Security & Data Handling
You're trusting us with your operation's financial history and your community's information. Here is exactly how we treat it — in plain English, because vague security pages are how people hide weak practices.
Access tokens
When you connect a source, you paste an access token. We encrypt it immediately with AES-256-GCM — an authenticated encryption standard — using a key that lives only in our server environment, never in the database alongside the data it protects. The token is decrypted only at the moment a sync runs, is never written to logs, is redacted from error reports, and is never sent to your browser or anyone else's. You can revoke the token at the source at any time; if that happens we stop syncing immediately and mark the connection as needing reattention — we never retry a revoked token.
Tenant isolation
Every row of your data is tagged with your workspace, and isolation is enforced by the database itself using row-level security — not just by application code. Our application layer independently verifies workspace membership on every request, so two separate mechanisms would both have to fail for anyone outside your workspace to see your data. We test cross-workspace isolation as part of our release checks.
Youth data
Some of our connectors serve youth organizations, so we hold a bright-line policy: we do not receive, request, or store personal information about minors. No names, no birthdates, no medical notes, no waivers, no pickup lists. Sources send us pseudonymous references (random IDs) plus at most a grade, graduation year, or sport position — enough to count enrollments and attendance, nothing more. We never attempt to re-identify a minor, and identity in our system is built exclusively around adults: parents, guardians, managers, and donors. Any future connector that touches youth data inherits this policy unchanged.
What we store, where
Your data lives in a dedicated Postgres database hosted by Supabase in the United States, encrypted at rest and in transit (TLS everywhere). We keep source data exactly as received (minus anything outside our contracts with sources) so that corrections are made by re-deriving analytics, never by asking sources to re-send. We store only the fields our published connector contracts define — when a source adds new fields, we ignore them until they're reviewed and added to the contract.
Your rights
It's your data. Disconnect a source and we stop syncing immediately. Ask us to delete your workspace and we delete everything — raw and derived — within 30 days. We don't sell data, we don't share it across customers, and we don't train AI models on it: the AI features in the product read your metrics to write your briefs, and nothing else.
Questions
Security questions get real answers from the people who built the system. Write to us via the contact page and mention security in your message.