Our approach
Workspace isolation
Every organization’s workspace is isolated. Every database query in the product is scoped to your workspace, and that rule is enforced by an automated check that runs on every build: code that touches workspace tables without workspace scoping fails and cannot ship. The application connects to the database with a least-privilege role, and row-level security in the database provides defense in depth behind the application checks. Public identifiers for people are deliberately non-sequential, so records cannot be enumerated by walking IDs.
Account security
Passwords are hashed with argon2id (64 MB memory cost), the current best practice, and are never stored or logged in plain text. At signup, passwords are checked against known breach corpora and you are warned before choosing one that has leaked elsewhere. Passkeys (WebAuthn) are supported for phishing-resistant sign-in. Two-factor authentication challenges sign-ins from a new device or location with a short-lived one-time code, and workspace admins can require 2FA for everyone in the organization. Sessions use a short-lived access token plus a refresh token kept in an HttpOnly, secure cookie that page scripts cannot read. Session and refresh tokens are stored server-side only as SHA-256 hashes, so a database leak does not yield usable sessions. Sessions expire after 24 hours, or 30 days with “remember me”, and you can see and revoke your active sessions. Abuse resistance: sign-in attempts are rate limited per IP, verification codes expire in minutes and allow limited attempts, and sign-in responses are constant-time so attackers cannot discover which emails have accounts.
Encryption
All traffic is encrypted in transit with TLS, with HSTS enforced. The application sets a strict content security policy and does not allow itself to be framed by other sites. Database connections are encrypted, and stored data is encrypted at rest by the hosting platform. OAuth tokens for connected mailboxes (Gmail, Microsoft 365) get an extra application-level layer: AES-256-GCM encryption with a key held outside the database. Secrets that only need comparison (session tokens, verification codes, reset codes, volunteer device sessions) are stored as one-way hashes, never as plaintext.
Field and volunteer access
Payments
Integrations and webhooks
Every inbound webhook is authenticated before we act on it: Stripe events by signature, SendGrid events by ECDSA signature, and Postmark events by a shared token compared in constant time. Mailbox sync is opt-in per workspace, scoped by OAuth consent, disconnectable at any time, and its tokens are encrypted as described above. API keys for integrations are generated per workspace and revocable.
Sending protections
Infrastructure, residency and backups
The platform runs on Microsoft Azure, with workspaces hosted in Canada by default; Movement workspaces choose their region (Canada, US, EU or UK) at creation and stay there for processing and backups. The marketing site and public pages are served from Cloudflare’s edge with strict TLS between the edge and our origin. Databases are backed up automatically every day, with backups retained for 7 days in the workspace’s region. Deleted data therefore leaves backups within 7 days of leaving the live database.
Audit trails
What we do not claim
Reporting a vulnerability
Questions about this document?
Write to [email protected] and a human replies. We are happy to walk through any of it.
