Payment Security
- Stripe PCI DSS Level 1 — All card payments are processed by Stripe, a payment processor certified at PCI DSS Level 1, the highest certification level. CharitMe never sees, stores, or handles your card number, CVV, or bank account details.
- 3D Secure / SCA — Strong Customer Authentication is supported for European and other regulated transactions.
- Webhook signature verification — All Stripe webhook events are verified using HMAC-SHA256 signatures before processing.
Infrastructure
- Supabase Postgres — All data is stored in Supabase with Row Level Security (RLS) policies enforced at the database level. Users can only access their own data.
- HTTPS everywhere — All traffic is encrypted in transit using TLS 1.2+. HTTP requests are automatically redirected to HTTPS.
- Serverless API routes — API endpoints run in isolated serverless functions (Vercel Edge Network). No persistent server processes.
- Supabase Auth — Sessions use secure, HTTP-only cookies with PKCE. Google OAuth sessions are server-initiated to prevent code verifier exposure.
Access Controls
- Row Level Security — Database queries are restricted so that organizers can only read/write their own campaigns, donors can only read their own donations, and admins can see everything, with an audit trail of their access.
- Service role key isolation — The Supabase service role key (bypasses RLS) is never included in client bundles. It is only used in server-side API route handlers that have already verified authentication.
- Admin email gating — The admin console is protected by a verified admin email allow-list and a database role check, in addition to session authentication.
Identity Verification
- Stripe KYC — Organizers must complete Stripe Connect identity verification (name, DOB, address, SSN last 4) before payouts are enabled.
- Trust Score — An AI-computed trust score (0–100) is visible on every campaign. It reflects identity verification, story quality, and fundraising activity.
- Verified badge — Campaigns with fully verified organizers display a CharitMe Verified badge.
Data Protection
- No PII logging — We do not log email addresses, full names, IP addresses, or card data in application logs.
- Input validation — All API inputs are validated with Zod schema validation before any database operation.
- SQL injection prevention — All queries use parameterized statements via the Supabase JS SDK. User input is never concatenated into SQL.
- CSRF protection — State-changing operations require authenticated sessions with server-verified tokens.
Vulnerability Disclosure
If you discover a security vulnerability, please email security@charitme.com immediately. Do not disclose publicly until we have had 90 days to respond and patch. We appreciate responsible disclosure.
Updates
This page is updated when security controls change. Last reviewed: May 2025.