Trust
Trust at Cause Shield.
We protect donation infrastructure for nonprofits, which means we hold a serious duty of care over donor data and the systems that move money. This page is the procurement-team home: where your data lives, who has access, our sub-processors, our DPA, and how to report a vulnerability. For the technical control inventory, see /security.
Donor PII minimised
TLS 1.2+ in transit
AES-256 at rest
Monthly self-scan
Where your data lives
Choose your region: US, Europe, or Australia
At sign-up, you pick where your data lives. Three regions today: AWS us-east-1 (Virginia, United States), AWS eu-west-1 (Dublin, Ireland, which covers EU and UK customers via the EU↔UK mutual adequacy decisions), and AWS ap-southeast-2 (Sydney, Australia). All persistent customer data (transactions, supporters, webhook events, donor identity hashes) lives entirely in your chosen region's Supabase project, with at-rest AES-256 encryption and per-organisation Row Level Security. Cause Shield's own operational data (support tickets, internal admin) stays in us-east-1 regardless of customer region. For EU customers under strict residency requirements, Anthropic (Claude API), Clerk (authentication), and Resend (transactional email) remain US-hosted sub-processors. They are disclosed in DPA Clause 13 and covered by Standard Contractual Clauses; EU-region replacements are on the roadmap.
Donor PII minimised at every layer
Donor names and email addresses from our smart-webhook receiver are SHA-256 hashed with a per-organisation pepper before storage. We never persist the raw payload. Stripe transactions include the donor email so you can review flagged donations, and that data stays inside your account. Card data never reaches Cause Shield. Your payment processor remains the system of record. We see only the metadata your processor exposes (amount, country, BIN, brand) and nothing more.
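The property a per-organisation pepper buys, as an added example rather than Cause Shield's own code: it assumes HMAC-SHA256 keyed with the pepper as the construction, and the function names, peppers and addresses are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample peppers; real ones are random secrets kept outside the database.
PEPPER_ORG_A = bytes(range(32))
PEPPER_ORG_B = bytes(range(32, 64))

def normalise_email(email: str) -> str:
    """Canonicalise so trivially different spellings of one address hash identically."""
    return unicodedata.normalize("NFKC", email).strip().casefold()

def plain_hash(email: str) -> str:
    """Unkeyed SHA-256: anyone holding a candidate address can recompute it."""
    return hashlib.sha256(normalise_email(email).encode("utf-8")).hexdigest()

def donor_hash(email: str, org_pepper: bytes) -> str:
    """SHA-256 keyed with one organisation's pepper (HMAC construction, assumed here)."""
    if len(org_pepper) < 32:
        raise ValueError("pepper must be at least 32 random bytes")
    msg = normalise_email(email).encode("utf-8")
    return hmac.new(org_pepper, msg, hashlib.sha256).hexdigest()

def matching_guesses(stored_hash, candidates, hasher):
    """Candidates a reader of the stored value could confirm using `hasher`."""
    return [c for c in candidates if hmac.compare_digest(hasher(c), stored_hash)]

def demo():
    donor = "  Jane.Doe@Example.ORG "
    guesses = ["a@example.org", "jane.doe@example.org"]
    in_a = donor_hash(donor, PEPPER_ORG_A)
    in_b = donor_hash(donor, PEPPER_ORG_B)
    return {
        # Same donor, two organisations: the stored values cannot be joined.
        "linkable_across_orgs": in_a == in_b,
        # Without the pepper, recomputing candidate hashes confirms nothing.
        "confirmed_without_pepper": matching_guesses(in_a, guesses, plain_hash),
        # The unkeyed form is confirmable by anyone with a list of addresses.
        "confirmed_if_unkeyed": matching_guesses(plain_hash(donor), guesses, plain_hash),
    }

if __name__ == "__main__":
    print(demo())
```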
Who has access
RBAC + per-site scoping
Every member has a role (owner, admin, finance, IT, viewer) and an optional per-site scope. Share links are read-only, signed, time-bounded, and revocable from the dashboard. Internal Cause Shield staff are on an allowlist; production-data access requires a documented reason and is written to the audit log.
Audit log on every important action
Member invites, role changes, key rotations, webhook secret changes, share-link creation: all written to an append-only audit log inside your settings page. Exportable to CSV for SOC 2 vendor reviews.
Sub-processors
Cause Shield is built on the following sub-processors. Each is held to the same data handling commitments we make to you.
| Sub-processor | Purpose | Data category | Region |
|---|---|---|---|
| Vercel | Application hosting + edge | Request metadata, IP (transient) | us-east |
| Supabase | Postgres database + file storage | All persisted customer + hashed donor data | us-east-1, eu-west-1, or ap-southeast-2 (per-customer) |
| Clerk | Authentication + user management | Customer staff email, OAuth identity | us-east |
| Anthropic | AI inference for fraud scoring, webhook classification, narratives, and security reports. Does not train on customer API inputs/outputs; logs retained 30 days for trust & safety. | Inbound webhook payloads (donor email/name in transit, hashed before storage), de-identified transaction metadata, scan outputs. Free-text fields >500 chars trimmed before send. | us-east |
| Resend | Transactional email delivery | Customer staff email, message body | us-east |
| Stripe | Payments + customer billing for Cause Shield | Customer billing details, payment metadata | multi-region |
Last updated June 2026. We’ll publish a sub-processor change feed once customers ask us to subscribe to it.
DPA + agreements
Pre-flow DPA, GDPR Article 28 aligned
Our Data Processing Agreement uses GDPR Article 28 compliant pre-flow language and is available for review before contract. It covers categories of data, sub-processors, international transfers (SCCs for EU customers), and breach notification SLAs. For counter-signature on enterprise procurement, contact billing@causeshield.com.
Incident response + reporting
security@causeshield.com, 1 business day
If you've spotted a vulnerability or suspect a security event, email us. We acknowledge within one business day. Our security.txt file lives at /.well-known/security.txt per RFC 9116, so if your procurement tooling pulls that automatically, it'll find us.
Acknowledgments
Researchers who report vulnerabilities responsibly will be listed here with their permission. We don’t run a paid bug bounty yet, but we credit named reporters and respond fast. No public entries today. First slot is yours.
Compliance roadmap
SOC 2 Type I: work has started
We follow SOC-2-aligned operational practices today (encrypted storage, scoped access, change management, monthly automated audits). Type I report work has started, with target completion approximately month 9. We won't claim compliance we don't yet hold. When the report exists, we'll publish it here.
No PCI DSS AoC
Because we never see card data, PCI scope doesn't extend to us. We won't display an AoC we don't have. Your processor remains the system of record.