Security
FundMesa holds sensitive information for the nonprofits that use it — grant budgets, personnel salaries, funder relationships. This page describes exactly how we protect it, in plain language, and is honest about what we don't yet claim.
Keeping organizations separate
FundMesa runs every customer organization in a shared system, and the core promise is that one organization can never read or write another's data. That promise is enforced by several independent layers, each a backstop for the one before it:
- Every database read and write is scoped to the signed-in organization at the application layer.
- Postgres row-level security is enabled and forced on every table that holds customer data, as an independent backstop — a drift guard in our test suite fails the build if a new customer-data table ships without it.
- A boot-time check refuses to start the app if its database role is able to bypass row-level security.
- File storage is authorized by an org-scoped key-prefix guard on every read, write, and delete.
- A continuous automated test probes for cross-tenant access on every change.
Encryption
All traffic to FundMesa is encrypted in transit over HTTPS. Data at rest is encrypted by our database and object-storage providers. On top of that, credentials for third-party accounting integrations are encrypted by the application with AES-256-GCM before they're stored, and calendar-feed tokens are stored only as one-way hashes — a database leak would expose neither in usable form.
Access and authentication
Accounts sign in with email and password, and email verification is required. Two-factor authentication is available using any authenticator app, with single-use backup codes, and repeated failed attempts trigger an automatic lockout. Inside an organization, role-based permissions (owner, coordinator, program staff, and viewer) control who can see and change what, and rate limits protect authentication and other sensitive endpoints from abuse.
Backups and recovery
Customer data lives in managed Postgres with point-in-time recovery. We have run a full restore drill end to end — restoring to a separate database and verifying the data came back intact — so recovery is a tested procedure, not an untested assumption.
Audit logging and monitoring
Administrative actions are recorded to an append-only audit log: there is a single code path that writes to it and no code path anywhere that updates or deletes its entries. Customer-facing records carry their own activity timeline of changes. Application errors are captured by our monitoring provider with personally identifying fields, request bodies, and auth headers scrubbed in the browser before anything is sent.
We also run a Content-Security-Policy in report-only monitoring mode, which reports potential content-injection issues to us for review. (It observes and reports; we have not yet moved it to a blocking configuration.)
Sub-processors
Operating FundMesa means routing your data through a small set of service providers, all based in the United States. We publish the complete list — with each provider's role and data region — and update it before any material change:
- Vercel — Application hosting
- Neon — Managed Postgres database
- Cloudflare R2 — File storage for your attachments
- Resend — Transactional and reminder email
- Anthropic — Optional AI document extraction — never used to train models
- Sentry — Error monitoring (PII scrubbed before events are sent)
- GitHub Actions — Scheduled jobs — invokes signed endpoints, no direct data access
The full, current list lives at app.fundmesa.com/sub-processors.
Compliance
SOC 2 Type II: on our roadmap. We are building toward it and will update this page when there is something concrete to report. We don't currently hold SOC 2, HIPAA, or other formal certifications, and we won't claim controls we haven't earned — what's on this page is what's actually in place today.
Reporting a vulnerability
If you believe you've found a security vulnerability, please email security@fundmesa.com with the details and how to reproduce it. We'll acknowledge your report, keep you updated as we investigate, and ask that you give us a reasonable chance to fix the issue before disclosing it publicly. We're grateful to the researchers who help keep FundMesa safe.
Our machine-readable policy is published at /.well-known/security.txt.
Last reviewed: July 4, 2026.