Volunteeria recognises that the confidentiality, integrity and availability of your organisation's data are vital to your operations and to the privacy of your volunteers. Security and data protection are built into the platform from the ground up - not bolted on afterwards - and our protocols are reviewed regularly.
We also believe in being straightforward. If you have questions from your trustees or a procurement team, we are happy to give honest, plain-English answers, complete your security or data-protection questionnaire, and put a Data Processing Agreement (DPA) in place so your obligations are covered clearly in writing.
Data Isolation
Each organisation's data lives in its own isolated PostgreSQL schema. There is no shared database space, no risk of data leakage between tenants, and no possibility of one organisation accessing another's volunteers, tasks, or messages.
- One schema per organisation
- Complete separation of volunteer records
- No cross-tenant queries possible
Encryption
All data transmitted between your browser and Volunteeria is encrypted in transit with HTTPS (TLS). Passwords are never stored in plain text - they are salted and hashed using PBKDF2-SHA256, an industry-standard algorithm. Uploaded files are stored securely with access restricted to authenticated users within your organisation.
- TLS encryption for all traffic
- Salted PBKDF2-SHA256 password hashing
- Secure, access-controlled file storage
Access Control
Organisation admins retain full control over who can access what. Role-based permissions ensure coordinators only see what they need, while admins manage settings, staff, and sensitive volunteer data. Access can be revoked instantly.
- Admin and coordinator roles
- Per-organisation permission boundaries
- Instant access revocation
Infrastructure
Volunteeria runs on Render's managed enterprise cloud infrastructure with Cloudflare protection in front. The PostgreSQL database is not exposed to the public internet, and automated daily backups mean your data can be recovered if the unexpected happens.
- Managed enterprise cloud hosting
- Cloudflare DDoS and SSL protection
- Database isolated from the public internet
- Automated daily backups
Audit & Compliance
Every significant change is logged. View per-volunteer audit trails, organisation-wide activity logs, and system audit records. Staff must accept terms of service, with legal acceptance tracked including timestamp and IP address.
- Full audit trails per volunteer
- Organisation activity logs
- Terms acceptance tracking
- GDPR data export and deletion
Session Security
Sessions expire after one hour of inactivity. Cryptographically random session tokens prevent stale requests from maintaining access after logout. CSRF protection guards against cross-site request forgery on all forms.
- 1-hour inactivity timeout
- Cryptographic session tokens
- CSRF protection on all forms
- Rate limiting on sensitive endpoints
Data Residency & Hosting
Volunteeria runs on secure enterprise cloud infrastructure, and every organisation's data is encrypted in transit and at rest. If your charity has a specific requirement to keep data within the European Economic Area (EEA), we can host your data in the EEA - just ask, and we will confirm the arrangement in writing.
- Encrypted in transit and at rest
- EEA data residency available on request
- Data Processing Agreement (DPA) available
- Happy to complete your security questionnaire
Additional security practices
Error monitoring
Sentry error tracking monitors the platform for issues. All error reports are scrubbed of PII before transmission - passwords, tokens, cookies, email addresses, and IP addresses are never sent to external services.
Database migrations
Schema changes are applied automatically and safely. New columns are added only when missing, with no destructive operations. This ensures data integrity is preserved during platform updates.
Email verification
All staff and volunteer accounts require email verification before full activation. Password reset tokens expire after 24 hours. Staff invitation tokens expire after 7 days.
Data policy
We provide clear data policies for both staff and volunteers. Organisations can export volunteer data at any time. Volunteers can request account deletion, with staff approval workflows ensuring responsible data handling.