/ 04
Trust & legal.
The boring documents we’d want to read if we were on your side of the table. Plus a short summary of the four things that come up most often in procurement.
/ the short version
Four answers to four questions.
i. Auth model
Passkey-first sign-in with WebAuthn. Google and Microsoft SSO with minimal OIDC scopes. Email magic-links as a fallback. No passwords stored, no password-reset surface to defend.
ii. Data isolation
Multi-tenant Postgres with row-level security enforced at the database. Every tenant-scoped query passes through a guarded context that sets the RLS scope for the connection.
iii. Export commitment
Every customer can export their tenant’s data at any time. Open standards, owned data, exportable everything - the commitment that keeps the software honest while you stay.
iv. Accessibility
Built against WCAG 2.2 AA. axe-core in CI, NVDA + VoiceOver sweeps before every release. Semantic HTML, landmark regions, visible focus rings, keyboard parity for every interaction.
/ the documents
Everything we put in writing.
Privacy policy
What we collect, why, and what we won’t.
Terms of use
The contract between Foundation Collab and your foundation.
Security
Encryption, access control, incident response.
Data processing addendum
For GDPR-touched orgs: the DPA we sign as a sub-processor.
Sub-processors
Every third party that touches your data, and what they touch.
Accessibility
WCAG conformance statement + assistive-tech notes.
Cookies
What we set, why, and how to manage them.
/ responsible disclosure
Found something? Tell us first.
Coordinated disclosure is documented in our security.txt. If you’ve found something, please email [email protected]. We acknowledge within one business day and credit responsible disclosure on the security page.