anthropic's commercial terms state they do not train their models on customer API inputs or outputs. API logs are retained for a limited operational window (currently 30 days) for trust & safety, then deleted; Zero Data Retention is available on request. We further reduce surface area by stripping any string field longer than 500 characters (free-text donor comments, bio fields, HTML notes) from the payload sent to Anthropic. Those fields aren't needed for classification and are the most likely to carry incidental third-party PII. Identifiers are then hashed before storage in our database; Anthropic is the only sub-processor that ever sees the plaintext donor identifiers en route to that hash.
Does Cause Shield see card numbers or process payments?
Cause Shield doesn't process payments. Your existing payment processor (Stripe, Braintree, etc.) remains the system of record. We see the metadata Stripe exposes (amount, country, card BIN, brand) but never the PAN. This keeps us out of PCI DSS scope by design.
How is Cause Shield data encrypted?
All customer data lives in Supabase Postgres with at-rest AES-256 encryption. All API traffic is TLS 1.2+. The tracking and webhook ingest endpoints reject plain HTTP.
Can I choose where my donor data is hosted?
Yes. At sign-up you pick from three regions: AWS us-east-1 (Virginia, United States), AWS eu-west-1 (Dublin, Ireland, for EU and UK customers; the EU↔UK mutual adequacy decisions mean Irish hosting satisfies UK GDPR), and AWS ap-southeast-2 (Sydney, Australia). Your donor data (transactions, supporters, webhook events, donor identity hashes) lives entirely in your chosen region's Supabase project. Cause Shield's own operational data (internal staff records, support tickets) stays in us-east-1 regardless. Three sub-processors (Anthropic, Clerk, Resend) remain US-hosted for all customers and are covered by Standard Contractual Clauses; EU-region replacements for these are on the roadmap.
How does Cause Shield handle multi-tenant data isolation?
Every Postgres table that holds customer data has a Row Level Security policy scoped to organisation membership. Even if our application layer were bypassed, the database would refuse to return another tenant's rows.
Monthly security scan on our own infrastructure
The same Cause Shield monthly security scan we sell to customers also runs against our own production endpoints. Reports are reviewed internally before deploys. (We use the word scan, not penetration test, because that's what it is: a defensive external configuration audit, not a human-operated exploit attempt.)
Stripe Connect: read-only by intent
Stripe Connect requires `read_write` scope to register webhook endpoints, so that's what we ask for. We never call write APIs against your Stripe account. You can revoke our access at any time from your Stripe dashboard.
Audit log on every important action
Member invites, plan changes, key rotations, webhook secret changes, share-link creation: all written to an append-only audit log inside your settings page. Useful for SOC 2 vendor reviews.
Honest defaults on tracking
Our tracking script honours navigator.doNotTrack, never uses third-party cookies, never fingerprints, drops IP addresses after deriving country, and supports a per-page opt-out attribute.
What we don't yet have
No SOC 2 attestation yet
We follow SOC-2-aligned operational practices (encrypted-at-rest storage, scoped access controls, change management, monthly automated audit), but we don't yet hold a Type I or Type II report. We'll publish the actual report when we do. Until then, we won't claim it.
No PCI DSS Attestation of Compliance
Because we never see card data, PCI scope doesn't extend to us. Your processor remains the system of record. We do not hold a PCI AOC and won't display one we don't have.
No SAML / SCIM (yet)
We support Google and Microsoft OAuth login via Clerk today. Enterprise SSO (SAML) and automated provisioning (SCIM) are on the roadmap and will arrive alongside an Enterprise tier when our customer base needs them.
Reporting a vulnerability
security@causeshield.com
If you've found a vulnerability or have a security concern, email us. We respond within one business day. We don't yet run a formal bug bounty programme; responsible disclosure is welcome and we publicly thank reporters who choose to be named.
Sub-processors
Cause Shield is built on the following sub-processors. Each one is also held to the data handling commitments above.
- Vercel: application hosting (US/EU regions)
- Supabase: Postgres database, file storage
- Anthropic (Claude): model inference for fraud scoring, webhook classification, narratives, and security reports. Does not train on customer API inputs or outputs. Privacy policy.
- Stripe: subscription billing for Cause Shield itself
- Clerk: authentication
- Resend: transactional email
Last updated June 2026. We’ll publish DPAs and a sub-processor change feed once we have customers requesting them.