Security

How ConvynHQ protects your organization's data and your volunteers' data.

Last updated: 2026-06-01

Effective date: June 1, 2026

ConvynHQ runs on infrastructure we've picked specifically for its security track record and operational maturity. We don't roll our own database, payment processing, or email delivery — we use providers whose security teams are larger than our entire company. This page summarizes what that means in practice.

Data protection

All customer and volunteer data is stored in PostgreSQL databases managed by Supabase. Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Database backups run continuously with point-in-time recovery available.

Row-level security policies enforce that one organization can't see another organization's data, even when something goes wrong at the application layer. Defense in depth: we re-check authorization at the API layer, in the page layer, and in the database itself.

Payment processing

Payment card data never touches ConvynHQ's servers. Customer organizations connect their own Stripe accounts via Stripe Connect, and end-users enter payment details directly into Stripe's embedded Checkout. Stripe is PCI Service Provider Level 1 certified — the highest level of payment card security compliance. ConvynHQ does not store, process, or transmit card numbers.

Access control

Customer organization staff log in with email and password, with optional multi-factor authentication. Role-based access control inside each organization (Owner / Admin / Coordinator) limits what staff can do.

Internally, only platform admins have cross-organization access, and platform-admin grants are deliberately gated: there is no "invite" button — adding a platform admin requires explicit database action by an existing platform admin. Platform-admin sign-in activity is visible in our audit logs.

Email and communications

Outbound email is delivered through Resend, an authenticated sender with SPF / DKIM / DMARC properly configured for our domain. We do not include attachments in transactional emails. Email content includes only the information needed for the recipient's action (event reminder, manager link, etc.) and never includes payment card details.

Operational practices

Production code changes flow through code review and version control. We use environment-specific secrets management: production credentials never touch developer machines. Database changes go through migration files with reviewable history. We monitor application errors and infrastructure health, and act on alerts.

Subprocessors

A subprocessor is any third party that processes customer data on our behalf. We publish the complete list and what each one is used for on our subprocessors page. If you have a Data Processing Agreement with us, we'll notify you before adding new subprocessors.

Incident response

We treat security incidents with priority. If we determine customer data has been or is likely to have been accessed by an unauthorized party, we will notify affected customer organizations within 72 hours, with the information available at the time and follow-up communications as facts develop. Customers can reach our security team at security@convynhq.com.

Responsible disclosure

Security researchers who find vulnerabilities can report them to security@convynhq.com. We don't currently operate a paid bug bounty program but we acknowledge contributions and respond to all reports. Please don't disclose publicly until we've had time to fix the issue.

Compliance roadmap

We don't yet hold a SOC 2 Type II report; that's on our roadmap as customer demand warrants. We're happy to fill out vendor security questionnaires and to sign DPAs with sophisticated buyers. Contact security@convynhq.com to get the conversation started.

How to contact us

Security concerns, vulnerability reports, and enterprise security questionnaires: security@convynhq.com.

ConvynHQ LLC
3120 Southwest Fwy Ste 101
Houston, Texas 77098