Security & Compliance
VolunteerReady handles sensitive information — background checks, personal records, organizational data. Here's exactly how we protect it.
Security isn't a feature we added — it's how the platform was designed from day one.
Encryption at rest and in transit
All data is encrypted in transit with TLS 1.3 and at rest using AES-256. Background check tokens from Checkr are additionally encrypted with application-level encryption before storage.
FCRA-compliant background checks
Our Checkr integration includes the full adverse action workflow required by the Fair Credit Reporting Act — pre-adverse notice, waiting period, and final adverse action. Organizations stay compliant without legal expertise.
Multi-tenant data isolation
Every database query is scoped to the requesting organization. Volunteers see only their own data. Organizations cannot access each other's applicant pools, screening results, or credentials.
Role-based access control
Team members get the minimum permissions they need. Admins, coordinators, and viewers see different things. Every role change and permission grant is logged.
Audit logging
Every significant action — application approvals, credential issuance, background check requests, team changes — is logged with timestamps, attribution, and before/after state.
Data portability
Organizations can export their data anytime via CSV. Volunteers own their portable credentials. We don't hold your data hostage — if you leave, your data leaves with you.
FCRA (Fair Credit Reporting Act)
Full adverse action workflow for background checks: pre-adverse notice, mandatory waiting period, and final adverse action notice. Built into the screening flow — not an afterthought.
Soft delete and data retention
Records are soft-deleted, not permanently removed, ensuring audit trail integrity. Data retention policies align with legal requirements for employment and volunteer screening records.
Credential verification chain
Every portable credential tracks which organization issued it, when, and the evidence behind it. Credentials can be revoked with a full audit trail of the revocation.
Secure authentication
Authentication is powered by NextAuth with the Prisma adapter. Session management follows OWASP best practices. No password storage — OAuth providers handle credential security.
We know that nonprofits trust us with sensitive volunteer data, and volunteers trust us with their personal information. That trust is the foundation of everything we build. If you have questions about our security practices or need documentation for your compliance review, reach out — we're happy to help.