Security

Information Security Policy

Last updated: July 2026 Owner: Woodley Labs LLC ("Civiq," "we," "us") Contact: shabbawoodley@gmail.com

Civiq — operated by Woodley Labs LLC — provides a relationship and operations platform for civic organizations and nonprofits. Because we handle organizational data — including contacts, communications, and (where an organization chooses to connect it) financial transaction data — we maintain and operate the security practices described in this policy to identify, mitigate, and monitor information security risks relevant to our business.

1 Scope

This policy covers all data Civiq stores or processes on behalf of its customer organizations, the systems that store and process that data, and the people who operate them. It applies to all Woodley Labs personnel and to any third-party services Civiq relies on.

2 Data we handle and how we classify it

Financial and account data are classified as sensitive and receive the strongest controls.

3 Access control and tenant isolation

4 Encryption

5 Financial data (Plaid) — specific controls

6 Auditability and monitoring

7 Data retention and deletion

8 Incident response

9 Third-party providers

We rely on reputable providers that maintain their own security programs, including our cloud database/hosting provider (Supabase), and Plaid for financial data connectivity. We limit the data shared with each provider to what is necessary to deliver the service.

10 Personnel and change management

11 Review

This policy is reviewed periodically and updated as our platform and risk profile evolve.

Questions about this policy?

Reach us at shabbawoodley@gmail.com.