Security at Donor Moves

Donor Moves LLC is committed to protecting the data you entrust to us. This page describes the technical and organizational measures we maintain to keep your organization's donor information secure.

Data Encryption

All data transmitted between your device and Donor Moves is protected using industry-standard TLS encryption (TLS 1.2 minimum; TLS 1.3 preferred) (HTTPS). This applies to the web application, the mobile app, and all API communications. Unencrypted HTTP connections are rejected.

Data stored in our database is encrypted at rest using AES-256 encryption, including donor records, interaction logs, gift history, and all other user-generated content.

Authentication & Access Control

Passwords are never stored in plain text. We use bcrypt with a strong work factor to hash passwords before storage, so even in the unlikely event of a database breach, your password cannot be recovered.

Access to your account requires a valid session token issued at login. Sessions are invalidated on sign-out and expire automatically after a period of inactivity. Each organization's data is stored and queried using unique identifiers that enforce strict access boundaries — users can only access records belonging to their own organization, and no cross-organization data access is permitted at the application or database level.

Administrative functions (such as managing staff accounts) are restricted to users with the Administrator role and require re-authentication.

Public Endpoint Protections

Unauthenticated endpoints — such as the lead capture form and the public support chat — are rate-limited by IP address to prevent automated abuse. Requests that exceed these limits receive an HTTP 429 response. Message content submitted to the public chat assistant is bounded in size and history depth to limit exposure of AI API resources.

Email Security

Transactional emails (account confirmations, password resets, toolkit deliveries) are sent through an authenticated SMTP relay using TLS. Password reset links are single-use, time-limited tokens.

Ongoing Security Practices

We run automated dependency vulnerability scans and static application security testing (SAST) as part of our development process. Identified vulnerabilities are triaged and remediated based on severity, with critical issues addressed as the top priority.

We follow the principle of least privilege: each component of our infrastructure is granted only the permissions it requires to function.

Data Breach Response

In the event of a security incident affecting your organization's data, Donor Moves LLC will notify affected organizations without undue delay and in accordance with applicable state breach notification laws. Notifications will describe what occurred, what data was affected, and the steps we are taking to respond. To report a suspected breach of your account, contact us immediately at privacy@donormoves.net.

Data Retention & Deletion

Your organization's donor records and content belong to you. If you close your account, your data remains accessible for up to 90 days so you can export it. After that window, your account and all associated data — including all donor records, interactions, gifts, and team member accounts — are permanently deleted. You may request earlier deletion by contacting us at privacy@donormoves.net. We will acknowledge deletion requests within 10 business days. We will also instruct any third-party service providers who have received your data to delete it in accordance with their contractual obligations to us.

We do not sell your personal information. We share data only with service providers who help us operate the platform — such as our payment processor and hosting provider — under contractual obligations that prohibit any other use. See our Privacy Policy for the full list.

For full details on your data rights, see our Privacy Policy.

Responsible Disclosure

If you discover a security vulnerability in Donor Moves, please report it to us at support@donormoves.net with a description of the issue and steps to reproduce it. We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly. We ask that you give us reasonable time to address the issue before any public disclosure.

Donor Moves LLC will not pursue legal action against researchers who discover and report vulnerabilities in good faith in accordance with this policy.

This page describes our security practices for U.S.-based operations. If your organization processes data from donors in the European Union or United Kingdom, contact us at privacy@donormoves.net to discuss applicable obligations.

Questions

If you have questions about our security practices, contact us at support@donormoves.net. For privacy-specific requests, email privacy@donormoves.net.