
Enterprise-Grade Security for Sensitive Humanitarian Data
KafalaBridge is built with institution-grade security from the ground up — protecting children, sponsors, and organizations at every layer.
Data Isolation
Database-level separation — not just application-level
Each institution's data is completely separated using Supabase Row Level Security (RLS). No organization can ever read, write, or access another institution's records — enforced at the database layer.
RLS policies are evaluated for every single query — even if application code has a bug, the database enforces the boundary.
Role-Based Access Control
Five distinct permission levels — no over-provisioning
Five permission tiers: super_admin, org_admin, staff, sponsor, and guardian. Every user sees exactly the data their role requires — nothing more.
Role assignments are audited. Promotions and demotions require org_admin approval and are logged with a timestamp.
Encrypted Data & Storage
AES-256 at rest. TLS 1.3 in transit. Always.
All data is encrypted at rest using AES-256-GCM and in transit using TLS 1.3. Documents and files are stored in private, access-controlled storage buckets — never publicly accessible.
Encryption keys are managed independently from data — a compromised database cannot be decrypted without the key.
Payment Security
Stripe PCI DSS Level 1 — zero card data stored
Payments are processed exclusively through Stripe — PCI DSS Level 1 compliant. KafalaBridge never receives, stores, or logs cardholder data of any kind.
Failed payments trigger automatic retry logic with sponsor notifications — no manual intervention required.
Card data never touches KafalaBridge servers
Child Data Protection
Safeguarding built into the architecture — not bolted on
Sensitive child information is protected by strict field-level access policies. Photos and documents are accessible only to authorized org members and the explicitly assigned sponsor.
Designed for compliance with international child safeguarding standards. Suitable for UNICEF, Save the Children, and similar framework requirements.
Audit Logs
Every action. Every actor. Every timestamp.
Every meaningful action in the platform — profile updates, document downloads, login events, role changes, payment completions — is logged with actor identity, timestamp, IP address, and device fingerprint.
Audit logs are append-only and cannot be deleted by any role — including super_admin.
Backup & Recovery
99.9% uptime SLA with daily automated backups
Automated daily, weekly, and monthly backups with point-in-time recovery up to 30 days. Disaster recovery protocols tested quarterly.
Recovery time objective (RTO) under 4 hours. Recovery point objective (RPO) under 24 hours for all plans.
GDPR & Compliance
Privacy-by-default. Data residency options available.
Designed with GDPR principles at the core. Right to access, right to deletion, data minimization, and privacy by default are supported natively.
KafalaBridge maintains a Record of Processing Activities (ROPA). Suitable for EU and international organizations.
Exactly the right access. Nothing more.
Every role in KafalaBridge has a precisely defined permission scope — enforced at both the API and database levels simultaneously.
| Permission | super_admin | org_admin | staff | sponsor | guardian |
|---|---|---|---|---|---|
| Profiles | |||||
| View orphan profiles | |||||
| Create / edit profiles | |||||
| View child full name & photo | |||||
| View assigned child (sponsor) | |||||
| Sponsorships | |||||
| Assign sponsors | |||||
| View own sponsorship | |||||
| Manage subscriptions | |||||
| Communications | |||||
| Send messages | |||||
| Moderate messages | |||||
| View all conversations | |||||
| Reports & Admin | |||||
| Export PDF/Excel reports | |||||
| Manage team members | |||||
| Access audit logs | |||||
| Billing & subscription | |||||
Built to meet the standards your institution requires
KafalaBridge's infrastructure is aligned with international data protection, payment security, and operational standards.
EU General Data Protection Regulation: Compliant
Level 1 via Stripe: Certified
Transport layer encryption: Enforced
Data at rest encryption: Active
Security & availability (roadmap): In Progress
Row Level Security enforced: Active
SOC 2 Type II certification is on our 2025 roadmap. Detailed security documentation available upon request for enterprise procurement teams.
Have security or compliance questions? Talk to our team.
Our team can provide detailed security documentation, architecture diagrams, and compliance evidence packages for enterprise procurement processes.
Full architecture diagrams, threat models, and data flow documentation for your IT and legal teams.
GDPR Data Processing Agreement (DPA), PCI compliance documentation, and audit log samples.
30-minute call with our CTO or security lead — walk through our architecture and ask any question.
We respond to security questionnaires, RFPs, and vendor assessment forms for enterprise clients.