Trust & Security
Last updated: 9 April 2026
Impact Cloud is built for organisations that need reliable, auditable collaboration around programmes and finance. This page summarises our posture; detailed internal references are maintained in our open documentation for customer due diligence.
Security practices (summary)
- Multi-tenant isolation in the database using row-level access controls.
- Encryption in transit (HTTPS/TLS) for users and service integrations.
- Authentication via Supabase; session and CSRF protections in the application layer.
- Webhook authenticity for payment partners (HMAC-verified inbound events).
- Logging designed to keep unnecessary personal data and full LLM content out of production logs.
For a fuller narrative, request our Security overview document (the team can find it in the repository at docs/compliance/SECURITY_OVERVIEW.md; customers receive a PDF or link as appropriate).
Subprocessors
We rely on subprocessors for hosting, database, authentication, maps, optional analytics, and optional AI APIs. Key names include Vercel, Supabase, MassPay, and, when configured, LLM providers (OpenAI, Anthropic, Google) and Mixpanel. A tabular register is maintained in SUBPROCESSORS.md in our documentation pack.
Payments / PCI scope
Card data is handled by MassPay (or your configured PSP). Impact Cloud does not store full card numbers in standard product databases. See PCI_SCOPE.md in our compliance pack.
Privacy
See our Privacy Policy. For data subject requests, contact privacy@impact.cloud (update for production).
Organisation controls
We maintain lightweight policies (access, incidents, vendors, secure development) and an evidence calendar for recurring reviews. Formal SOC 2 or ISO 27001 certification is optional; see CERTIFICATION_PATH.md in our internal docs.
Operational contact and customer-specific assurances may be provided under NDA or in your order form.