Trust and Safety
Last Updated: February 2026
Our Commitment
Security, privacy, and trust are foundational requirements of the Crowdera platform infrastructure. We implement layered technical and operational controls designed to protect donor, fundraiser, and organizational data and to help customers operate confidently across jurisdictions.
Security Architecture: Layered Controls
Crowdera applies layered controls to protect data at multiple levels across the platform.
Layer 1: Data Transmission Security
Data in transit is protected using TLS encryption and served behind Cloudflare-managed edge security.
Layer 2: Database & Data Storage Security
● Passwords are protected using bcrypt (salted, one-way hashing; a stored hash cannot be reversed to recover the password).
● Encryption at rest is enabled by default for supported storage layers.
● Planned enhancement: field-level encryption for defined sensitive fields (for high-sensitivity use cases).
Layer 3: Authentication & Authorization
● Sessions and API requests are authenticated and authorized using signed JSON Web Tokens (JWTs).
● Role-based access control is applied to customer configuration where applicable.
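As an added example (not Crowdera's code), this is how a JWT-based API authorization check of the kind listed above should verify an HS256 token, using only the Python standard library. The verifier pins the algorithm itself (a token whose header claims alg "none" or anything other than HS256 is rejected before any signature work), compares the HMAC in constant time, and only then parses the claims and enforces exp and iss. The signing key, issuer name and claims are constructed for this example; sign_hs256 and forge_alg_none exist only to produce input for the verifier.

```python
"""Added example (not Crowdera's code): HS256 JWT verification with the
algorithm fixed by the verifier, constant-time signature comparison, and
exp/iss enforcement. Key, issuer and claims below are constructed samples."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a token (server side); shown only so the verifier has input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def forge_alg_none(claims: dict) -> str:
    """What an attacker sends hoping the verifier honours alg from the header."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def verify_hs256(token: str, key: bytes, issuer: str, now: Optional[float] = None) -> dict:
    """Return the verified claims or raise ValueError with a short reason.
    HS256 is chosen here, by the verifier; the token's header never decides it."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload_raw = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON, non-ASCII input
        raise ValueError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects "none" and algorithm confusion
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    # Claims are interpreted only after the signature has been checked.
    claims = json.loads(payload_raw)
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("missing exp")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    return claims


def rejection_reason(token: str, key: bytes, issuer: str, now: Optional[float] = None) -> str:
    """Empty string when the token verifies, otherwise why it was refused."""
    try:
        verify_hs256(token, key, issuer, now)
        return ""
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    KEY = b"example-signing-key"  # constructed for this example
    ISS = "crowdera-example"      # constructed issuer name
    claims = {"sub": "user-1", "iss": ISS, "exp": 2000}
    token = sign_hs256(claims, KEY)
    print(rejection_reason(token, KEY, ISS, now=1000) or "accepted")
    print(rejection_reason(token, KEY, ISS, now=2500))                   # token expired
    print(rejection_reason(token, b"wrong-key", ISS, now=1000))          # bad signature
    print(rejection_reason(forge_alg_none(claims), KEY, ISS, now=1000))  # unexpected alg
```

The order of checks matters: algorithm pinning and signature verification happen before any claim is read, so an attacker-controlled payload is never interpreted unless it was produced with the server's key. A production deployment would additionally rotate keys by kid and bound clock skew on exp, which this example leaves out.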
Layer 4: Application Security Controls
● Input validation and sanitization.
● XSS protection, secure headers, and security middleware.
● Bot protection (including Google bot protection where configured).
● Rate limiting and abuse prevention.
● Injection protections (including SQL injection mitigation patterns where applicable).
● Secure configuration and secret handling (environment variables/secrets).
Layer 5: Data Localization & Residency Options
● Default data storage is on US-based secure cloud database servers.
● Data storage in India and Singapore can be configured based on customer requirements to support local data residency expectations.
Layer 6: Platform Data Access Controls
● Platform access is restricted and controlled for operational support activities.
● Time-limited (expiring) password protection for protected access flows (where applicable).
● Secure downloadable files and controlled export access.
Layer 7: Payment Security
● Crowdera does not store card details; the payment gateway is the system of record for card processing.
● Payment APIs are protected with bot protection controls (where configured).
● Payments are processed via PCI DSS compliant payment gateways (as applicable to the chosen provider).
Privacy Compliance Readiness
Crowdera’s platform is configuration-ready to support common privacy obligations across major jurisdictions, including India (DPDP), US state privacy laws (context dependent), EU GDPR, UK GDPR, and Singapore PDPA.
“Configuration-ready” means the platform supports implementing privacy requirements through configurable controls and workflows such as access controls, auditability, retention/deletion configurations, and support mechanisms for responding to data subject requests (as applicable).
Compliance depends on customer configuration, content, integration choices, and internal processes. Customers remain responsible for their specific legal obligations.
Security & Compliance Practices
● Regular vulnerability testing is performed as part of the security program (application and infrastructure).
● Production systems are backed up regularly; restore procedures are validated periodically; backup access is restricted via least-privilege controls.
● Administrative access follows least privilege and separation of duties; privileged actions are logged and monitored; onboarding/offboarding procedures are enforced.
● Customers may request data residency configurations (US default; India/Singapore available) based on contractual needs.
● Third-party integrations (payment processors, CRMs) are governed by the customer’s configuration and the provider’s terms.
● A Data Processing Addendum (DPA) and sub-processor disclosures can be provided on request.
● Incident response procedures exist for identifying, containing, remediating, and communicating incidents; customer communications are handled in a timely manner based on severity and contractual commitments.
Assurance
Crowdera is pursuing SOC 2 to independently validate security and operational controls against recognized criteria.