Security
ScanRaise handles donations and school rosters. Keeping that data safe is the bar we're held to, not a feature. Here's what we actually do.
Last updated: April 24, 2026
Backups & recovery
- Daily automated Postgres dumps of the production database, taken at 09:00 UTC by a dedicated Railway cron service.
- Stored off-site in a private Backblaze B2 bucket that is separate from our database provider. A single-vendor outage cannot lose your data.
- Encrypted in transit (TLS) and encrypted at rest by the storage provider.
- Integrity-verified on every run: gzip checksum plus row-count sanity checks on core tables (organizations, campaigns, donations, audit logs).
- Limited retention with automatic deletion of old files — we keep what we need to recover, not a permanent archive.
- Failure alerting: if a backup run fails, an email alert is sent to the operations address immediately.
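The integrity checks above (gzip checksum, row counts on core tables, alert on failure) as an added illustration; this is example code written for this page, not ScanRaise's own cron job. It assumes a plain-format pg_dump compressed with gzip, and the drop threshold and alert callback are assumptions chosen for the example; the sample dump is constructed.

```python
import gzip
import re
import zlib

# Core tables whose row counts are sanity-checked after every dump (names from the page).
CORE_TABLES = ("organizations", "campaigns", "donations", "audit_logs")

# Header line pg_dump writes before each table's data in plain-text format.
COPY_HEADER = re.compile(r"^COPY (?:public\.)?(\w+) \(.*\) FROM stdin;$")


def count_rows(dump_gz: bytes) -> dict:
    """Decompress a gzipped plain-format pg_dump and count data rows per table.

    gzip.decompress checks the CRC32 and length stored in the gzip trailer, so a
    truncated or bit-flipped archive raises instead of yielding bad counts.
    """
    text = gzip.decompress(dump_gz).decode("utf-8")
    counts = {}
    current = None
    for line in text.splitlines():
        if current is None:
            match = COPY_HEADER.match(line)
            if match:
                current = match.group(1)
                counts[current] = 0
        elif line == "\\.":          # pg_dump ends each COPY block with a lone backslash-dot
            current = None
        else:
            counts[current] += 1
    return counts


def check_backup(dump_gz: bytes, previous_counts: dict, max_drop: float = 0.10) -> list:
    """Return a list of problems; an empty list means the backup passed.

    Rules (assumed for this example): every core table must be present and
    non-empty, and no core table may shrink by more than max_drop versus the
    previous successful run, which catches a dump taken from the wrong database
    or after an accidental mass deletion.
    """
    try:
        counts = count_rows(dump_gz)
    except (OSError, EOFError, zlib.error) as exc:   # gzip.BadGzipFile subclasses OSError
        return [f"corrupt archive: {exc}"]

    problems = []
    for table in CORE_TABLES:
        if table not in counts:
            problems.append(f"missing table: {table}")
            continue
        if counts[table] == 0:
            problems.append(f"empty table: {table}")
            continue
        previous = previous_counts.get(table)
        if previous and counts[table] < previous * (1 - max_drop):
            problems.append(f"{table}: {counts[table]} rows, down from {previous}")
    return problems


def alert_if_failed(problems: list, notify) -> bool:
    """Send one alert for a failed run; notify is any callable taking a message string."""
    if not problems:
        return False
    notify("Backup verification FAILED:\n" + "\n".join(problems))
    return True


# Constructed sample: a tiny plain-format pg_dump, compressed the way the real dump would be.
SAMPLE_DUMP = gzip.compress(
    b"COPY public.organizations (id, name) FROM stdin;\n1\tLincoln Elementary PTA\n\\.\n"
    b"COPY public.campaigns (id, org_id) FROM stdin;\n1\t1\n2\t1\n\\.\n"
    b"COPY public.donations (id, amount_cents) FROM stdin;\n1\t500\n2\t2500\n3\t1000\n\\.\n"
    b"COPY public.audit_logs (id, action) FROM stdin;\n1\tlogin\n2\tdonation.created\n\\.\n"
)

if __name__ == "__main__":
    previous = {"organizations": 1, "campaigns": 2, "donations": 3, "audit_logs": 2}
    print(check_backup(SAMPLE_DUMP, previous))        # passes: []
    print(check_backup(SAMPLE_DUMP[:-6], previous))   # truncated trailer: corrupt archive
```

The row-count comparison against the previous run is the check that matters most in practice: a dump can be perfectly well-formed and still be the wrong data.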
Payment security
- All payments are processed by Stripe. ScanRaise never stores, transmits, or sees full card numbers or bank account details.
- PCI-DSS compliance for card handling is Stripe's responsibility (they are certified at the highest level, PCI-DSS Level 1).
- Donations flow directly to the organization's own Stripe Connect account. ScanRaise takes a 2.5% platform fee and never holds your money in escrow.
- Every inbound Stripe webhook is cryptographically signature-verified before it can change state in our system.
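What "signature-verified before it can change state" looks like in code, as an added example (not ScanRaise's code): Stripe's v1 scheme is an HMAC-SHA256 over "<timestamp>.<raw body>" sent in the Stripe-Signature header, checked here with a constant-time compare and a replay window; the 300-second tolerance matches Stripe's documented default. The endpoint secret, event payload and event-id deduplication set are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Maximum clock drift allowed between the signed timestamp and our clock (replay window).
TOLERANCE_SECONDS = 300


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded (the Stripe v1 scheme)."""
    signed_payload = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def parse_signature_header(header: str):
    """Parse "t=<unix ts>,v1=<hex>[,v1=<hex>...]" into (timestamp, candidate signatures)."""
    timestamp = None
    candidates = []
    for part in header.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            timestamp = int(value)          # ValueError on garbage is handled by the caller
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, candidates


def verify_webhook(payload: bytes, header: str, secret: str, now: Optional[int] = None) -> bool:
    """True only if the body is authentic and the signed timestamp is within tolerance."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, candidates = parse_signature_header(header)
    except ValueError:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False                        # stale or future-dated: treat as a replay
    expected = compute_signature(secret, timestamp, payload)
    # Constant-time comparison; several v1 values may be present during secret rotation.
    return any(hmac.compare_digest(expected, candidate) for candidate in candidates)


def process_webhook(payload: bytes, header: str, secret: str,
                    seen_event_ids: set, now: Optional[int] = None) -> str:
    """Gate every state change behind verification, then deduplicate by event id."""
    if not verify_webhook(payload, header, secret, now):
        return "rejected"
    event = json.loads(payload)             # parse only after the signature checks out
    if event["id"] in seen_event_ids:
        return "duplicate"                  # Stripe retries deliveries; apply each event once
    seen_event_ids.add(event["id"])
    # Only at this point would the application update a donation record.
    return "accepted"


def build_signed_header(secret: str, timestamp: int, payload: bytes) -> str:
    """Produce the header a sender would attach (used here to build test fixtures)."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"


# Constructed fixtures: not a real secret, not a real event.
SAMPLE_SECRET = "whsec_example_not_a_real_secret"
SAMPLE_TS = 1_700_000_000
SAMPLE_PAYLOAD = json.dumps({"id": "evt_example_001", "type": "payment_intent.succeeded"}).encode()

if __name__ == "__main__":
    header = build_signed_header(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_PAYLOAD)
    print(verify_webhook(SAMPLE_PAYLOAD, header, SAMPLE_SECRET, now=SAMPLE_TS + 10))    # True
    print(verify_webhook(SAMPLE_PAYLOAD, header, SAMPLE_SECRET, now=SAMPLE_TS + 1000))  # False
```

Note that verification must run over the raw request body exactly as received; re-serializing parsed JSON changes the bytes and breaks the MAC.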
Account security
- No passwords. Sign-in is by one-time email magic link or by a passkey (WebAuthn) — the same Touch ID / Face ID / Windows Hello credential stored on your device.
- Because there's no password, there's nothing for us to leak and nothing for an attacker to phish or reuse from another breach.
- Session cookies are HttpOnly, HMAC-signed, and scoped to scanraise.com. They carry no secrets — just a reference to a server-side session that can be revoked at any time.
- Automatic inactivity timeouts: 30 minutes for organization users, 15 minutes for platform admins.
- Rate limits on every authentication endpoint: magic-link requests are capped at 5 per minute per IP.
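The session design described above (HttpOnly cookie carrying only an HMAC-signed reference to a server-side session, revocable at any time, with 30- and 15-minute inactivity timeouts) as an added example; this is illustrative code for this page, not ScanRaise's implementation. The in-memory store, role names and cookie attributes beyond HttpOnly and the scanraise.com scope are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Inactivity limits from the page: 30 minutes for organization users, 15 for platform admins.
INACTIVITY_SECONDS = {"org_user": 30 * 60, "platform_admin": 15 * 60}
COOKIE_NAME = "session"


class SessionStore:
    """Server-side sessions referenced by an HMAC-signed opaque id in the cookie."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._sessions = {}          # assumed: a database or cache in a real deployment

    def _sign(self, session_id: str) -> str:
        mac = hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()
        return f"{session_id}.{mac}"

    def _valid_cookie(self, cookie_value: str) -> Optional[str]:
        """Return the session id if the cookie's MAC is genuine, else None."""
        session_id, sep, _ = cookie_value.rpartition(".")
        if not sep:
            return None
        expected = self._sign(session_id).encode()
        if not hmac.compare_digest(expected, cookie_value.encode()):
            return None                                  # tampered cookie
        return session_id

    def create(self, user_id: str, role: str, now: int) -> str:
        """Start a session; the returned cookie value is a random id plus its MAC, no secrets."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user_id": user_id, "role": role, "last_seen": now}
        return self._sign(session_id)

    def resolve(self, cookie_value: str, now: int) -> Optional[dict]:
        """Return the session for a cookie, or None if it is forged, revoked, or idle too long."""
        session_id = self._valid_cookie(cookie_value)
        if session_id is None:
            return None
        session = self._sessions.get(session_id)
        if session is None:
            return None                                  # revoked, or never existed
        if now - session["last_seen"] > INACTIVITY_SECONDS[session["role"]]:
            del self._sessions[session_id]               # idle timeout: drop it server-side too
            return None
        session["last_seen"] = now                       # sliding inactivity window
        return session

    def revoke(self, cookie_value: str) -> bool:
        """Invalidate a session immediately; the cookie becomes useless even if it still exists."""
        session_id = self._valid_cookie(cookie_value)
        if session_id is None:
            return False
        return self._sessions.pop(session_id, None) is not None


def set_cookie_header(cookie_value: str) -> str:
    """Set-Cookie attributes: unreadable by scripts, HTTPS only, scoped to scanraise.com."""
    return (f"{COOKIE_NAME}={cookie_value}; HttpOnly; Secure; SameSite=Lax; "
            "Domain=scanraise.com; Path=/")


if __name__ == "__main__":
    store = SessionStore(b"constructed-demo-key")       # constructed; use a real random key
    cookie = store.create("user-1", "org_user", now=0)
    print(set_cookie_header(cookie))
    print(store.resolve(cookie, now=10 * 60) is not None)          # True
    print(store.resolve(cookie, now=10 * 60 + 31 * 60) is None)    # True: idle > 30 min
```

Because the cookie holds only a reference, revoking on the server ends the session immediately regardless of what the browser still has; a self-contained signed token cannot offer that without a blocklist.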
Schools, students, and student data
- SDPC-registered vendor (Student Data Privacy Consortium).
- COPPA and FERPA compliant — the platform is designed so that fundraiser participants are identified by first name and last initial only, entered by adult organizers, never by children directly.
- Clever SSO and ClassLink SSO integrations for K-12 districts that already have a rostering and identity provider.
- We do not sell or share student data with advertisers, marketers, or data brokers. Ever.
- If a district or school asks us to delete their data, we do — and we tell you when it's done.
Transport & platform
- HTTPS everywhere with HSTS and preload — browsers will refuse to connect to ScanRaise over plain HTTP.
- Strict Content-Security-Policy on every HTML response: no inline scripts, no unsafe-eval, whitelisted origins only.
- Hardened response headers: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy.
- Running a live test suite on every change; the most recent external penetration test was run on 2026-04-14 and every finding was shipped as a fix before launch.
Email integrity
- SPF, DKIM, and DMARC are all configured and passing on our sending domains, so receiving mail servers can verify that an email really came from ScanRaise.
- All transactional email (magic links, donation receipts, notifications) is sent through a verified sender. We don't hand your donor list to third-party marketing tools.
Insurance
- StanHattie LLC, which operates ScanRaise, carries General Liability and Errors & Omissions coverage through Next Insurance.
Reporting a vulnerability
Found something that looks off? Email support@scanraise.com with [Security] in the subject line. We don't run a paid bug bounty yet, but we read every report, triage quickly, and credit responsible disclosure here when the reporter consents.
This page describes how ScanRaise operates today. We'll update it when anything material changes — the last updated date at the top is the source of truth.