Roster Giving

Security & Compliance

Everything your IT team needs to approve Roster.

SOC 2 Type II aligned. HIPAA-aligned. AES-256 encryption. No payroll API access. US data only.

SOC 2 Type II

HIPAA-Aligned

CSV-Only Architecture

AES-256 Encrypted

US Data Residency

Zero AI Retention

Compliance

SOC 2 Type II

Third-party verified security controls across Security, Availability, Confidentiality, Processing Integrity, and Privacy. Assessed over 6+ months of continuous operation, not a one-time snapshot. Hospital IT teams can request our security documentation and SOC 2 readiness assessment.

HIPAA Alignment

Employee roster data (name, email, department, giving history) is not PHI under HIPAA. Roster follows HIPAA-grade security practices anyway: encryption, access controls, audit logging. No BAA required.

Payroll Security

No API access to your payroll system. Ever.

Roster eliminates third-party API risk through file-based transfers only. Your payroll system never opens a door to any external service.

Step 1

Generate

Roster generates a CSV with new enrollments and changes.

Step 2

Deliver

File delivered to your payroll team via encrypted email or SFTP.

Step 3

Upload

Your team uploads to payroll, same as any other file.

Step 4

Done

Roster never touches your payroll system directly.

How your data flows, with zero API access

Architecture

Roster never touches your payroll system directly. File-based transfers eliminate 80% of typical security concerns.

[Architecture diagram]

  • Data sources: Payroll System (Workday / Oracle / ADP / UKG); HR / Employee Data (employee roster CSV exports); CRM (Razor's Edge / Salesforce)
  • Connection labels: CSV, CSV, API
  • Roster Giving Platform: AI Segmentation & Messaging, Ambassador Management, Payroll Automation, Workflow Builder
  • Outputs: Employee Giving Portal (self-service enrollment & updates); Board-Ready Reports (ROI dashboards & participation metrics); CRM Auto-Sync (giving data flows back to your CRM); Automated Stewardship (welcome, milestones, impact updates)
  • Badges: ZERO API ACCESS; SOC 2 · AES-256 · HIPAA-aligned; NO API TOKENS (no credentials shared)
  • Legend: CSV file transfer (encrypted); Native API integration (CRM only); No credentials required

IT Security FAQ

What's your SLA?

99.95% uptime. Real-time status page with incident history and maintenance windows.

How often do you patch vulnerabilities?

Critical: within 24 hours. High: within 1 week. Medium: within 30 days. Low: batched with regular releases.

How does the AI handle our data?

AI processes your data for platform features but does not retain it for model training. Your hospital's data never influences models for other customers.

What's your data retention policy?

Data retained while you use Roster. On cancellation: 30 days to download, then deleted. Backups purged after 90 days.

Do you have cyber liability insurance?

Yes. Covers data breaches and business interruption. Proof available on request.

What's your technology stack?

Supabase (AWS-backed US regions), PostgreSQL with Row Level Security, Vercel (edge-deployed, DDoS protected). 24/7 automated monitoring. Full architecture documentation available for IT review.

Vulnerability Disclosure

Found a security issue?

We take every security report seriously. Learn about our responsible disclosure process and how to submit a report.

Report a Vulnerability

Documents

Everything for IT approval.

Most hospital IT reviews complete in 1-2 weeks. We provide everything your team needs upfront.

  • Security Assessment & Compliance Documentation
  • Data Processing Agreement
  • Technical Architecture Overview
  • Incident Response Plan
  • IT Compliance Checklist
Request Security Documentation
