Security & Compliance

Your campaign data deserves enterprise-grade protection. Here's how we deliver it.


Our Security Commitment

Political campaigns handle sensitive data: donor information, voter contacts, strategic plans, opposition research. A breach doesn't just cost money—it can cost elections.

We take security seriously. Our platform is built from the ground up with security as a core design principle, not an afterthought.


Data Protection

Encryption Everywhere

Every piece of data that flows through Civitas is protected by industry-leading encryption. When your campaign staff access the platform from their browsers or mobile apps, all communications travel through TLS 1.3, the latest and most secure transport protocol available. Once data reaches our servers, it's encrypted at rest using AES-256 encryption—the same standard used by banks and government agencies to protect their most sensitive information. This means that even in the extraordinarily unlikely event of a physical server breach, your donor lists, voter contacts, and strategic documents would remain unreadable to anyone without the proper cryptographic keys.

Access Controls

Campaigns involve many people with different roles and responsibilities, and not everyone needs access to everything. Civitas implements comprehensive role-based access controls that let campaign managers define exactly who can see what. Your finance director can access donor information without seeing opposition research files. Your field organizers can update voter contacts without accessing high-dollar donor records. Every access is logged in detailed audit trails that show exactly who viewed or modified what, and when. If you ever need to investigate an internal security question or prepare for an audit, the records are there.

Secure Authentication

Weak passwords are one of the most common entry points for security breaches, and political campaigns are frequent targets. Civitas supports modern authentication practices that dramatically reduce this risk. Enable two-factor authentication to require something beyond just a password—a code from an authenticator app or a physical security key. For organizations with their own identity infrastructure, we integrate with major single sign-on providers and with your organization's identity provider, so your team can use their existing corporate credentials and you can manage access centrally. The days of shared logins and sticky-note passwords are over.


Infrastructure Security

SOC 2 Compliance

Our infrastructure meets SOC 2 Type II standards for security, availability, and confidentiality. We undergo regular third-party audits to verify compliance.

US-Based Data Centers

All data is stored in US-based data centers operated by leading cloud providers. Geographic redundancy ensures your data is protected against regional outages.

Regular Security Audits

We conduct regular penetration testing, vulnerability assessments, and code reviews. Third-party security firms verify our practices annually.

Incident Response

Our security team monitors systems 24/7. In the unlikely event of an incident, our response plan ensures rapid containment, investigation, and communication.


FEC Compliance

Automated Reporting

DonorSense includes built-in FEC compliance features that automate disclosure reporting, reducing errors and saving hours of manual work.

Contribution Limits

Automatic tracking of individual and aggregate contribution limits. Get alerts before limits are exceeded, not after.

Employer/Occupation Tracking

Required donor information is collected and validated at the point of entry. No more chasing donors for missing data before deadlines.

Audit Trails

Complete audit trails for all financial transactions. If the FEC comes knocking, you'll have the records they need.

State Compliance

Beyond federal requirements, we support state-specific disclosure requirements across all 50 states.


Data Privacy

You Own Your Data

Your data belongs to you. Period. We don't sell it, share it, or use it for anything except providing our service to you.

Data Portability

Export your data at any time in standard formats (CSV, JSON). If you leave Civitas, your data comes with you.

Retention Policies

Configure data retention policies that match your organization's requirements. Delete data when you no longer need it.

Privacy by Design

We collect only the data necessary to provide our service. We don't track more than we need, and we're transparent about what we do collect.


Compliance Certifications

  • SOC 2 Type II Compliant
  • GDPR Ready
  • CCPA Compliant
  • FEC Approved Methods

Physical Security

Data Center Security

Our cloud providers maintain 24/7 physical security, biometric access controls, and video surveillance at all data center facilities.

Employee Security

All Civitas employees undergo background checks. Access to production systems is limited to essential personnel and reviewed regularly.


Disaster Recovery

Geographic Redundancy

Data is replicated across multiple geographic regions. A disaster in one location doesn't mean data loss.

Regular Backups

Automated backups occur continuously. Point-in-time recovery is available for the past 30 days.

Tested Recovery Procedures

We regularly test our disaster recovery procedures to ensure we can restore service quickly when needed.


Reporting Security Issues

If you discover a security vulnerability, please report it responsibly to [email protected]. We take all reports seriously and will respond within 24 hours.


Questions?

Security Team: [email protected]

Compliance Inquiries: [email protected]

General Support: [email protected]


Security is not a feature—it's a foundation. Everything we build starts here.