Security
Your donors' data is safe with us
Alma is built with security and compliance at its foundation. From encryption to GDPR tools, we protect your charity's data at every level.
- UK GDPR: General Data Protection Regulation
- DPA 2018: Data Protection Act 2018
- HMRC: Charities Online compliant exports
- PECR: Privacy and Electronic Communications
Encryption
Your data is encrypted at every stage.
- All data encrypted in transit with TLS 1.2+
- Database encrypted at rest with AES-256
- Passwords hashed with bcrypt (salted)
- Secure session tokens with HTTP-only cookies
Authentication & access control
Multiple layers of protection for your account.
- Optional two-factor authentication (TOTP) with Google or Microsoft Authenticator
- Role-based access control — Admin and Viewer roles
- PIN-based quick access for kiosk operators
- Configurable session timeout with auto-logout
- Team management with secure email invitations
GDPR compliance
Built-in tools to meet your data protection obligations.
- Right to Erasure — anonymise donor data while preserving financial records
- Subject Access Requests — export a donor's complete data as structured JSON
- Configurable data retention periods (minimum 6 years per HMRC requirements)
- Auto-purge option for donors past the retention period
- Full audit trail of all GDPR actions taken
- Compliant with UK GDPR and Data Protection Act 2018
Infrastructure & hosting
Enterprise-grade cloud infrastructure you can rely on.
- Hosted on Vercel (application) and Supabase (database) — both SOC 2 compliant
- Database hosted on AWS infrastructure in EU regions
- Daily automated backups with 7-day retention
- Point-in-time recovery available
- 99.9% uptime SLA on Pro plan
Audit & monitoring
Full visibility into every action taken on the platform.
- Comprehensive activity log recording every user action
- Tracks who did what, when, and from where
- Admin-only access to audit logs
- GDPR action logging for compliance evidence
- Export audit logs for your records
Offline security
Data stays safe even without an internet connection.
- Offline declarations stored securely in browser IndexedDB
- Automatic sync when connectivity returns
- Card payments disabled offline — no sensitive card data stored locally
- Kiosk lockdown mode prevents access to other browser features
Our data handling promise
We never sell data
Your donor data belongs to your charity. We will never sell, share, or monetise it.
UK & EU hosted
Your data is stored on infrastructure within the UK and EU, compliant with data residency requirements.
You stay in control
Export, anonymise, or delete your data at any time. Your charity is always the data controller.
Security question or concern?
If you have a security question, need our DPA signed, or want to report a vulnerability, get in touch.
security@trustalma.com
Ready to maximise your Gift Aid?
Join UK charities already using Alma to capture more Gift Aid declarations and reclaim 25% on every eligible donation.