Security

How we protect your data

Payment security

All payments are processed through Stripe, a PCI DSS Level 1 certified payment processor. Card numbers never touch our servers. Stripe handles all sensitive payment data storage, tokenization, and processing.

Data encryption

All data in transit is encrypted using TLS 1.2+ (HTTPS). Data at rest uses AES-256 encryption. We enforce HSTS and Content Security Policy headers.

Audit logging

Every donation, account change, and data access event is recorded in an immutable, append-only audit log with timestamps, IP addresses, and user agents. Logs are retained for a minimum of 5 years.

Access controls

Campaign operators can only access their own campaign data. Authentication uses secure, HTTP-only, signed session tokens. We support Google OAuth and magic link authentication — no passwords stored.

Reporting vulnerabilities

Report security issues to security@donateth.is.