Trust

Your donors' data, protected by design.

ThankFirst holds sensitive donor information for multiple organizations, so tenant isolation and data protection are existential — not an afterthought. Here's how it works, in plain English.

Database-layer isolation

Every organization's data is isolated by Row-Level Security on every table — enforced by the database, not the UI, and tested adversarially on every build.

Role-scoped access

Five least-privilege roles. Committee members see only their assigned donors — never wealth data. Board viewers see aggregates only, no PII.

Audit trail

Data exports and every ask-timing override (with justification) are recorded in an append-only audit log.

You own your data

Full CSV/JSON export any time, and deletion on request. No lock-in — your donors are always yours.

Tenant isolation, enforced by the database

Every organization's data is isolated by Row-Level Security on every table — enforced by Postgres, not the UI. A user in one organization physically cannot read or write another's rows, even with a hand-crafted API call. An automated adversarial test suite attempts cross-tenant access on every build and must pass before any release ships.

Least-privilege roles

Five roles with scoped access. Committee members see only their personally assigned donors and never wealth-capacity data. Board viewers see aggregate dashboards with no donor personal information and no export. The platform-owner plane is fully separated from tenant data.

Audit trail

Sensitive actions are recorded in an append-only audit log — including data exports and every ask-timing override with the justification the user entered, plus role changes and imports.

Encryption & infrastructure

Data is encrypted in transit (TLS) and at rest through our infrastructure providers. Application secrets are used server-side only and are never shipped to the browser. Subprocessors: Supabase (database, auth, storage), Vercel (hosting), Stripe (billing), and a transactional email provider.

You own your data

Every organization can export its complete dataset (CSV/JSON) at any time, and request deletion of its organization or individual donor records. No lock-in.

A formal pre-launch security review — including third-party penetration testing, auth rate-limiting, and security headers — is part of our launch process. We provide a Data Processing Addendum on request. See our Privacy Policy and Terms of Service. Questions? security@thankfirst.com.