Section 10

Security & Compliance

Data protection, compliance, and our security-first approach.

VOLY handles sensitive data—personal information, background check results, and organizational data for nonprofits and volunteers. We take data security seriously and will build security into the platform architecture from the ground up, not as an afterthought.

Security Measures

  • Data Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.2+). Database encryption using cloud-native key management services.
  • Authentication & Authorization: Multi-factor authentication support, OAuth 2.0 / OIDC integration, role-based access control (RBAC) with granular permissions per user type.
  • Application Security: OWASP Top 10 protections, input validation, SQL injection prevention, XSS protection, CSRF tokens, rate limiting, and API authentication.
  • Infrastructure Security: Network isolation (VPC), security groups, WAF protection, DDoS mitigation, regular vulnerability scanning, and penetration testing.
  • PII Handling: Data minimization practices, consent-based data collection, data retention policies, right-to-delete capabilities, and audit logging for all PII access.
  • Background Check Data: Special handling protocols for FCRA-regulated data, including access restrictions, secure transmission with provider APIs, and compliant storage and retention.
  • Monitoring & Incident Response: Real-time security monitoring, automated alerting, documented incident response procedures, and regular security reviews.

Compliance

We will design and build the platform in alignment with SOC 2 Type II controls and will support VolunteerNow through any audit or compliance processes. Our development practices include secure code review, dependency scanning, and regular security assessment.

We are also prepared to accommodate any additional compliance requirements specific to VolunteerNow's contracts with municipal governments, corporate partners, or funding organizations.

Security by Design

Security is not a phase or a checklist—it is an architectural principle embedded in every layer of the VOLY Next Gen platform, from data models to API endpoints to infrastructure configuration.

FCRA Compliance

Background check data receives special handling protocols including access restrictions, secure transmission with provider APIs, and compliant storage and retention in full alignment with FCRA regulations.

SOC 2 Alignment

The platform will be designed in alignment with SOC 2 Type II controls, with comprehensive audit logging and compliance documentation to support VolunteerNow through any audit process.

SOC 2 Type II & HIPAA-Aligned Architecture

VOLY Next Gen will be architected to support SOC 2 Type II compliance and will align with HIPAA security controls for maximum flexibility with VolunteerNow's partner organizations:

SOC 2 Type II and HIPAA-aligned security architecture

| Control Area | Commitment | Implementation |
|---|---|---|
| Data Residency | US-only storage (no cross-border transfers) | AWS us-east-1 or Azure US regions; DPA with cloud provider; encryption key management in US |
| Encryption at Rest | AES-256 with key rotation | AWS KMS or Azure Key Vault; automatic key rotation every 90 days |
| Encryption in Transit | TLS 1.2+ for all data flows | HTTPS/TLS for APIs, SQS with encryption, encrypted database connections |
| Access Controls | Role-based access with audit trail | MFA, least-privilege IAM, 6-month credential rotation, all access logged with user/timestamp |
| Network Isolation | VPC with security groups and WAF | Application servers isolated from public internet; WAF protecting API endpoints |
| Incident Response | Documented 24-hour breach notification | IR playbook, automated alerting, forensic capability, customer notification process |
| Business Continuity | 4-hour RTO, 1-hour RPO | Multi-AZ deployment, automated failover, cross-region backups, tested quarterly |

Disaster Recovery & Business Continuity

We commit to aggressive Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets to ensure VolunteerNow can continue operations even during infrastructure failures:

Recovery Commitments

RTO (Recovery Time Objective): 4 hours — Maximum time to restore full service from infrastructure failure. Achieved through multi-AZ deployment with automatic failover.

RPO (Recovery Point Objective): 1 hour — Maximum data loss acceptable. Achieved through continuous replication to standby regions and cross-region backups.

Backup Strategy: Daily snapshots with 90-day retention; continuous transaction logs; restore procedures tested quarterly.

Rollback Procedures: Database schema versioning; feature flag rollback for application issues; zero-downtime blue/green deployments for updates.
