Trellis.org – Technology, Privacy, and Security Overview

Company Overview

Trellis.org is a SaaS platform designed to help nonprofit organizations, including those in healthcare, education, and social services, run fundraising events more effectively. Our platform provides tools for event management, online bidding, ticketing, and donor engagement.

Technology Stack & Hosting

Trellis is a cloud-based application hosted on Amazon Web Services (AWS), leveraging AWS’s security and compliance frameworks.

  • Data is stored securely in AWS-managed databases, benefiting from built-in encryption and redundancy.
  • Trellis uses SSL/TLS to encrypt communication between browsers and our web servers.

Data Privacy & Security

  • Trellis does not collect, process, or store any protected health information (PHI) or health insurance-related data.
  • We primarily store non-sensitive donor and event-related data, including contact details, transaction information, and auction-related details.
  • All sensitive data, such as payment information, is handled by our PCI-DSS-compliant payment processors (e.g., Stripe), ensuring that Trellis does not store credit card details.
  • We follow industry-standard security practices, including data encryption (in transit and at rest), regular security audits, and role-based access controls (RBAC).

Compliance & Security Standards

  • As we do not handle PHI, HIPAA compliance is not applicable to our platform.
  • Trellis meets security best practices outlined in SOC 2 and ISO 27001, though we are not formally certified.
  • Data is encrypted using AES encryption for data at rest and TLS 1.2+ for data in transit.
  • We conduct regular security audits and vulnerability assessments, including penetration testing.
  • Our hosting provider maintains a 24/7 security operations center (SOC) and disaster recovery protocols, ensuring high availability and business continuity.
  • The system operates within a secure network: access is strictly controlled, all communication passes through protected pathways, and safeguards are in place to prevent unauthorized access.

Authentication & Access Control

  • Role-based access control (RBAC) ensures users only have access to necessary data.
  • Multi-Factor Authentication (MFA) is implemented for administrative access via Google SSO.
  • Customer data is logically segregated to prevent unauthorized access.

Incident Response & Data Retention

  • Trellis has an Incident Response Plan (IRP).
  • Customer data is retained for use in future fundraisers; however, it can be deleted upon request.
  • Disaster recovery and backups are in place, with the ability to restore services within 24 hours in the event of a failure.
  • Automatic encryption is applied to all traffic on AWS networks.