Security

Your donors' data is safe with us

Alma is built with security and compliance at its foundation. From encryption to GDPR tools, we protect your charity's data at every level.

UK GDPR

General Data Protection Regulation

DPA 2018

Data Protection Act 2018

HMRC

Charities Online compliant exports

PECR

Privacy and Electronic Communications

Encryption

Your data is encrypted at every stage.

  • All data encrypted in transit with TLS 1.2+
  • Database encrypted at rest with AES-256
  • Passwords hashed with bcrypt (salted)
  • Secure session tokens with HTTP-only cookies

Authentication & access control

Multiple layers of protection for your account.

  • Optional two-factor authentication (TOTP) with Google or Microsoft Authenticator
  • Role-based access control - Admin and Viewer roles
  • PIN-based quick access for kiosk operators
  • Configurable session timeout with auto-logout
  • Team management with secure email invitations

Data isolation

Your charity's data is partitioned from every other organisation.

  • Multi-tenant architecture with strict per-organisation separation
  • Row-level security enforced at the database on every query
  • Each record is scoped to your organisation - no cross-charity access
  • Your data sits behind your own organisation's logins and team accounts
  • Any support access is access-controlled and recorded in the audit log

Payment security

Card payments are handled by Stripe - never by us.

  • All card processing handled by Stripe (PCI DSS Level 1)
  • Full card numbers are never seen or stored by Alma
  • Donations charged over encrypted connections
  • Gift Aid and donation records stored without any card data
  • Refunds and subscriptions managed through Stripe's secure systems

GDPR compliance

Built-in tools to meet your data protection obligations.

  • Right to Erasure - anonymise donor data while preserving financial records
  • Subject Access Requests - export a donor's complete data as structured JSON
  • Configurable data retention periods (minimum 6 years per HMRC requirements)
  • Auto-purge option for donors past the retention period
  • Full audit trail of all GDPR actions taken
  • Compliant with UK GDPR and Data Protection Act 2018

Infrastructure & hosting

Enterprise-grade cloud infrastructure you can rely on.

  • Hosted on Vercel (application) and Supabase (database) - both SOC 2 compliant
  • Database hosted on AWS infrastructure in EU regions
  • Daily automated backups with 7-day retention
  • Point-in-time recovery available
  • 99.9% uptime SLA on Business plan and above

Audit & monitoring

Full visibility into every action taken on the platform.

  • Comprehensive activity log recording every user action
  • Tracks who did what, when, and from where
  • Admin-only access to audit logs
  • GDPR action logging for compliance evidence
  • Export audit logs for your records

AI assistant security

Your data stays protected when using Alma AI.

  • AI queries transmitted to Anthropic's API over encrypted TLS connections
  • No conversation data stored server-side by Alma after sessions end
  • Anthropic's API is SOC 2 compliant - data is not used for model training
  • AI access gated by subscription tier and admin authentication
  • Donor data only sent to AI when actively queried by an administrator

Offline security

Data stays safe even without an internet connection.

  • Offline declarations stored securely in browser IndexedDB
  • Automatic sync when connectivity returns
  • Card payments disabled offline - no sensitive card data stored locally
  • Kiosk lockdown mode prevents access to other browser features

Our data handling promise

We never sell data

Your donor data belongs to your charity. We will never sell, share, or monetise it.

UK & EU hosted

Your data is stored on infrastructure within the UK and EU, compliant with data residency requirements.

You stay in control

Export, anonymise, or delete your data at any time. Your charity is always the data controller.

Third-party compliance

Alma relies on trusted, independently audited infrastructure providers. Here are their compliance resources.

Frequently asked questions

Will you ever sell our donors' data?

No - and it isn't only a promise. Under UK GDPR your charity is the data controller and Trust Alma is only your processor, so we may use your data solely to provide the service, on your instructions. Our Data Processing Agreement contractually forbids selling, sharing, or monetising it, and doing so would expose us to ICO enforcement and a legal claim from your charity. We earn our money from subscriptions, not data - we are not an advertiser or a data broker.

Who owns the data - you or us?

You do. Your charity is always the data controller and owns its donor data outright. Trust Alma only ever processes it on your behalf, and you can export or permanently delete it at any time.

Can other charities using Trust Alma see our data?

No. Trust Alma is multi-tenant, but each organisation's records are strictly separated with row-level security enforced at the database. One charity can never see or reach another's donors, declarations, or reports.

Do you use our data to train AI models?

No. Donor data is only sent to our AI provider (Anthropic) when an administrator actively asks a question, over an encrypted connection, and it is not used to train any models. Conversations are not stored after the session ends.

What happens to our data if we leave?

You can export your full data set at any time, and we will delete it on request - subject only to records we are legally required to keep, such as the Gift Aid declarations HMRC requires for six years. We never retain or repurpose data beyond what the law requires.

Security question or concern?

If you have a security question, need our DPA signed, or want to report a vulnerability, get in touch.

hello@trustalma.com

Ready to maximise your Gift Aid?

Join UK charities already using Alma to capture more Gift Aid declarations and reclaim 25% on every eligible donation.