Last updated: April 11, 2026

Security

Nonprofit Runway handles sensitive financial data on behalf of nonprofit organizations. We take that responsibility seriously. This page describes how we protect your data and how to report a vulnerability.

Technical controls

Encryption in transit
All traffic is served over TLS 1.2+. HTTPS is enforced with HSTS (max-age 2 years) in production.
Encryption at rest
Bank access tokens and API keys are encrypted with AES-256-GCM before being stored in the database.
Password security
Passwords are hashed with bcrypt (cost factor 12). Plaintext passwords are never stored or logged.
Account lockout
10 consecutive failed login attempts trigger a 30-minute lockout to prevent brute-force attacks.
Rate limiting
Authentication endpoints are rate-limited to 10 attempts per 15 minutes per IP. API calls are limited to 200 per 15 minutes.
Role-based access control
Three roles (member, admin, platform_admin) control access to sensitive operations. Every admin action is recorded in an immutable audit log.
Session security
Authentication uses JSON Web Tokens (JWTs) stored in cookies with the HttpOnly, Secure, and SameSite=Lax attributes. Tokens expire after 30 days.
Geolocation monitoring
Logins from outside the United States are flagged in the audit log for security review.

Infrastructure

Nonprofit Runway is hosted on Render, a SOC 2 Type II certified cloud platform. All data is stored in the United States. Render provides DDoS protection, automatic TLS certificate management, and infrastructure-level security controls.

Our PostgreSQL database is a managed Render PostgreSQL instance with automated backups, point-in-time recovery, and network-level access restrictions.

Plaid integration

Bank connections use Plaid's Link interface, which handles your bank credentials directly. Nonprofit Runway never sees or stores your bank username or password. We receive only an encrypted access token from Plaid, which is re-encrypted with our own AES-256-GCM key before being stored.

We participate in Plaid's webhook notification system so that we are alerted if a bank connection is revoked or encounters an error, and we surface that status in your admin panel.

Responsible disclosure

Report a vulnerability

If you discover a security vulnerability in Nonprofit Runway, please report it responsibly by emailing security@nonprofitrunway.com.

Please include a description of the vulnerability, steps to reproduce, and the potential impact. We aim to respond within 24 hours and will keep you informed as we investigate and resolve the issue.

We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it (typically 30 days). We do not currently offer a bug bounty program, but we deeply appreciate responsible disclosure.