🔐

Multi-factor authentication

TOTP-based MFA with recovery codes. Protect admin accounts with a second factor that works with any authenticator app.

🔑

Social single sign-on

Sign in with Google, Facebook, LinkedIn, or Apple. Reduce password fatigue while maintaining security standards.

✉️

Passwordless donor sign-in

Donors sign in with a one-time code sent to their email or phone — no passwords to reuse, leak, or reset. Short-lived codes, rate-limited verification, and no credential database to breach.
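
As an added illustration of the one-time-code flow described above (example code written for this page, not Alora's implementation), the following Python sketch issues a six-digit code, stores only an HMAC of it, and enforces a lifetime, a single use and an attempt cap. The server secret, the 300-second TTL and the five-attempt limit are assumed values chosen for the example:

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for this example (not taken from the page).
CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded
CODE_DIGITS = 6


class OneTimeCodeStore:
    """Issues and verifies single-use sign-in codes without keeping them in plaintext.

    Only an HMAC of (identifier, code) is stored, so a leaked store does not
    yield usable codes. `clock` is injectable so expiry can be tested offline.
    """

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock
        self._pending = {}  # identifier -> {"digest", "expires", "attempts"}

    def _digest(self, identifier: str, code: str) -> str:
        msg = f"{identifier}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, identifier: str) -> str:
        """Create a fresh code for the email or phone `identifier`; return it for delivery."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[identifier] = {
            "digest": self._digest(identifier, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # delivered out of band; never logged or persisted in clear

    def verify(self, identifier: str, code: str) -> bool:
        """Return True exactly once: correct code, not expired, within the attempt budget."""
        rec = self._pending.get(identifier)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[identifier]          # expired: a new code must be issued
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[identifier]          # too many guesses: discard the code
            return False
        ok = hmac.compare_digest(rec["digest"], self._digest(identifier, code))
        if ok:
            del self._pending[identifier]          # single use
        return ok
```

The constant-time comparison and the HMAC-only storage are the two details that matter most: the store holds nothing an attacker could replay, and a timing side channel cannot leak the code digit by digit.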

👥

Role-based access control

Four system roles (platform admin, org admin, staff, donor) plus custom roles. Database-driven permissions with a 60-second cache. Multiple roles per user.

🛡️

Field-level encryption

Payment provider credentials and sensitive configuration are encrypted at rest using Fernet symmetric encryption. Keys are never stored alongside data.

📋

Tamper-evident audit log

Every donation, every profile change, every role assignment, every login — logged with timestamp, user, and before/after values. Entries are hash-chained, so any tampering breaks the chain, and chain integrity is automatically verified every 6 hours. Exportable for compliance and your auditor.
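
To make the hash-chaining concrete, here is an added Python example (written for this page, not Alora's own audit code) in which each entry commits to the previous entry's hash, and a verifier walks the chain and reports the first entry at which the chain breaks. Field names, the SHA-256 choice and the genesis value are assumptions for the example:

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed starting value for the first entry's prev_hash.
GENESIS_HASH = "0" * 64


def _canonical(obj) -> bytes:
    """Deterministic serialization so the same entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    """Hash every field of the entry except its own hash."""
    payload = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(_canonical(payload)).hexdigest()


def append_entry(chain: list, user: str, action: str, before, after, timestamp=None) -> dict:
    """Append one audit entry whose hash covers the previous entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {
        "seq": len(chain),
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "before": before,
        "after": after,
        "prev_hash": prev_hash,
    }
    entry["hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (True, None) if the chain is intact, else (False, seq of the first bad entry).

    Detects edited fields (hash mismatch), removed or reordered entries (seq gap)
    and recomputed hashes (the next entry's prev_hash no longer matches).
    """
    expected_prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev_hash") != expected_prev:
            return False, i
        if entry_hash(entry) != entry.get("hash"):
            return False, i
        expected_prev = entry["hash"]
    return True, None


if __name__ == "__main__":
    log = []
    append_entry(log, "alice", "role.assign", None, {"role": "staff"})
    append_entry(log, "bob", "donation.create", None, {"amount_cents": 5000})
    print(verify_chain(log))
    log[1]["after"]["amount_cents"] = 500000      # silent edit
    print(verify_chain(log))
```

A scheduled job that calls `verify_chain` over the stored entries is the periodic integrity check the page describes; anchoring the latest hash somewhere outside the database (an export handed to the auditor, for example) is what stops someone with write access from simply rebuilding the whole chain.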

🏢

Tenant isolation

Every database query is scoped by organization ID. There is no API call that can access another organization's data — by design, not by convention.

🧠

AI data governance

All AI features run within the platform's tenant isolation boundary. Organization data is never shared across tenants, used for training external models, or accessible to other organizations. The AI intelligence layer operates on your data alone — with the same encryption, audit trail, and access controls as every other feature.

🚪

Brand isolation

For enterprise multi-brand setups, each brand is architecturally isolated — separate registration, separate JWT scope, separate email identity. A donor on one brand cannot be discovered, contacted, or imported from another.

🗑️

Soft-delete PII protection

When a donor is deleted, their personally identifying fields are stripped from every read path — donations they made stay in your ledger for compliance, but their name, email, and phone disappear from API responses. Right-to-erasure is honored at the data-model layer, not just the UI.
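
The tenant-isolation and soft-delete items above describe one data-access pattern: every query carries the organization ID, and the read path decides what a deleted donor looks like. The following Python example, written for this page against an in-memory SQLite database (not Alora's schema or code; table names, columns and the sample rows are constructed), shows a repository that fixes `org_id` at construction so no caller can pass another tenant's ID, and that blanks PII for soft-deleted donors while keeping their donations in the ledger:

```python
import sqlite3

# Constructed schema for this example only.
SCHEMA = """
CREATE TABLE donors (
    id         INTEGER PRIMARY KEY,
    org_id     INTEGER NOT NULL,
    name       TEXT,
    email      TEXT,
    phone      TEXT,
    deleted_at TEXT                -- NULL while the donor is active
);
CREATE TABLE donations (
    id           INTEGER PRIMARY KEY,
    org_id       INTEGER NOT NULL,
    donor_id     INTEGER NOT NULL,
    amount_cents INTEGER NOT NULL,
    created_at   TEXT NOT NULL
);
"""

PII_FIELDS = ("name", "email", "phone")


class TenantRepo:
    """All reads and writes are bound to the org_id fixed at construction.

    Callers never supply an org_id, so there is no query shape that can reach
    another organization's rows.
    """

    def __init__(self, conn: sqlite3.Connection, org_id: int):
        self._conn = conn
        self._org_id = org_id

    @staticmethod
    def _to_api(row: sqlite3.Row) -> dict:
        """Read-path PII stripping: a soft-deleted donor's identity fields come back as None."""
        rec = {k: row[k] for k in row.keys()}
        rec["deleted"] = rec["deleted_at"] is not None
        if rec["deleted"]:
            for field in PII_FIELDS:
                rec[field] = None
        return rec

    def get_donor(self, donor_id: int):
        row = self._conn.execute(
            "SELECT * FROM donors WHERE id = ? AND org_id = ?",
            (donor_id, self._org_id),
        ).fetchone()
        return None if row is None else self._to_api(row)

    def erase_donor(self, donor_id: int, when: str) -> bool:
        """Right-to-erasure: mark the donor deleted; the row and its donations stay."""
        cur = self._conn.execute(
            "UPDATE donors SET deleted_at = ? "
            "WHERE id = ? AND org_id = ? AND deleted_at IS NULL",
            (when, donor_id, self._org_id),
        )
        self._conn.commit()
        return cur.rowcount == 1

    def list_donations(self) -> list:
        """Ledger view: every amount is kept; names appear only for active donors."""
        rows = self._conn.execute(
            "SELECT d.id, d.donor_id, d.amount_cents, d.created_at, "
            "       n.name AS donor_name, n.deleted_at "
            "FROM donations d "
            "JOIN donors n ON n.id = d.donor_id AND n.org_id = d.org_id "
            "WHERE d.org_id = ? ORDER BY d.id",
            (self._org_id,),
        ).fetchall()
        return [
            {
                "id": r["id"],
                "donor_id": r["donor_id"],
                "amount_cents": r["amount_cents"],
                "created_at": r["created_at"],
                "donor_name": None if r["deleted_at"] is not None else r["donor_name"],
            }
            for r in rows
        ]


def seed_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two organizations, three donors, three donations."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO donors (id, org_id, name, email, phone) VALUES (?, ?, ?, ?, ?)",
        [(1, 1, "Ada Example", "ada@example.org", "+10000000001"),
         (2, 1, "Bob Example", "bob@example.org", "+10000000002"),
         (3, 2, "Cleo Example", "cleo@example.org", "+10000000003")],
    )
    conn.executemany(
        "INSERT INTO donations (id, org_id, donor_id, amount_cents, created_at) VALUES (?, ?, ?, ?, ?)",
        [(1, 1, 1, 5000, "2024-03-01T10:00:00Z"),
         (2, 1, 2, 2500, "2024-03-02T10:00:00Z"),
         (3, 2, 3, 9900, "2024-03-03T10:00:00Z")],
    )
    conn.commit()
    return conn
```

Note that even the join in `list_donations` is scoped on `org_id`, and that the PII decision lives in `_to_api`, the single place every donor read passes through, so a new endpoint cannot forget to apply it.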

📋

GDPR-ready data handling

Export-on-request, deletion-on-request, consent tracking, lawful-basis records. Built for European regulators by default, not as an afterthought toggle.

💳

PCI scope minimization

No card data ever touches Alora's servers. Checkout runs in a locked, hardened payment iframe — card numbers go directly from your donor's browser to the payment processor, and the browser architecturally cannot fake a donation. Your platform inherits the processor's PCI compliance — not the other way around.
