Security

Your financial data
deserves serious protection.

Nonprofit financial data is sensitive — donor records, grant details, payroll, board compensation. We treat it that way. Here’s exactly how Ciste is built to protect it.

Pre-launch transparency

Ciste is currently in development. The commitments on this page describe our architecture decisions and principles — not certifications yet earned. We plan to pursue SOC 2 Type II certification as the product matures. We will update this page as our security posture evolves.

Core commitments

How we protect your data.

🔐

Encryption everywhere

All data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Encryption is not optional and cannot be disabled. Your financial records are never transmitted or stored in plaintext.

🏗️

Schema-per-tenant isolation

Each organization's data lives in a completely separate database schema — not just a column filter. A software bug or misconfiguration cannot cause one organization's data to appear in another's account. This is a structural guarantee, not a policy.

👥

Role-based access controls

Six distinct roles control what each user can see and do: read-only board access, data-entry bookkeeper access, full admin, external accountant portal, period-adjustment role, and organization owner. No user can access more than their role permits.

📋

Immutable audit trail

Every transaction, edit, and user action is recorded in a tamper-evident version history. Records cannot be silently altered. If something changes, the history shows what changed, when, and who made the change — exactly what auditors need.
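
A hash chain is one common way to build the kind of tamper-evident history described above. The following Python is an added illustration, not Ciste's code; the entry fields, the all-zero starting value and the sample entries are assumptions constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first entry's prev_hash


def entry_digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_entry(log, actor, action, detail, ts):
    """Append an entry whose hash also covers the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    record = {"actor": actor, "action": action, "detail": detail, "ts": ts}
    entry = {"record": record, "prev_hash": prev_hash,
             "hash": entry_digest(prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log, expected_head=None):
    """Return the index of the first bad entry, or None if the log is intact.

    expected_head is the newest hash, kept where the log's writer cannot
    change it. Without it, a truncated or fully recomputed chain still
    verifies. A head mismatch is reported as index len(log).
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash:
            return i
        if entry["hash"] != entry_digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return None


def build_sample_log():
    # Constructed sample entries, not real data.
    log = []
    append_entry(log, "bookkeeper", "create", {"txn": 101, "amount": "250.00"}, "2024-01-05T10:00:00Z")
    append_entry(log, "bookkeeper", "edit", {"txn": 101, "amount": "275.00"}, "2024-01-06T09:30:00Z")
    append_entry(log, "admin", "approve", {"txn": 101}, "2024-01-06T11:00:00Z")
    return log
```

An auditor who holds the newest hash separately can rerun `verify_chain` and learn which entry was altered or whether entries were dropped from the end.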

🚫

Your data is never sold

Ciste's business model is subscriptions. Your organization's financial data is never sold, shared with advertisers, or used to train external models. The data you enter belongs to your organization.

📦

Data portability

You can export your complete data at any time — all transactions, journal entries, fund balances, and documents — as a ZIP archive of CSV files and PDF reports. No lock-in, no ransom, no waiting for permission.

Infrastructure

What runs under the hood.

Hosting: Cloud infrastructure with SOC 2 Type II certified providers
Database: PostgreSQL with schema-per-tenant isolation and encrypted backups
Authentication: Secure session management with role-based permission enforcement
Payments: Stripe — Ciste never stores credit card numbers
Email delivery: Authenticated transactional email with DKIM and SPF
Backups: Automated daily backups with point-in-time recovery

Access controls

The right people see the right things.

Financial data requires careful access control. A board member reviewing the annual budget shouldn’t have the same access as the bookkeeper entering transactions — and neither should have access to another organization’s records.

Ciste enforces role-based permissions at the application layer, with the schema-per-tenant isolation providing a second, structural layer of protection beneath it. Both layers must be breached for a cross-organization data leak to occur.

User roles

Organization owner: Full access, billing management, user invitations
Admin: Full accounting access, user management, no billing
Bookkeeper: Transaction entry, reconciliation, reports
Period adjustment: Bookkeeper access + posting to soft-closed periods
Board member: Read-only financial statements and reports
External accountant: Review and adjust entries via dedicated portal

Responsible disclosure

Found a security issue?

We take security reports seriously and will respond promptly. Please email us directly rather than filing a public issue.

security@cistemission.com

Secure by design.
Trusted by mission.

Join the early access list to be among the first nonprofits to use Ciste.