
Security & Compliance

Effective date: January 1, 2026

1. Our approach to security

Orthoplex Solutions operates DonorsBase as a multi-tenant software platform that handles donations and donor records on behalf of charities and non-profit organizations. We treat the security and privacy of that data as core product requirements. This page summarises the controls we maintain. It is written for charity administrators, donors, and the IT and compliance teams that review platforms like ours.

2. An Orthoplex product

DonorsBase is built and operated by Orthoplex Solutions. Every Orthoplex product follows the same internal security standards covering secure software development, infrastructure hardening, access management, change control, vulnerability management, vendor review, and incident response. The controls described on this page are the DonorsBase-specific application of those standards. More information about Orthoplex Solutions is available at https://orthoplexsolutions.com.

3. Data encryption

  • In transit: every connection to and from DonorsBase is encrypted using modern transport-layer security. Plaintext access is rejected.
  • At rest: the databases and backups that hold customer data are encrypted at rest at the storage layer, with keys managed by a hardened key-management service.
  • Sensitive credentials: passwords are stored as one-way hashes using a modern password-hashing function. Sensitive third-party credentials used by integrations are stored in encrypted form.

4. Payment security

Card numbers and bank-account details are collected directly by regulated payment processors using their hosted, tokenised fields. DonorsBase never sees, stores, or transmits a primary account number. This dramatically reduces PCI-DSS scope for the charities that use the platform.

Inbound payment notifications are signature-verified before they are accepted, so a third party cannot forge a payment event into the system.
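To make the previous paragraph concrete, here is an added example of the kind of check it describes: an HMAC-signed payment notification is accepted only if the signature recomputes over the exact body received and the signed timestamp is fresh. This is illustrative code written for this page, not DonorsBase's or any payment processor's implementation; the header names, the timestamp-plus-body signing format, the 300-second freshness window and the shared secret are all assumptions.

```python
import hashlib
import hmac
import json

# Assumed shared secret issued by the payment processor (constructed for this example;
# real schemes differ in header names, encoding and secret rotation).
WEBHOOK_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 300  # assumed tolerance between the signed timestamp and our clock


def sign_event(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", so the timestamp is bound into the MAC."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_event(secret: bytes, header_ts, header_sig, body: bytes, now: int) -> bool:
    """True only if the signature matches the body and the timestamp is within the window."""
    try:
        ts = int(header_ts)
    except (TypeError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: treat as a replay attempt
    if not isinstance(header_sig, str) or not header_sig.isascii():
        return False
    expected = sign_event(secret, ts, body)
    # compare_digest runs in time independent of where the strings first differ
    return hmac.compare_digest(expected, header_sig)


def handle_webhook(headers: dict, body: bytes, now: int, secret: bytes = WEBHOOK_SECRET):
    """Verify before parsing: unverified bytes never reach the JSON decoder or business logic."""
    if not verify_event(secret, headers.get("X-Timestamp"), headers.get("X-Signature"), body, now):
        return ("rejected", None)
    event = json.loads(body)
    return ("accepted", event["type"])


def demo():
    """Run the verifier against a genuine, a tampered, a stale and an unsigned notification."""
    now = 1_700_000_000
    # Constructed sample payload; not a real processor event
    body = b'{"type":"payment.succeeded","amount_cents":2500,"donor_ref":"D-123"}'
    good_headers = {"X-Timestamp": str(now), "X-Signature": sign_event(WEBHOOK_SECRET, now, body)}
    tampered_body = body.replace(b"2500", b"250000")  # same headers, altered amount
    old = now - 3600
    stale_headers = {"X-Timestamp": str(old), "X-Signature": sign_event(WEBHOOK_SECRET, old, body)}
    return {
        "genuine": handle_webhook(good_headers, body, now),
        "tampered": handle_webhook(good_headers, tampered_body, now),
        "stale": handle_webhook(stale_headers, body, now),
        "unsigned": handle_webhook({}, body, now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

Verifying over the raw bytes (rather than a re-serialised parsed object) matters: any canonicalisation step between receipt and verification gives an attacker room to change what the application sees without changing what was signed.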

5. Multi-tenant isolation

Each charity using DonorsBase operates in its own logical tenant. Donor records, donations, communications, integrations, and reports are scoped to the tenant on every read and write. A donor's data is never visible to a charity that did not receive the donation, and a charity's records are never visible to another charity on the platform.
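The "scoped on every read and write" property above is easiest to guarantee when the tenant is bound once and every data-access method carries it. The following added example (written for this page, not DonorsBase's code) shows that pattern with an in-memory store standing in for the database: a donor who gives to two charities appears in each charity's view with only that charity's donation, and a cross-tenant lookup or refund fails closed. The record fields, the `TenantScopeError` exception and the store API are all constructed for the illustration.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Donation:
    id: int
    tenant_id: str  # the charity that received the donation
    donor_ref: str  # the donor, who may give to several charities
    amount_cents: int
    refunded: bool = False


class TenantScopeError(Exception):
    """Raised when a write names a record outside the caller's tenant."""


class DonationStore:
    """Stand-in for the database. Every method takes tenant_id and applies it in the query itself."""

    def __init__(self):
        self._rows: dict[int, Donation] = {}
        self._ids = itertools.count(1)

    def create(self, tenant_id: str, donor_ref: str, amount_cents: int) -> Donation:
        row = Donation(next(self._ids), tenant_id, donor_ref, amount_cents)
        self._rows[row.id] = row
        return row

    def get(self, tenant_id: str, donation_id: int):
        row = self._rows.get(donation_id)
        # The tenant filter is part of the lookup: a wrong-tenant id is indistinguishable from a missing one
        return row if row is not None and row.tenant_id == tenant_id else None

    def list_for_donor(self, tenant_id: str, donor_ref: str) -> list:
        return [r for r in self._rows.values() if r.tenant_id == tenant_id and r.donor_ref == donor_ref]

    def refund(self, tenant_id: str, donation_id: int) -> Donation:
        row = self.get(tenant_id, donation_id)
        if row is None:
            raise TenantScopeError(f"donation {donation_id} is not in tenant {tenant_id}")
        updated = Donation(row.id, row.tenant_id, row.donor_ref, row.amount_cents, refunded=True)
        self._rows[row.id] = updated
        return updated


class TenantSession:
    """Binds one tenant for the life of a request, so handlers cannot pass the wrong tenant by mistake."""

    def __init__(self, store: DonationStore, tenant_id: str):
        self._store, self.tenant_id = store, tenant_id

    def get(self, donation_id):
        return self._store.get(self.tenant_id, donation_id)

    def list_for_donor(self, donor_ref):
        return self._store.list_for_donor(self.tenant_id, donor_ref)

    def refund(self, donation_id):
        return self._store.refund(self.tenant_id, donation_id)


def demo():
    """Donor D-123 gives to two charities; each charity's session sees only its own record."""
    store = DonationStore()
    a = store.create("charity-a", "D-123", 2500)   # constructed sample data
    b = store.create("charity-b", "D-123", 4000)
    sess_a, sess_b = TenantSession(store, "charity-a"), TenantSession(store, "charity-b")
    try:
        sess_b.refund(a.id)                        # B attempts to refund A's donation
        cross_tenant_refund = "allowed"
    except TenantScopeError:
        cross_tenant_refund = "blocked"
    return {
        "a_sees": [d.id for d in sess_a.list_for_donor("D-123")],
        "b_sees": [d.id for d in sess_b.list_for_donor("D-123")],
        "b_reads_a": sess_b.get(a.id),
        "cross_tenant_refund": cross_tenant_refund,
        "a_refund_ok": sess_a.refund(a.id).refunded,
        "b_untouched": store.get("charity-b", b.id).refunded,
    }


if __name__ == "__main__":
    print(demo())
```

Returning `None` for a wrong-tenant id, rather than a distinct "exists but not yours" error, also avoids leaking whether a given record id exists on the platform at all.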

6. Access controls and least privilege

  • Charity-side staff accounts use role-based permissions with a least-privilege default. Roles can be tailored per user so finance staff can review donations without modifying donor records, fundraisers can edit donors without seeing the audit log, and so on.
  • Two-factor authentication is available for staff accounts and required for senior administrative roles.
  • Internal Orthoplex Solutions staff access to production systems is granted only to a small number of named engineers, requires multi-factor authentication, and is reviewed on a regular cadence.
  • Customer-support impersonation, when used, is recorded with the support agent's identity and the actions taken so the charity has a complete record.

7. Audit logging

Administrative actions inside a charity's account — donor edits, refunds, role changes, integration changes — are recorded in an audit log with the actor, the timestamp, and the change made. The audit log is retained for the period documented in our data-retention policy and is available to charity administrators for review.

8. Backups and disaster recovery

Customer data is backed up on a regular schedule with encrypted, off-site copies. Backups support point-in-time recovery so we can restore to a specific moment in the recent past. Restore procedures are exercised on a recurring cadence so that we know — not just hope — they work.

9. Vendor and subprocessor management

DonorsBase relies on a small number of carefully chosen subprocessors for hosting, payment processing, email delivery, analytics, and similar functions. Each subprocessor is reviewed for security posture and binding data-protection obligations before being engaged. A current list of subprocessors is available to customers on request.

10. Donor data and privacy rights

  • Each charity is the data controller for its donors; Orthoplex Solutions acts as the data processor. Charities are responsible for obtaining the consents the law in their jurisdiction requires.
  • We support donor rights aligned with GDPR, UK GDPR, and CCPA / CPRA: access, correction, export, and erasure. Charities can fulfil these requests for their donors through the platform.
  • Marketing emails carry one-click unsubscribe and a suppression list that is honoured across all sends — not just the next campaign.
  • Privacy questions can be sent to support@donorsbase.com.

11. Incident response

We maintain an incident-response process covering detection, triage, customer communication, and post-incident review. In the event of a confirmed security incident affecting a customer's data, we notify the affected customers without undue delay and in line with applicable data-protection law.

12. Compliance posture

  • PCI-DSS: cardholder data is processed by regulated payment partners; DonorsBase itself is built to remain out of cardholder-data scope.
  • GDPR / UK GDPR: we offer the operational capabilities customers need to comply, including processor agreements, donor data export, and donor data erasure.
  • CCPA / CPRA: comparable export and deletion rights are supported for donors with applicable California ties.
  • Independent attestations: we are pursuing recognised third-party security attestations on a published timeline; current customers can request the latest status of that work.

13. Responsible disclosure

If you believe you have found a vulnerability in DonorsBase, please email support@donorsbase.com with a description and steps to reproduce. We acknowledge reports promptly, work the issue through to a fix, and credit researchers who follow responsible-disclosure practices. We ask that researchers do not access data that is not their own, avoid disruption to the platform, and give us a reasonable window to address the issue before public disclosure.

14. Data residency

Production data is hosted in regions designed to serve our primary customer base. Customers with specific regional residency requirements can discuss options with us; enterprise customers can also discuss dedicated environments.

15. Updates to this page

We may update this page as the platform and our compliance program evolve. Material changes will be reflected in the effective date above.

16. Contact

For security and privacy questions, email support@donorsbase.com. More about Orthoplex Solutions: https://orthoplexsolutions.com.

© 2026 DonorsBase. All rights reserved.