Donor stewardship is built on trust. This page lists what our infrastructure providers attest to, what we do operationally on top of that, and how to reach us if you spot something we missed. Every claim links to its source.
DonorForge is built on infrastructure that maintains independent third-party attestations including SOC 2 Type 2, ISO 27001, and PCI DSS for payment-handling components. Customer data is encrypted at rest with AES-256 and in transit with TLS. Authentication runs on a dedicated, isolated identity provider; payment processing runs through a PCI Service Provider Level 1 vendor that handles card tokenization in the browser, so raw card numbers never reach DonorForge servers.
Specific vendor relationships, configuration details, and copies of third-party attestation reports are shared with prospective enterprise customers under NDA. Email security@donorforge.org for the security questionnaire.
Multi-tenant by design. Every record (donors, donations, campaigns, pledges, grants, users) is keyed by org_id at the database level, and every server-side query enforces org membership before returning data. There is no shared "system" surface where one organization can see another organization's data.
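To make the org_id pattern concrete, here is an added example in Python against an in-memory SQLite database. It is not DonorForge's code: the donors table, the Principal shape and the helper names are assumptions for illustration. It shows the membership check running before the query, org_id inside the WHERE clause, and, for contrast, the unscoped lookup by id that the design is meant to rule out.

```python
"""Org-scoped data access: an added example, not DonorForge's own code.

Schema, table names and the Principal shape are assumptions made for
illustration. The pattern: the caller's org memberships are loaded
server-side, checked before every query, and org_id is part of the
WHERE clause, so a guessed record id from another tenant returns nothing.
"""
import sqlite3
from dataclasses import dataclass


class Forbidden(Exception):
    """Caller is not a member of the org they asked for."""


@dataclass(frozen=True)
class Principal:
    user_id: int
    org_ids: frozenset  # loaded from the session store, never from the request body


def setup_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants (org 100 and org 200)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE donors (
            id     INTEGER PRIMARY KEY,
            org_id INTEGER NOT NULL,
            name   TEXT    NOT NULL
        );
        CREATE INDEX donors_org ON donors(org_id);
        INSERT INTO donors VALUES (1, 100, 'Ada'), (2, 100, 'Grace'), (3, 200, 'Linus');
        """
    )
    return conn


def require_membership(principal: Principal, org_id: int) -> None:
    """Server-side membership check; runs before any tenant data is touched."""
    if org_id not in principal.org_ids:
        raise Forbidden(f"user {principal.user_id} is not a member of org {org_id}")


def list_donors(conn: sqlite3.Connection, principal: Principal, org_id: int) -> list:
    require_membership(principal, org_id)
    rows = conn.execute(
        "SELECT id, name FROM donors WHERE org_id = ? ORDER BY id", (org_id,)
    ).fetchall()
    return [{"id": r[0], "name": r[1]} for r in rows]


def get_donor(conn: sqlite3.Connection, principal: Principal, org_id: int, donor_id: int):
    """Scoped lookup: both the membership check and the org_id predicate apply."""
    require_membership(principal, org_id)
    row = conn.execute(
        "SELECT id, name FROM donors WHERE id = ? AND org_id = ?", (donor_id, org_id)
    ).fetchone()
    return None if row is None else {"id": row[0], "name": row[1]}


def get_donor_unscoped(conn: sqlite3.Connection, donor_id: int):
    """The IDOR shape this design rules out: lookup by id alone, no tenant predicate."""
    row = conn.execute("SELECT id, name FROM donors WHERE id = ?", (donor_id,)).fetchone()
    return None if row is None else {"id": row[0], "name": row[1]}


def demo() -> dict:
    conn = setup_demo_db()
    alice = Principal(user_id=1, org_ids=frozenset({100}))  # member of org 100 only
    results = {
        "own_org_list": list_donors(conn, alice, 100),
        "cross_org_by_id": get_donor(conn, alice, 100, 3),  # id 3 belongs to org 200 -> None
        "unscoped_leak": get_donor_unscoped(conn, 3),       # what the unsafe query would return
    }
    try:
        list_donors(conn, alice, 200)
        results["cross_org_list"] = "allowed"
    except Forbidden:
        results["cross_org_list"] = "forbidden"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The detail that matters is where `org_ids` comes from: it is populated server-side from the session. If the org list or the org_id in the path were trusted straight from the client, the membership check would be decorative.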
Every page on donorforge.org ships a Content-Security-Policy that restricts script, style, image, font, and frame sources to a small allowlist of trusted origins. Inline scripts run only when their hash is listed in the policy; any other inline script is blocked. frame-ancestors is set to 'none', so the app cannot be framed by any other origin, which rules out clickjacking.
donorforge.org is on the HSTS preload list with a two-year max-age, includeSubDomains, and preload directive. Every connection is HTTPS; HTTP requests are rejected at the edge.
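Both headers described in the two paragraphs above, built and checked in an added Python example. This is not DonorForge's configuration: the origins, the inline script and the helper names are assumptions. It computes the sha256 source expression for an inline script, assembles a CSP with frame-ancestors 'none', emits the HSTS value, and runs a small checker that flags the weaknesses the page says are absent.

```python
"""Building and checking CSP and HSTS headers: an added example, not
DonorForge's configuration. Origin lists, the inline script and the
helper names are assumptions for illustration.
"""
import base64
import hashlib

TWO_YEARS_SECONDS = 2 * 365 * 24 * 60 * 60  # 63072000
ONE_YEAR_SECONDS = 365 * 24 * 60 * 60        # hstspreload.org's minimum max-age


def script_hash(source: str) -> str:
    """CSP source expression for one inline script. The hash covers the exact
    text between <script> and </script>, whitespace included."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(script_origins, style_origins, img_origins, font_origins,
              frame_origins, inline_scripts=()) -> str:
    hashes = [script_hash(s) for s in inline_scripts]
    directives = [
        ("default-src", ["'self'"]),
        ("script-src", ["'self'", *script_origins, *hashes]),
        ("style-src", ["'self'", *style_origins]),
        ("img-src", ["'self'", *img_origins]),
        ("font-src", ["'self'", *font_origins]),
        ("frame-src", list(frame_origins) or ["'none'"]),
        ("frame-ancestors", ["'none'"]),  # no origin may frame the app
        ("object-src", ["'none'"]),       # common hardening, assumed here
        ("base-uri", ["'self'"]),
    ]
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives)


def build_hsts() -> str:
    return f"max-age={TWO_YEARS_SECONDS}; includeSubDomains; preload"


def parse_csp(value: str) -> dict:
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy


def check_headers(headers: dict) -> list:
    """Findings a reviewer would flag; an empty list matches the page's claims."""
    findings = []
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    if csp.get("frame-ancestors") != ["'none'"]:
        findings.append("frame-ancestors is not 'none' (clickjacking possible)")
    script_src = csp.get("script-src", csp.get("default-src", []))
    if "'unsafe-inline'" in script_src or "*" in script_src:
        findings.append("script-src allows unsafe-inline or any origin")
    if any(src.startswith("http:") for srcs in csp.values() for src in srcs):
        findings.append("CSP allows a plaintext http: source")

    hsts = headers.get("Strict-Transport-Security", "")
    tokens = [t.strip().lower() for t in hsts.split(";") if t.strip()]
    max_age = next((int(t.split("=", 1)[1]) for t in tokens if t.startswith("max-age=")), 0)
    if max_age < ONE_YEAR_SECONDS:
        findings.append(f"HSTS max-age {max_age} is below the one-year preload minimum")
    if "includesubdomains" not in tokens:
        findings.append("HSTS lacks includeSubDomains")
    if "preload" not in tokens:
        findings.append("HSTS lacks preload")
    return findings


def demo_headers() -> dict:
    """Constructed header set in the shape the page describes; origins are assumed."""
    return {
        "Content-Security-Policy": build_csp(
            script_origins=["https://cdn.example"],
            style_origins=["https://cdn.example"],
            img_origins=["https://cdn.example", "data:"],
            font_origins=["https://cdn.example"],
            frame_origins=["https://pay.example"],  # e.g. a processor's card-entry iframe
            inline_scripts=["window.__cfg = {org: 'demo'};"],
        ),
        "Strict-Transport-Security": build_hsts(),
    }


# Constructed weak header set, for contrast.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}


if __name__ == "__main__":
    for name, value in demo_headers().items():
        print(f"{name}: {value}")
    print("findings (strict):", check_headers(demo_headers()))
    print("findings (weak):", check_headers(WEAK_HEADERS))
```

Two caveats a practitioner would want. The hash covers the exact script text, so it belongs in the build step that emits the page, not in a hand-maintained header; and once a hash or nonce appears in script-src, CSP Level 2 and later browsers ignore 'unsafe-inline' in that directive, which is what makes the allowlist strict rather than advisory. The checker uses the preload list's one-year minimum as its floor; the two-year value on the page clears it.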
Within each org, roles (master_admin, org_admin, fundraiser, viewer) determine what a user can see and do. Sensitive views (billing, user management, system config) require the org_admin or master_admin role, and the check is enforced server-side, not just by hiding controls in the UI.
Every administrative action (user invite, role change, campaign deletion, refund, export) writes an audit-log entry stamped with actor, action, target, and timestamp. Logs are queryable by master admins.
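An added Python example of the two mechanisms in the last two paragraphs: server-side role gating and the audit entry each admin action writes. It is not DonorForge's code; the role names come from this page, while the Actor shape, the in-memory AuditLog and the sample actions are assumptions.

```python
"""Server-side role gating plus audit logging: an added example, not
DonorForge code. Role names are the page's; Actor, AuditLog and the
sample actions are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from functools import wraps

ROLES = ("viewer", "fundraiser", "org_admin", "master_admin")
ADMIN_ROLES = frozenset({"org_admin", "master_admin"})


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class Actor:
    user_id: int
    org_id: int
    role: str  # resolved server-side from the (user, org) membership row, never from the request


@dataclass(frozen=True)
class AuditEntry:
    actor: int
    org_id: int
    action: str
    target: str
    timestamp: str  # ISO-8601, UTC


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, actor: Actor, action: str, target: str) -> AuditEntry:
        entry = AuditEntry(actor.user_id, actor.org_id, action, target,
                           datetime.now(timezone.utc).isoformat())
        self.entries.append(entry)
        return entry

    def query(self, actor: Actor) -> list:
        """Readable by master admins only, and only for their own org."""
        if actor.role != "master_admin":
            raise Forbidden("audit log is readable by master_admin only")
        return [e for e in self.entries if e.org_id == actor.org_id]


def require_role(*allowed: str):
    """Gate a handler on the caller's server-resolved role."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(actor: Actor, *args, **kwargs):
            if actor.role not in allowed:
                raise Forbidden(f"{fn.__name__} requires one of {sorted(allowed)}, got {actor.role}")
            return fn(actor, *args, **kwargs)
        return wrapper
    return decorator


@require_role(*ADMIN_ROLES)
def change_role(actor: Actor, log: AuditLog, target_user_id: int, new_role: str) -> AuditEntry:
    if new_role not in ROLES:
        raise ValueError(f"unknown role {new_role}")
    # ... persist the membership change here ...
    return log.record(actor, "user.role_change", f"user:{target_user_id}->{new_role}")


@require_role(*ADMIN_ROLES)
def delete_campaign(actor: Actor, log: AuditLog, campaign_id: int) -> AuditEntry:
    # ... delete the campaign row here ...
    return log.record(actor, "campaign.delete", f"campaign:{campaign_id}")


def demo() -> dict:
    log = AuditLog()
    master = Actor(1, 100, "master_admin")
    admin = Actor(2, 100, "org_admin")
    fundraiser = Actor(3, 100, "fundraiser")
    other_org_master = Actor(9, 200, "master_admin")
    out = {}
    change_role(admin, log, 3, "org_admin")   # org_admin may manage users
    delete_campaign(master, log, 42)
    attempts = [
        ("fundraiser_delete", lambda: delete_campaign(fundraiser, log, 42)),
        ("org_admin_reads_log", lambda: log.query(admin)),
    ]
    for name, call in attempts:
        try:
            call()
            out[name] = "allowed"
        except Forbidden:
            out[name] = "forbidden"
    out["master_sees"] = [e.action for e in log.query(master)]
    out["other_org_sees"] = [e.action for e in log.query(other_org_master)]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The entry is written by the handler itself, after the role check passes, so a request that bypasses the UI but reaches the endpoint is still both gated and recorded. The org_id on each entry is what keeps one org's master admin from reading another's log.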
Application data is backed up continuously across regions by our managed database provider. Recovery is at the platform level rather than something operated ad-hoc by our team.
API keys, processor secrets, and webhook-signing secrets live in our hosting and database providers' encrypted environment-variable stores. The codebase has automated checks that fail builds if a secret pattern lands in a commit.
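An added example of a build-time secret check of the kind described above, in Python. It is not DonorForge's tooling: the rules, the entropy threshold and the sample diff are assumptions, and the diff is constructed (AKIAIOSFODNN7EXAMPLE is the AWS-documented example key id, not a live credential). It scans only added lines, uses an entropy floor so low-entropy placeholders do not fail the build, and never prints a matched value in full.

```python
"""Build-time secret scanner over a diff: an added example, not DonorForge's
actual tooling. Rules, threshold and the sample diff are assumptions; the
diff is constructed and the AKIA value is AWS's documented example key id.
"""
import math
import re
import sys
from dataclasses import dataclass

RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"
    ),
    # quoted value of at least 16 chars assigned to a credential-looking name
    "credential_assignment": re.compile(
        r"""(?i)\w*(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*["']([^"'\s]{16,})["']"""
    ),
}
ENTROPY_THRESHOLD = 3.0  # bits per character; "xxxxxxxx"-style placeholders fall well below


@dataclass(frozen=True)
class Finding:
    line_no: int   # line within the diff text, 1-based
    rule: str
    redacted: str


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(secret: str) -> str:
    """Enough to locate the value in the file, never the value itself."""
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_diff(diff_text: str) -> list:
    """Scan added lines only. A removed line is already in history and needs
    rotation, not a failed build."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for rule, pattern in RULES.items():
            m = pattern.search(content)
            if not m:
                continue
            secret = m.group(1) if m.groups() else m.group(0)
            if rule == "credential_assignment" and shannon_entropy(secret) < ENTROPY_THRESHOLD:
                continue  # low-entropy placeholder, not a real credential
            findings.append(Finding(line_no, rule, redact(secret)))
    return findings


# Constructed diff: one real-looking key, one documented example key id,
# one placeholder, and one correct env-var read.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,6 @@
 import os
-API_KEY = os.environ["DONORFORGE_API_KEY"]
+API_KEY = "a8f5f167f44f4964e6c998dee827110c"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "xxxxxxxxxxxxxxxxxxxx"
+WEBHOOK_SECRET = os.environ["WEBHOOK_SECRET"]
"""


def main(diff_text: str) -> int:
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"line {f.line_no}: {f.rule}: {f.redacted}", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit fails the build


if __name__ == "__main__":
    text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    sys.exit(main(text))
```

Wired into CI as a pre-merge step (for example fed with the output of `git diff` against the target branch), a non-zero exit blocks the merge. It does not replace rotation: a value that reaches a branch even briefly should be treated as exposed, which is why the scanner's silence on removed lines is a scoping choice, not a verdict that the old value is safe.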
Each organization connects its own payment processor account. Donations route directly to that organization's processor balance. DonorForge is not a payment intermediary and does not pool funds.
DonorForge does not currently hold its own SOC 2 attestation, ISO 27001 certification, or HIPAA Business Associate Agreement. Our infrastructure providers do, and the architecture inherits a great deal of safety from theirs. If you require contractual SOC 2 from us specifically, talk to us; we are tracking the timeline for our own attestation.
We are not a payment processor, money transmitter, or financial-services institution. We facilitate organizations connecting their own payment-processor accounts to receive donations directly.
If you believe you have found a security issue in DonorForge, email security@donorforge.org. Please include reproduction steps, what you were doing when you noticed the issue, and any URLs or accounts involved. We acknowledge within 1 business day, triage within 5 business days, and credit reporters who request it. Please do not test against organizations that are not yours.