Your Data Security Is Our Priority
We implement industry-standard security practices to protect your organization's data. Here is an honest overview of the measures we have in place today.
Our Security Commitment
As a platform trusted by nonprofits to manage sensitive program and participant data, we understand the responsibility that comes with that trust. We are committed to protecting your information with robust, transparent security practices.
We believe in being straightforward about what we do and where we are headed. Below you will find an honest description of our current security measures and our roadmap for formal compliance certifications.
Current Security Practices
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using TLS/HTTPS. This ensures that your information cannot be read by unauthorized parties who intercept it during transmission.
Secure Authentication
User authentication is handled through OAuth 2.0, an industry-standard protocol. Sessions are managed with signed, HTTP-only cookies, which cannot be read by client-side scripts and so protect session data against theft through cross-site scripting attacks. No passwords are stored on our servers.
Enterprise-Grade Infrastructure
Our application runs on managed cloud infrastructure with automatic scaling, redundancy, and regular backups. The database is hosted on TiDB, a distributed SQL platform with built-in high availability.
Role-Based Access Control
Organizations can manage team members with role-based permissions. Only authorized users within your organization can access your data. API keys and secrets are stored securely and never exposed to the client.
PCI-Compliant Payments
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store, process, or have access to your credit card numbers or payment details.
Cloud-Hosted Data Storage
Your data is stored on cloud infrastructure provided by reputable providers. File storage uses Amazon S3 with access controls. We are evaluating data residency options for organizations with specific geographic requirements.
Your Data Belongs to You
We believe your data is your property. You maintain full ownership and control over all information you enter into Instrumento.io. We do not sell, share, or use your data for advertising purposes.
You can export your data at any time through our dashboard export features. If you choose to close your account, we will delete your data from our systems upon request.
Our Data Promise
- Your data is never sold to third parties
- Your data is never used for advertising
- You can export your data at any time
- Data is deleted upon account closure request
Our Compliance Roadmap
We are actively working toward formal security certifications. While we do not hold these certifications today, here is our planned path forward.
Current: Security Best Practices
Implementing and documenting industry-standard security controls, encryption, access management, and incident response procedures.
Next: SOC 2 Type I
Working toward a point-in-time assessment of our security controls by an independent auditor, validating our security posture.
Future: SOC 2 Type II
Pursuing continuous compliance certification that demonstrates our security controls are effective over an extended review period.