Volunteeria recognises that the confidentiality, integrity and availability of your organisation's data are vital to your operations and the privacy of your volunteers. We have built a culture that places the utmost importance on security and data protection, with frequent reviews of our security protocols and adherence to the highest industry standards.
Data Isolation
Each organisation's data lives in its own isolated PostgreSQL schema. There is no shared database space, no risk of data leakage between tenants, and no possibility of one organisation accessing another's volunteers, tasks, or messages.
- One schema per organisation
- Complete separation of volunteer records
- No cross-tenant queries possible
Encryption
All data transmitted between your browser and Volunteeria is encrypted with HTTPS. Passwords are hashed using industry-standard bcrypt. Uploaded files are stored securely with access restricted to authenticated users within your organisation.
- TLS encryption for all traffic
- Bcrypt password hashing
- Secure file storage
Access Control
Organisation admins retain full control over who can access what. Role-based permissions ensure coordinators only see what they need, while admins manage settings, staff, and sensitive volunteer data. Access can be revoked instantly.
- Admin and coordinator roles
- Per-organisation permission boundaries
- Instant access revocation
Infrastructure
Volunteeria runs on Render's managed infrastructure with Cloudflare protection. Our PostgreSQL database is not accessible from the public internet. Automatic point-in-time recovery backups ensure your data is always recoverable.
- Render managed hosting
- Cloudflare DDoS and SSL protection
- Database isolated from public internet
- Point-in-time recovery backups
Audit & Compliance
Every significant change is logged. View per-volunteer audit trails, organisation-wide activity logs, and system audit records. Staff must accept terms of service, with legal acceptance tracked including timestamp and IP address.
- Full audit trails per volunteer
- Organisation activity logs
- Terms acceptance tracking
- GDPR data export and deletion
Session Security
Sessions expire after one hour of inactivity. Cryptographically random session tokens prevent stale requests from maintaining access after logout. CSRF protection guards against cross-site request forgery on all forms.
- 1-hour inactivity timeout
- Cryptographic session tokens
- CSRF protection on all forms
- Rate limiting on sensitive endpoints
Additional security practices
Error monitoring
Sentry error tracking monitors the platform for issues. All error reports are scrubbed of PII before transmission - passwords, tokens, cookies, email addresses, and IP addresses are never sent to external services.
Database migrations
Schema changes are applied automatically and safely. New columns are added only when missing, with no destructive operations. This ensures data integrity is preserved during platform updates.
Email verification
All staff and volunteer accounts require email verification before full activation. Password reset tokens expire after 24 hours. Staff invitation tokens expire after 7 days.
Data policy
We provide clear data policies for both staff and volunteers. Organisations can export volunteer data at any time. Volunteers can request account deletion, with staff approval workflows ensuring responsible data handling.