Security & trust
Honest about what we do, and what we don’t.
Cause Shield protects donation infrastructure for nonprofits. That means we hold a serious duty of care over donor data and the systems that move money. This page is a frank inventory of the controls we have today, and the certifications we don’t yet hold. Buyers deserve a straight answer; this is ours.
What we do today
Donor PII is minimised by default
Donor names and email addresses flowing through our smart-webhook receiver are SHA-256 hashed with a per-organisation pepper before they touch the database — we never persist the raw payload from the fundraising platform. Stripe sends us the donor email on each charge so you can review flagged donations; that email is stored so we can show it to you, and never shared with third parties beyond the sub-processors disclosed in our DPA. Tracking events are anonymous unless your team explicitly identifies the donor on the donation form via our snippet. We do not collect phone numbers, addresses, dates of birth, payment card data, or any other personal data.
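A sketch of the peppered hashing described above, added here as an illustration and not Cause Shield's own code. It assumes HMAC-SHA-256 keyed with the per-organisation pepper (the page does not state the exact construction); the payload field names, `ORG_PEPPERS` and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed per-organisation peppers (assumption): a real deployment would
# load these from a secrets manager, never from source code or the database.
ORG_PEPPERS = {
    "org_a": secrets.token_bytes(32),
    "org_b": secrets.token_bytes(32),
}


def normalise_email(email: str) -> str:
    """Canonicalise so trivially different spellings map to one token."""
    return unicodedata.normalize("NFKC", email).strip().casefold()


def pseudonymise(org_id: str, field: str, value: str) -> str:
    """Return a hex token for one PII field, keyed by the organisation's pepper.

    The field name is mixed in for domain separation, so a name and an email
    that happen to share a string never produce the same token.
    """
    pepper = ORG_PEPPERS[org_id]  # KeyError for an unknown org: fail closed
    message = field.encode() + b"\x00" + value.encode("utf-8")
    return hmac.new(pepper, message, hashlib.sha256).hexdigest()


def scrub_payload(org_id: str, payload: dict) -> dict:
    """Build the row to persist: tokens replace PII, the raw payload is dropped."""
    email = normalise_email(payload["email"])
    return {
        "org_id": org_id,
        "donor_email_token": pseudonymise(org_id, "email", email),
        "donor_name_token": pseudonymise(org_id, "name", payload["name"].strip()),
        "amount": payload["amount"],
    }


def same_donor(token_a: str, token_b: str) -> bool:
    """Compare two tokens in constant time."""
    return hmac.compare_digest(token_a, token_b)
```

Because the pepper differs per organisation, the same donor email yields unrelated tokens in two tenants, and without the pepper a leaked table cannot be reversed by hashing a list of known email addresses.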
No card data, ever
Cause Shield doesn't process payments. Your existing payment processor (Stripe, Braintree, etc.) remains the system of record. We see the metadata Stripe exposes — amount, country, card BIN, brand — but never the PAN. This keeps us out of PCI DSS scope by design.
Encrypted at rest, encrypted in transit
All customer data lives in Supabase Postgres with at-rest AES-256 encryption. All API traffic is TLS 1.2+. The tracking and webhook ingest endpoints reject plain HTTP.
Row-level security on every table
Every Postgres table that holds customer data has a Row Level Security policy scoped to organisation membership. Even if our application layer were bypassed, the database would refuse to return another tenant's rows.
Monthly security scan on our own infrastructure
The same Cause Shield monthly security scan we sell to customers also runs against our own production endpoints. Reports are reviewed internally before deploys. (We use the word scan, not penetration test, because that's what it is — a defensive external configuration audit, not a human-operated exploit attempt.)
Stripe Connect — read-only by intent
Stripe Connect requires `read_write` scope to register webhook endpoints, so that's what we ask for. We never call write APIs against your Stripe account. You can revoke our access at any time from your Stripe dashboard.
Audit log on every important action
Member invites, plan changes, key rotations, webhook secret changes, share-link creation — all written to an append-only audit log inside your settings page. Useful for SOC 2 vendor reviews.
Honest defaults on tracking
Our tracking script honours `navigator.doNotTrack`, never uses third-party cookies, never fingerprints, drops IP addresses after deriving country, and supports a per-page opt-out attribute.
What we don't yet have
No SOC 2 attestation yet
We follow SOC-2-aligned operational practices (encrypted-at-rest storage, scoped access controls, change management, monthly automated audit), but we don't yet hold a Type I or Type II report. We'll publish the actual report when we do — until then, we won't claim it.
No PCI DSS Attestation of Compliance
Because we never see card data, PCI scope doesn't extend to us — your processor remains the system of record. We do not hold a PCI AOC and won't display one we don't have.
No SAML / SCIM (yet)
We support Google and Microsoft OAuth login via Clerk today. Enterprise SSO (SAML) and automated provisioning (SCIM) are on the roadmap and will arrive alongside an Enterprise tier when our customer base needs them.
Reporting a vulnerability
security@causeshield.com
If you've found a vulnerability or have a security concern, email us. We respond within one business day. We don't yet run a formal bug bounty programme; responsible disclosure is welcome and we publicly thank reporters who choose to be named.
Sub-processors
Cause Shield is built on the following sub-processors. Each one is also held to the data handling commitments above.
- Vercel — application hosting (US/EU regions)
- Supabase — Postgres database, file storage
- Anthropic (Claude) — model inference for fraud, classification, narratives, security reports
- Stripe — subscription billing for Cause Shield itself
- Clerk — authentication
- Resend — transactional email
Last updated May 2026. We’ll publish DPAs and a sub-processor change feed once we have customers requesting them.