Security & Trust
CiviPortal is designed for public-sector transparency workflows, with a focus on protecting administrative access, separating tenant data, and using reputable infrastructure providers.
Infrastructure & Subprocessors
We rely on established providers for core infrastructure. Many of these providers publish third-party audit reports (for example, SOC 2) and security documentation. We can share a current subprocessors list upon request.
| Component | Provider | Purpose | Notes |
|---|---|---|---|
| Application Hosting | Vercel | Web hosting & delivery | Provider security/compliance documentation available |
| Database & Auth | Supabase | Data storage and authentication services | Provider security/compliance documentation available |
| DNS / Edge Security | Cloudflare | DNS, caching, and protective controls | Provider security/compliance documentation available |
Data Protection
Encryption
- In transit: HTTPS/TLS for traffic between users and the service
- At rest: encrypted storage provided by managed infrastructure/database services
- Backups: backup strategy depends on plan/configuration; details available upon request
Tenant isolation
- Tenant-scoped access: requests are scoped to the correct organization
- Database controls: row-level policies may be used where configured
- Public vs admin: public pages are accessible by design; admin actions require authorization
Access Control
Authentication
- Administrative access requires authentication
- Session controls are designed to reduce unauthorized access
- Exact authentication mechanisms may vary by deployment configuration
Role-Based Access (RBAC)
- Roles control access to administrative actions (uploads, configuration, user management)
- Least-privilege design: grant only what staff need
Incident Response
We maintain an incident response process. If we become aware of a security incident that impacts a client’s non-public operational data (such as administrative access or portal configuration), we aim to notify affected clients promptly and provide relevant details as they are confirmed.
Notification timing may depend on applicable law and contractual requirements.
Security Questions?
If your IT team has a security questionnaire or procurement requirements, email us and we’ll respond with the most current documentation.
Email: hello@civiportal.com