Your trust is our top priority. We employ enterprise-grade security practices to protect your data, your donors, and your campaigns.
All sensitive data is encrypted using AES-256-GCM authenticated encryption with randomly generated salts and initialization vectors.
Passwords are hashed using bcrypt with 12 salt rounds. We check all passwords against known breach databases using k-anonymity to protect your privacy.
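As an added illustration of the k-anonymity breach check described above (example code written for this page, not Community Pledge's own implementation): the client hashes the password, sends only the first 5 hex characters of the digest, and matches the remaining suffix locally against the returned range. The range service, its suffix list and the breach counts are stand-ins constructed for the example.

```python
import hashlib

# Constructed stand-in for a k-anonymity "range" service. The client sends only
# the first 5 hex characters of the SHA-1 digest and receives every breached-hash
# suffix sharing that prefix, each with a breach count. The service never sees the
# full hash or the password. Entries are constructed for this example, except that
# the 35-character suffix ending in "68FD8" is the real SHA-1 suffix of "password".
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    ],
    # A non-empty range whose suffixes do not match the hash being checked.
    "AAF4C": [
        "0018A45C4D1DEF81644B54AB7F969B88D65:7",
    ],
}


def lookup_range(prefix: str) -> list[str]:
    """Stand-in for the HTTP range query; returns 'SUFFIX:COUNT' lines."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, [])


def anonymised_query(password: str) -> tuple[str, str]:
    """Split the SHA-1 digest into the 5-char prefix sent out and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_lookup=lookup_range) -> int:
    """Return how often the password appears in the breach corpus (0 if never)."""
    prefix, suffix = anonymised_query(password)
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_acceptable(password: str) -> bool:
    """Policy hook: reject any password seen in a breach at least once."""
    return breach_count(password) == 0
```

Swapping `lookup_range` for a real HTTPS range query keeps the privacy property unchanged, since only the prefix ever leaves the client.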
All data in transit is protected with TLS 1.3 encryption. We enforce HTTPS across the entire platform.
TOTP-based 2FA compatible with Google Authenticator, Authy, and other authenticator apps. Admin accounts require MFA.
Support for passwordless authentication using passkeys, biometrics, and hardware security keys.
Sign in securely with Google, GitHub, Facebook, Discord, or Apple.
Automated rate limiting on all authentication endpoints prevents brute-force attacks and credential stuffing.
Accounts are automatically locked for 30 minutes after 5 failed login attempts to prevent unauthorized access.
Hosted on Vercel's global edge network with automatic DDoS mitigation and traffic filtering.
All authentication events, account changes, and security-sensitive operations are logged with timestamps and IP addresses.
Track active sessions, review login history, and remotely revoke access from any device.
Automated monitoring for suspicious activity patterns and unauthorized access attempts.
Your donations are processed with bank-level security
All payments are processed through Square, a PCI-DSS Level 1 certified payment processor—the highest level of security in the payment industry.
We never store full credit card numbers on our servers. All sensitive payment data is tokenized and stored securely by Square.
Square's advanced fraud detection systems monitor transactions in real-time to prevent fraudulent activity and protect donors.
Hosted on Vercel's secure cloud platform with PostgreSQL databases featuring automatic backups, encryption at rest, and geo-redundancy.
We retain your data only as long as necessary for the purposes outlined in our Privacy Policy. Audit logs are retained for a minimum of 365 days for compliance and security investigations.
We comply with GDPR, CCPA, and other data protection regulations. You have the right to access, correct, or delete your personal data at any time. See our Privacy Policy for details.
We prevent reuse of your last 5 passwords so that a previously compromised credential cannot be restored. Password history is encrypted before storage.
In the unlikely event of a data breach affecting your personal information, we commit to notifying all affected users within 72 hours of discovery via email and platform notification, in compliance with GDPR and other data protection laws.
We maintain documented incident response procedures including threat containment, forensic investigation, user notification, and remediation steps. Our team conducts regular security drills to ensure rapid response capability.
Help us keep Community Pledge secure
We welcome responsible security researchers to help identify and address potential vulnerabilities. If you discover a security issue, please follow these guidelines:
For security-related inquiries, please contact:
security@communitypledge.com
Expected response time: within 24 hours
Learn how we collect, use, and protect your personal information.
Read our terms regarding account security and user responsibilities.
Have questions or concerns? Reach out to our security team.
Last updated: November 21, 2025
© 2025 Community Pledge. All rights reserved.