Compliance

Compliance at Stashlete, Inc.

At Stashlete, Inc., we are dedicated to maintaining the highest levels of security, data protection, and regulatory compliance. As a fundraising platform that deals with sensitive user data and financial transactions, ensuring that our users, nonprofit partners, and other stakeholders trust us is paramount. We partner with industry-leading organizations, such as Vanta, Stripe, and Plaid, to ensure that we adhere to stringent security protocols and comply with industry regulations like SOC 2, PCI DSS, and COPPA. This ensures a robust and comprehensive compliance framework, providing peace of mind to all who engage with our platform.

Our Compliance Framework

At Stashlete, compliance is not just about meeting minimum requirements—it’s about fostering an environment where security, privacy, and transparency are built into the core of our operations. Our compliance framework covers the following key areas:

  • SOC 2 Compliance – Managed by Vanta
  • PCI DSS Compliance – Ensuring payment security
  • COPPA Compliance – Protecting children’s privacy
  • Payment Processing Security – Managed by Stripe and Plaid
  • Data Privacy and Security – Built into our core systems
  • Continuous Monitoring and Improvement

SOC 2 Compliance

Stashlete is committed to protecting user data through compliance with Service Organization Control 2 (SOC 2). SOC 2 is a comprehensive framework for ensuring that an organization’s systems are secure, reliable, and capable of protecting sensitive information. It is based on five key principles: security, availability, processing integrity, confidentiality, and privacy.

We partner with Vanta to ensure that we maintain our SOC 2 compliance through:

  • Security: Protecting our systems and data from unauthorized access.
  • Availability: Ensuring that our platform is operational and accessible to our users when they need it.
  • Processing Integrity: Guaranteeing that all transactions and processes are executed accurately and reliably.
  • Confidentiality: Securing sensitive information from unauthorized disclosure.
  • Privacy: Handling personal data in accordance with regulatory requirements and best practices, including GDPR and CCPA.

With Vanta’s continuous monitoring tools, Stashlete ensures that we maintain our SOC 2 compliance at all times, with automated audits and security checks to identify potential risks and respond proactively.

PCI DSS Compliance

To handle financial transactions securely, Stashlete adheres to the Payment Card Industry Data Security Standard (PCI DSS). This set of requirements ensures that all organizations that handle credit card payments process, store, and transmit cardholder data in a secure environment. Compliance with PCI DSS is critical to protecting sensitive payment data and minimizing the risk of fraud.

Our PCI DSS compliance includes:

  • Data Encryption: All sensitive payment data is encrypted using AES-256 encryption, both in transit and at rest.
  • Access Control: Only authorized personnel have access to cardholder data, and strict controls are in place to manage this access.
  • Tokenization: Sensitive card details are tokenized, replacing them with a non-sensitive equivalent to reduce exposure.
  • Fraud Monitoring: We use fraud detection tools, in partnership with Stripe and Plaid, to monitor transactions for suspicious activities.

Regular audits and assessments help ensure that Stashlete remains compliant with PCI DSS standards and that any new payment features or functionalities adhere to the latest security protocols.

COPPA Compliance

As part of our commitment to protecting all users on our platform, Stashlete complies with the Children’s Online Privacy Protection Act (COPPA). This federal law imposes specific requirements on websites and services directed at children under the age of 13, ensuring that their privacy is protected.

To ensure COPPA compliance, Stashlete has implemented stringent policies, including:

  • Parental Consent: Before collecting any personal data from children under 13, we obtain verified parental consent.
  • Data Minimization: We limit the data collected from minors to what is necessary for the function of our services.
  • Transparency: We provide clear and accessible privacy notices to parents, explaining what information we collect from children, how it is used, and how it is protected.
  • Data Deletion: Parents have the right to request that their child’s data be deleted from our systems, and we provide a straightforward process for such requests.

By adhering to COPPA guidelines, Stashlete ensures that any interactions with users under 13 are handled in a safe, responsible, and legally compliant manner.

Stripe and Plaid: Payment Processor Partners

Stripe and Plaid are our trusted partners for processing payments on the Stashlete platform. These industry-leading solutions help us handle financial transactions securely, ensuring compliance with all regulatory and security requirements.

  • Stripe: As a PCI DSS Level 1 certified payment processor, Stripe ensures that all transactions—whether credit card payments, ACH transfers, or wire payments—are processed securely. Stripe uses advanced encryption protocols, tokenization, and fraud detection to safeguard every transaction on Stashlete. Stripe is also compliant with SOC 2, ISO 27001, and other critical security certifications, ensuring that all payment data processed through our platform meets global security standards.
  • Plaid: Plaid connects Stashlete users’ bank accounts to facilitate secure ACH transfers, allowing for automated payment transfers and donation round-ups. Plaid ensures that all financial data is securely handled, following stringent compliance guidelines for SOC 2, ISO 27001, and GDPR. Plaid’s APIs for Auth, Transactions, and Liabilities allow Stashlete to offer a seamless and secure payment experience, ensuring that donations and payments are processed quickly and accurately.

Data Privacy and Security

At Stashlete, we are deeply committed to protecting the privacy and security of all user data. Our approach to data privacy includes strict policies and cutting-edge technologies to ensure that user data is always protected from unauthorized access or breaches.

Key elements of our data security strategy include:

  • End-to-End Encryption: All data, both in transit and at rest, is encrypted using state-of-the-art encryption algorithms (AES-256) to protect it from unauthorized access.
  • Multi-Factor Authentication (MFA): We require MFA for all administrative accounts, ensuring that unauthorized individuals cannot gain access to sensitive data or systems.
  • Strict Access Controls: Only authorized personnel have access to user data, and all access is logged and monitored to ensure accountability.
  • Incident Response: We have established a comprehensive incident response plan to quickly detect, respond to, and mitigate any potential security incidents.

Ongoing Monitoring and Auditing

Compliance is an ongoing process that requires constant vigilance. To maintain the highest levels of compliance, Stashlete employs the following practices:

  • Real-Time Monitoring: Our systems are continuously monitored for security threats, unauthorized access attempts, and suspicious activity.
  • Automated Auditing: With Vanta’s assistance, we conduct regular internal audits to assess our compliance with SOC 2, PCI DSS, and other regulatory standards. These audits help us identify any areas for improvement and ensure that we stay ahead of emerging threats.
  • Employee Training: All employees receive regular training on data protection, privacy regulations, and security best practices. This ensures that everyone at Stashlete understands their role in maintaining a secure and compliant environment.

Transparency and Accountability

At Stashlete, we believe that transparency and accountability are critical to building trust with our users and partners. We regularly review and update our compliance policies and ensure that any changes are communicated clearly to all stakeholders. Our partnership with Vanta ensures that we maintain detailed and up-to-date documentation of our compliance practices, and we welcome any inquiries from nonprofits, partners, or regulators about our security measures.

Conclusion

Compliance is not just a checkbox at Stashlete—it’s the foundation of everything we do. With our trusted partners Vanta, Stripe, and Plaid, we ensure that our platform meets the most stringent security and compliance standards. From SOC 2 and PCI DSS to COPPA compliance, we are committed to protecting the data and privacy of all our users while providing a seamless and secure fundraising experience.

For any questions regarding our compliance practices, please feel free to contact our compliance team at contact@stashlete.com.