BizTechMgt
Trust

Built to enterprise standards from day one

Your data is yours. Your privacy is protected. Your platform is audited.

Foundations, boards, and auditors recognize the platform you're on. SOC 2 Type II in progress, GDPR & CCPA compliant, WCAG 2.1 AA enforced, HIPAA-ready architecture, PCI DSS certified for donations. Every layer documented, every claim verifiable.

99.9% Uptime SLA
AES-256 Encryption at rest
5 min Backup interval
15 min Incident response
Certifications & posture

What auditors and foundations expect to see.

Six certifications, every one documented. Click through for evidence packs, audit letters, and compliance reports.

SOC 2 Type II (In Progress)
Target: Month 18 of platform build

Continuous evidence collection started day one. Trust services criteria covered: Security, Availability, Confidentiality, Processing Integrity, Privacy. Audit firm engaged.

Request evidence pack →
GDPR Compliant (Live)
EU General Data Protection Regulation

Lawful basis documented per processing activity. Data subject rights: access, rectification, erasure, portability, restriction, objection. EU representative appointed.

View our DPA →
CCPA Ready (Live)
California Consumer Privacy Act

"Do Not Sell or Share My Personal Information" link enforced platform-wide. Consumer rights honored within 45 days. Verifiable consumer requests handled via privacy portal.

Read privacy policy →
WCAG 2.1 AA (Enforced)
Web Content Accessibility Guidelines

Enforced at the editor level — color contrast, alt text, keyboard navigation, screen reader compatibility, focus indicators. axe-core CI checks on every deploy.

Request accessibility report →
HIPAA-Ready (Live)
Health Insurance Portability & Accountability Act

Architecture supports BAA execution for healthcare-adjacent organizations. Field-level PHI encryption, audit logging, access controls, automatic session timeout available.

Request BAA →
PCI DSS (Live)
Payment Card Industry Data Security Standard

SAQ-A scope via Stripe Elements. We never see, store, or transmit raw card data. Tokenization is handled by Stripe. Quarterly ASV scans by a third party.

View attestation →
Data ownership

Your data is yours.
Not ours, not anybody's.

Five non-negotiable commitments, written into our DPA, enforceable in Michigan court.

Never sold

We don't sell your donor list, your member directory, your customer data — to anyone, ever.

Never shared

Not with marketing partners, not with affiliates, not with our other customers. Walled.

Never trained on

We don't train AI models on your data. Your private content stays private — period.

Always exportable

One-click export to CSV, JSON, or SQL dump. Your entire dataset, on demand, no questions asked.

Deleted on request

Within 30 days of cancellation. Permanently. Hot storage immediately, cold storage purged at day 30.

The Pledge

"Twenty-five years in business taught us one thing about data: the moment a vendor sells your customers' information, the relationship is over."

"We don't sell data. We don't share data. We don't train AI on data. We host it in the United States, encrypt it with AES-256, and give you a one-click export anytime you want."

"That's the deal. Always was. Always will be."

— EJ Joier, Partner · Madison Heights, MI
Security architecture

Eight layers of defense.

From perimeter to database, each layer documented, hardened, and continuously monitored.

Layer | Domain | What we do | Stack
L1 | Edge & DDoS | Cloudflare WAF, rate limiting, bot management, geo-blocking, DDoS mitigation up to 100 Gbps. | Cloudflare
L2 | Network | Private VPC isolation, east-west firewall rules, no public ingress to internal services. | Hostinger / AWS
L3 | Application | Input sanitization, parameterized queries, CSP headers, CSRF protection, secure session management. | Next.js 15 + TS
L4 | Authentication | Passwordless options, TOTP MFA, SAML SSO (Enterprise), session rotation, brute-force lockout. | Auth.js
L5 | Authorization | Role-based access control, tenant isolation enforced at the database layer, audit logging on every write. | RBAC + RLS
L6 | Data at rest | AES-256 encryption on all databases. Field-level encryption on PII (donor data, member records, PHI). | PostgreSQL + pgcrypto
L7 | Data in transit | TLS 1.3 enforced everywhere. HSTS preload. Certificate transparency monitoring. | Let's Encrypt
L8 | Backup & recovery | Encrypted backups every 5 minutes, point-in-time restore up to 30 days, geo-redundant storage. | PostgreSQL WAL
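Layers L5 and L6 name two PostgreSQL mechanisms, row-level security (RLS) for tenant isolation and pgcrypto for field-level encryption of PII. The script below is an added illustration of how those two mechanisms fit together in a multi-tenant table; it is not BizTechMgt's schema or code. The table, column, role and setting names (donors, tenant_id, app_user, app.tenant_id), the sample tenant ids and the demo key are all assumptions made for the example.

```sql
-- Added illustration (not BizTechMgt's schema): tenant isolation with
-- PostgreSQL row-level security plus pgcrypto field-level encryption.
-- All object names and sample values below are assumptions for the demo.
-- Run with psql; the key is a psql variable only so it never sits in the table.
\set tenant_key 'demo-key-not-for-production'

CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE donors (
    id           bigserial PRIMARY KEY,
    tenant_id    uuid NOT NULL,
    display_name text NOT NULL,
    email_enc    bytea NOT NULL       -- PII is stored only in encrypted form
);

-- The application connects as a low-privilege role that is subject to RLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON donors TO app_user;
GRANT USAGE, SELECT ON SEQUENCE donors_id_seq TO app_user;

-- ENABLE turns RLS on; FORCE applies it to the table owner as well, so no
-- code path gets an unfiltered view of the table by accident.
ALTER TABLE donors ENABLE ROW LEVEL SECURITY;
ALTER TABLE donors FORCE ROW LEVEL SECURITY;

-- The current tenant is a per-transaction setting the app sets with SET LOCAL.
-- current_setting(..., true) yields NULL when unset, so a request that forgot
-- to set it matches no rows (or errors on an empty string); it never falls
-- through to another tenant's data. WITH CHECK blocks writes into other tenants.
CREATE POLICY tenant_isolation ON donors
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- One request for tenant 1111...: insert a donor with the email encrypted
-- at the field level. The key is supplied by the application per tenant
-- (e.g. from a KMS), never stored alongside the data.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO donors (tenant_id, display_name, email_enc)
VALUES (current_setting('app.tenant_id')::uuid,
        'Sample Donor',                                   -- constructed sample
        pgp_sym_encrypt('donor@example.org', :'tenant_key'));

-- Reading back: RLS limits the scan to this tenant; the email is only
-- readable with the key.
SELECT display_name,
       pgp_sym_decrypt(email_enc, :'tenant_key') AS email
FROM donors;
COMMIT;

-- Check: a request for a different tenant cannot see the row above.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) AS visible_rows FROM donors;   -- expected: 0
COMMIT;

-- Check: a write that lies about its tenant is rejected by WITH CHECK.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO donors (tenant_id, display_name, email_enc)
VALUES ('11111111-1111-1111-1111-111111111111',
        'Cross-tenant attempt',
        pgp_sym_encrypt('x@example.org', :'tenant_key'));  -- fails policy check
ROLLBACK;
```

Two design points are worth keeping when adapting this: the application role must never be the table owner or a superuser (both bypass RLS unless FORCE is set and, for superusers, always), and the tenant setting must be established inside the transaction with SET LOCAL so that connection pooling cannot leak one tenant's context into the next request.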
Sub-processors

Every vendor that touches your data.

Total transparency. We update this list within 30 days of any change.

Provider | Purpose | Data Region | Certifications
Hostinger VPS | Application hosting & infrastructure | US-East | SOC 2 / ISO 27001
Cloudflare | Edge, WAF, DDoS protection, CDN | Global | SOC 2 / ISO 27001
Stripe | Payment processing, donations, subscriptions | US | PCI DSS Level 1
Resend | Transactional email delivery | US | SOC 2
Sentry | Error monitoring (no PII captured) | US | SOC 2 / ISO 27001
PostHog (self-hosted) | Product analytics — first-party only | US | Self-hosted
Incident response

If something goes wrong, we tell you.

SLAs measured in minutes, not days. Plans rehearsed quarterly.

Detection & response

We detect issues before you do.

Real-time monitoring on every service. PagerDuty alerts on-call engineers within 60 seconds of an anomaly. Status page updates within 15 minutes of a confirmed incident.

  • Critical (P0) acknowledgment: ≤ 15 min
  • High (P1) acknowledgment: ≤ 30 min
  • Status page update: ≤ 15 min
  • Customer notification (P0): ≤ 60 min

Breach notification

If your data is breached, you'll know within 72 hours.

GDPR mandates 72-hour breach notification. We honor that for every customer, regardless of jurisdiction. You get a detailed incident report with: scope, timeline, affected data, remediation, prevention.

  • Initial notification: ≤ 72 hrs
  • Detailed incident report: ≤ 7 days
  • Post-mortem (public): ≤ 14 days
  • Remediation evidence: ≤ 30 days

Trust questions worth answering

The honest trust FAQ.

Where is my data physically stored?
All customer data is stored in US-East datacenters operated by our hosting partner Hostinger, with geo-redundant backup to a secondary US region. We do not store customer data outside the United States. EU customers can request EU-region hosting under our Enterprise tier.

What happens to my data if BizTechMgt goes out of business?
Three protections: (1) One-click export available 24/7 — you can download your full dataset anytime, no notice required. (2) Source escrow on Enterprise — Enterprise customers can opt into a third-party source escrow arrangement. (3) Data deletion guarantee in writing — our DPA commits to 30-day data return + deletion in the event of business cessation.

Do you have a Business Associate Agreement (BAA) for HIPAA?
Yes — available for healthcare-adjacent organizations on Premium and Enterprise tiers. Our architecture is HIPAA-ready (audit logging, encryption, access controls), and we execute BAAs after a brief intake call to confirm your covered entity status.

Can I get a SOC 2 evidence pack before you're certified?
Yes. Even though our SOC 2 Type II audit is in progress (target: month 18 of platform build), we've been collecting evidence continuously since day one. We share an interim trust pack on request — controls inventory, policies, vendor list, incident history, security architecture diagrams.

Do you train AI on my content or my donors' data?
No. Never have, never will. Your content is your content. Your donor records are your donor records. We don't use customer data for any model training — ours or anyone else's. This is in writing in our DPA, and it's legally enforceable.

What's your uptime track record?
99.92% over the last 12 months (target: 99.9%, Enterprise SLA: 99.95%). Our public status page shows real-time uptime, incident history, and post-mortems. You can subscribe to incident notifications via email, RSS, or webhook.

Trust isn't claimed.
It's documented.

Need our trust pack for a board review? A foundation due diligence? An auditor's evidence request? Tell us what you need — we'll send it.