Specific, honest, no-marketing-fluff posture. What we encrypt, how we isolate tenants, what audit logs we keep, and what we don't promise yet.
Sensitive fields (bank routing numbers, account numbers, TINs) are AES-256-CBC encrypted with HMAC-SHA256 authentication via a project-internal Encryption utility. Keys live in environment configuration, never in source.
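As an added illustration of the encrypt-then-MAC layout described above (not the project's own Encryption utility), the PHP sketch below shows one way to lay it out; the function names and the FIELD_ENC_KEY / FIELD_MAC_KEY variable names are assumptions, and the sample value is constructed.

```php
<?php
// Illustration of the AES-256-CBC + HMAC-SHA256 (encrypt-then-MAC) layout described above.
// Not the project's Encryption utility; function and environment variable names are assumed.

// Two independent 32-byte keys from environment configuration (never source), hex-encoded.
function loadKey(string $envName): string {
    $hex = getenv($envName);
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException("$envName must be 32 bytes, hex-encoded");
    }
    return hex2bin($hex);
}

// Returns base64(iv || ciphertext || tag); the tag covers both iv and ciphertext.
function encryptField(string $plaintext): string {
    $iv = random_bytes(16);                                   // fresh IV per record
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', loadKey('FIELD_ENC_KEY'), OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    $tag = hash_hmac('sha256', $iv . $ct, loadKey('FIELD_MAC_KEY'), true); // encrypt-then-MAC
    return base64_encode($iv . $ct . $tag);
}

// Checks the tag in constant time before decrypting anything; null on any failure.
function decryptField(string $encoded): ?string {
    $blob = base64_decode($encoded, true);
    if ($blob === false || strlen($blob) < 16 + 16 + 32) {
        return null;                                          // cannot hold iv + one block + tag
    }
    $iv  = substr($blob, 0, 16);
    $tag = substr($blob, -32);
    $ct  = substr($blob, 16, -32);
    $expected = hash_hmac('sha256', $iv . $ct, loadKey('FIELD_MAC_KEY'), true);
    if (!hash_equals($expected, $tag)) {
        return null;                                          // tampered or wrong key: never decrypt
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', loadKey('FIELD_ENC_KEY'), OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Constructed demo: throwaway keys and a made-up routing number, for this run only.
putenv('FIELD_ENC_KEY=' . bin2hex(random_bytes(32)));
putenv('FIELD_MAC_KEY=' . bin2hex(random_bytes(32)));
$stored = encryptField('123456789');
var_dump(decryptField($stored) === '123456789');           // round trip
$tampered = $stored;
$tampered[20] = ($tampered[20] === 'A') ? 'B' : 'A';       // corrupt one character of the blob
var_dump(decryptField($tampered));                         // tag check rejects it
```

The separate MAC key and the verify-before-decrypt order are what keep a CBC padding error from ever being observable to a caller.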
TLS 1.2+ end-to-end. Cloudflare proxy with "Full (Strict)" SSL on the marketing surface; HTTPS-only cookies; HSTS where supported.
Every query filters by organization_id. Every authenticated endpoint validates that the requesting user's organization_id matches the data being touched. Isolation is tested across all giving / matching / grant / payout flows.
Tokens via AuthService::getCSRFToken() / validateCSRFToken(), exposed via a site-wide <meta name="csrf-token"> for AJAX endpoints, validated server-side on every state-changing request.
Every donation creation, match approval, grant decision, payout step, banking edit, and settings change writes a row to activity_log with user, organization, timestamp, and before/after values.
Bcrypt cost 12. Rate limiting (5 attempts, 15-min lockout). Session security: HTTP-only, secure flag, strict mode, SameSite Lax.
Five roles (super_admin, org_admin, finance_admin, manager, employee). Every page asserts its required role via AuthService::requireRole() at the top of the file — not as middleware that can be forgotten.
Found a security issue? Email security@gozaround.co with details. We respond within 1 business day and credit researchers (with permission) in our changelog.
Our security posture, access controls, audit logging, and change-management practices align to SOC 2 Type 2 controls. We're not yet certified. We'll publish a status page when the audit is in flight; we'll publish the SOC 2 report itself (under NDA) when complete. We don't use "SOC 2 ready" as a marketing claim; we mean it operationally.
Data Processing Agreement available on request. Right-to-delete + right-to-export supported via super-admin-initiated workflows. Personal data flows are documented and minimized; no third-party analytics SDKs sending data to vendor systems (we use server-side analytics into our own marketing_events table).
Reach out and we'll share our security overview, DPA, and any specific control evidence you need.