Trust & Security

Written for your vendor-risk team, not for marketing.

The current, honest state of ImpactMatch's data practices, security posture, and certification roadmap. Last updated July 2026.

Data practices

What we hold. Nonprofit profile data (substantially derived from public IRS Form 990 filings), corporate account and user data (names, business emails, roles), giving-agreement records (amounts, schedules, geographic scope, goal notes), and quarterly outcome reports (metrics, methodology notes, attestations, narratives).

What we don't hold. ImpactMatch does not process payment-card data, consumer personal data, or employee-donor records. Public nonprofit data remains public; a funder's agreement data is visible only to that funder, the recipient nonprofit, and ImpactMatch operations.

Data rights. Customers own their agreement and outcome data. Aggregated benchmarking uses are contractual and severable — a customer can decline benchmark participation without affecting any other platform capability.

Security posture

Data is encrypted in transit (TLS 1.2+) and at rest. Access to production data is role-restricted and logged. The platform is built and operated with our development partner on a managed, configuration-driven application platform; infrastructure runs on established cloud providers. Administrative access follows least-privilege principles with credential management in an audited password-management system.

Certification roadmap

SOC 2 Type II certification is on our roadmap and is planned to align with the platform's general-availability launch. We have not yet begun the formal audit period, and we won't claim otherwise — if your review requires a completed SOC 2 report today, we'd rather tell you that directly and discuss interim measures (security questionnaires, architecture review sessions, and contractual commitments) than imply a certification we don't yet hold.

Sub-processors

We maintain a list of sub-processors (application platform, cloud infrastructure, scheduling, and analytics providers) available to customers and prospects on request, with notice commitments for any changes written into customer agreements.

Responsible disclosure

Security researchers and reviewers can reach us at hello@impactmatch.com. We commit to acknowledgment within two business days.

For vendor-risk reviewers: we're glad to complete your security questionnaire and walk your team through the architecture directly — during pre-launch, those sessions include the founder and our development partner's technical leadership. Schedule here →