← CivicHub360.ai

Security & Trust

Written for the IT director who has to say yes. Plain language, no security theater. If your agency needs something you do not see here, ask — bespoke configurations (dedicated deployments, custom controls, additional attestations) are available as paid engagements.

Our posture, honestly

CivicHub360 serves counties, cities, nonprofits, and the businesses that stand with them. We treat your community's data as something lent to us, not given: least-privilege access enforced in the database, accountability logging modeled after the same standards we ask of our users, and a paper trail your auditors can read.

Row-level security on every tableLive

Every record is access-checked in the database itself, per organization, per user.

Encryption in transit & at restLive

TLS 1.2+ everywhere; AES-256 at rest.

Multi-factor authenticationLive

TOTP MFA per user; organizations can require it for all members from the IT Security portal.

Per-tenant IP allow-listingLive

Your IT department restricts sign-in and requests to approved networks — enforced at our edge as defense-in-depth.

Confidential projectsLive

Invite-only projects hidden from every list for non-members. MFA required. Every access logged in an append-only audit trail. Platform staff have no silent access — emergency access requires a written, logged justification.

US data residencyLive

All data hosted in the United States (AWS us-east-1).

Data ownership & exportLive

Your data is yours: export anytime, no lock-in.

SOC 2 Type IIIn progress

Controls mapped to NIST CSF 2.0 today; formal audit underway. Subprocessor SOC 2 reports (Supabase, Vercel) available on request.

SSO (SAML)On request

Per-organization single sign-on for enterprise and government tenants.

GovRAMPRoadmap

On the GovRAMP path; engagement begins with our first state-level requirement.

What we ask of your IT team

Grant the IT Admin role to your security staff (their own portal manages IP allow-lists and MFA policy), verify your organization's domain during onboarding, and tell us your requirements — data-sharing agreements, additional-insured endorsements, and security questionnaires are part of normal business for us.

Scope notes

CivicHub360 is not designed for Criminal Justice Information (CJIS) and we scope it out of our Terms. Incident response follows our NIST 800-61-aligned plan with breach notification per California Civil Code §1798.29/.82. Questions, questionnaires, or document requests: security@civichub360.ai.