One platform for everything you sell, share, and organize.
Security
Your data. Your customers.
Not ours to sell.
Privacy and security are cornerstones of how we built this platform — not ornaments we'll apply when an audit calls.
Encryption in transit and at rest
Customer data travels over TLS 1.3 and is stored with AES-256 encryption managed through Rails' Active Record encryption. Personal data fields (names, addresses, phone numbers, notes) use non-deterministic encryption; columns we must look up by value (email, API keys) use deterministic encryption. Equipoise holds the keys necessary to operate the Service — this is not end-to-end encryption.
Defense in depth
Rate limiting on public endpoints (Rack::Attack). Cloudflare Turnstile bot protection on signup, login, password reset, and magic-link flows. HMAC-signed tokens for confirmation, reset, unlock, and invitation flows with constant-time comparison. Webhook signatures verified before any payload is processed.
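A sketch of the HMAC-signed token pattern described above, added here as an illustration; it is not Equipoise's code. The `SignedToken` module, the purpose strings, the token layout, and the sample key are all assumptions made for the example.

```ruby
require "openssl"
require "json"

# Hypothetical helper for illustration; SECRET is a constructed sample key.
module SignedToken
  SECRET = "constructed-sample-secret-for-illustration-only"

  module_function

  # The purpose is part of the MAC input, so a token minted for one flow
  # (say "confirmation") fails verification if replayed in another.
  def mac(purpose, body)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, "#{purpose}.#{body}")
  end

  # Token layout (assumed): base64url(JSON claims) + "." + hex HMAC-SHA256.
  def issue(purpose, subject, ttl:, now: Time.now)
    claims = JSON.generate("sub" => subject, "exp" => now.to_i + ttl)
    body = [claims].pack("m0").tr("+/", "-_")
    "#{body}.#{mac(purpose, body)}"
  end

  # Returns the subject on success, nil on any failure.
  def verify(purpose, token, now: Time.now)
    body, sig = token.to_s.split(".", 2)
    return nil if body.nil? || sig.nil?

    # Check the MAC before parsing anything, using a constant-time compare
    # so response timing does not reveal how many leading bytes matched.
    return nil unless OpenSSL.secure_compare(mac(purpose, body), sig)

    claims = JSON.parse(body.tr("-_", "+/").unpack1("m0"))
    return nil if claims["exp"].to_i <= now.to_i

    claims["sub"]
  rescue ArgumentError, JSON::ParserError
    nil
  end
end
```

Verifying the signature before decoding the claims means untrusted input never reaches the JSON parser unless it was minted with the server's key.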
No data selling. Ever.
Your mailing list is yours. Your customer behavior is yours. We make money when you succeed, not when we sell access to your audience. We do not share, sell, or use your customers' data to train machine-learning models. This isn't negotiable.
Transparent practices
Our privacy policy is written in plain language. Our subprocessor list is public. Our security commitments are things we actually operate, not badges borrowed from our vendors. If you want to know what we collect and why, ask — we'll tell you clearly.
What we deliberately don't store.
Some data is too sensitive to hold. The architecture is designed so we never have to.
Tax IDs and SSNs
Your SSN or TIN is collected and verified by Stripe during their onboarding — not by us. Stripe uses it directly for 1099-K filing. Nonprofits that opt in to displaying their EIN on donation receipts may store it in their account settings; that field is encrypted at rest, admin-only, and never displayed to other accounts.
No card numbers or bank accounts
Card numbers, CVVs, magnetic stripe data, and bank account details never touch our servers. All payment data is handled by Stripe, which is PCI DSS Level 1 certified. Equipoise's own PCI scope is limited to SAQ A. We receive only a confirmation that payment succeeded.
No government IDs or biometrics
We don't collect government-issued ID images, passport numbers, driver's license numbers, or any biometric data. Identity verification is handled by Stripe.
Why this matters: In 2020, a data breach at a major nonprofit software provider exposed sensitive data from over 13,000 organizations. Data you don't store can't be stolen. The architecture minimizes what we hold so there's less to protect and less at risk.
Append-only financial event log
Financial events — charges, refunds, disputes, payout reconciliations — are written to a dedicated ledger table designed as append-only. Edits to prior events are expressed as new events (a refund event against an original charge), not as in-place mutations. This is how the accounting dashboard reconstructs every dollar that moves through the system.
Processor reconciliation
Every transaction recorded in Equipoise is tied to a Stripe transaction ID. Reconciliation between Equipoise and Stripe happens continuously as webhooks land; discrepancies are surfaced in the accounting dashboard rather than hidden. Financial data is the source of truth we guard most carefully.
Technical security measures
What we actually operate — not badges borrowed from our hosting provider.
Data Protection
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Non-deterministic encryption for PII
- Encrypted database backups
- Tenant-scoped query architecture
Infrastructure
- Hosted on Fly.io (which maintains its own SOC 2 report)
- Cloudflare WAF + DDoS protection
- Rate limiting on public endpoints
- Automated dependency security updates
- Webhook signature verification
Access Control
- Password hashing with bcrypt
- HMAC-signed, purpose-scoped auth tokens
- Role-based permissions (Dashboard, Admin, Account)
- Session management with secure cookies
- Sensitive parameter filtering in logs
Compliance posture
We're honest about what we carry today and what we don't.
PCI DSS — via Stripe
All card data is processed by Stripe, which is PCI DSS Level 1 certified. Equipoise's own scope is limited to SAQ A — we do not receive, store, or transmit cardholder data.
GDPR / CPRA — data subject rights
We support access, export, correction, and erasure for every data subject. The GDPR deletion path anonymizes personal data on request. See our Privacy Policy for the specific mechanisms.
What we don't carry yet
Equipoise is not independently SOC 2, HIPAA, or ISO 27001 certified. If your procurement process requires those, see the "Honest Tradeoffs" section on our Alternatives page.
Responsible disclosure
We take security vulnerabilities seriously. If you discover a security issue, we want to hear about it.
How to report
Email security@equipoi.se with a detailed description of the vulnerability. Include steps to reproduce if possible.
What to expect
- Prompt acknowledgment on receipt
- Regular updates while we investigate
- Credit in our security acknowledgments (if desired)
- Good-faith reports that follow standard responsible-disclosure practice will not face legal action from us
Please give us reasonable time to address issues before public disclosure.
Your data belongs to you
Export anytime. Download your contact, order, donation, ticket, and financial data in standard formats (CSV, JSON) whenever you want. No lock-in, no hostage situations.
Delete on request. Close your account and we anonymize your personal data from production systems within 30 days. Records we're required to retain for tax, legal, or dispute-resolution reasons follow the schedule published in our Privacy Policy — we tell you what sticks around and why.
No training on your data. We don't use your customer data to train machine-learning models or improve our algorithms. Your business is not our product.
Full transparency. Want to know exactly what data we have about you or your customers? Just ask — we'll provide a complete export.