Security Overview
This page summarizes the technical and organizational measures CollectorBench LLC uses to protect customer data. We keep this page short and honest. If your compliance officer needs more detail, email security@collectorbench.com.
1. Data we hold
The Service is intentionally narrow in scope. We collect only:
- Donor name
- Employer name
- Reason for test
- Donor signature
- Timestamp of check-in
We do not collect or store Social Security numbers, dates of birth, medical results, lab data, or protected health information (PHI). This dramatically reduces the impact of any potential incident.
2. Encryption
- In transit: TLS 1.2 or higher on all connections. HSTS enabled. HTTP redirects to HTTPS.
- At rest: All databases (Cloudflare D1, Supabase PostgreSQL) encrypt data at rest using AES-256.
- Backups: Encrypted and stored in the same region as primary data.
3. Access control
- Customer staff log in with a 4-digit PIN tied to a named staff account.
- All staff actions (search, print, export, delete) are recorded in an audit log with timestamp, user, and IP.
- Administrative access to production systems is restricted to the developer-owner and protected by 2FA on all upstream providers (Cloudflare, Supabase, Stripe, GitHub).
- No production credentials are stored in code; secrets are managed via Cloudflare Workers Secrets.
4. Infrastructure
- Hosting: Cloudflare Workers (global edge, US-resident data plane)
- Database: Cloudflare D1 and Supabase PostgreSQL, US region
- Payments: Stripe (PCI-DSS Level 1)
- Email: Resend (transactional, US)
- Source control: GitHub private repositories
5. Audit logging
Every staff action is logged: who did it, when, from what IP, and what changed. Logs are retained for 12 months and available to customers on request for their own data.
6. Backups and recovery
Databases are backed up daily. We can restore to any point within the last 7 days. Recovery time objective: under 4 hours for a full restore.
7. Vulnerability management
- Dependencies are scanned for known vulnerabilities on every deploy.
- The codebase is private and version-controlled in GitHub.
- Code is reviewed before deploy. No direct production database writes outside of the application.
8. Incident response
If we discover a security incident affecting customer data, we will notify affected customers by email within 72 hours of confirmation. The notice will include what happened, what data was affected, what we are doing about it, and what you should do.
9. What we do not do (yet)
We are upfront about our maturity:
- We are not SOC 2 audited. We plan to begin SOC 2 Type I in our second year.
- We are not HIPAA-regulated because we do not store PHI. We do not sign Business Associate Agreements.
- We do not yet undergo annual third-party penetration testing.
If your organization requires SOC 2 or HIPAA compliance before purchase, please contact us — we will be transparent about timing.
10. Contact
CollectorBench LLC · security@collectorbench.com