Banking & Data Security

How Chariot protects your data and funds — and how to manage team access.

Chariot is built to handle sensitive donor data and real money. This article covers how your data and funds are protected, how to manage team access, and where to find Chariot's compliance documentation.


Banking Security

FDIC Insurance: Your Chariot Deposit Account is a demand deposit account provided by Column N.A., Member FDIC. Deposits are eligible for FDIC insurance up to $250,000 per depositor.

Account Ownership: Funds are yours immediately. Once a deposit settles in Chariot, those funds are legally your organization's assets. You do not need to wait for a transfer to your operating account to record revenue or post journal entries.

Fund Transfers: Only bank accounts that your verified account owner (a Nonprofit Control Person — an authorized officer of your organization) has explicitly linked as External Financial Accounts can receive transfers from Chariot. Chariot cannot redirect funds elsewhere.

Disbursement Control: Transfer timing is in your hands. You choose your transfer cadence — daily, weekly, or monthly — and transfers appear as a single lump-sum internal transfer on your primary bank statement.


Data & Platform Security

  • Principle of Least Privilege: Chariot's systems — and your team's access within Chariot — are restricted by default. Access is granted only on an as-needed basis, and only for the specific task at hand.

  • Multi-Factor Authentication (MFA) required: All users accessing the Chariot dashboard must have MFA enabled. Chariot's own staff must also use MFA for all internal tools and systems.

  • End-to-end encryption: All data in transit is protected using TLS (Transport Layer Security). Sensitive information (such as login credentials passed through DAFpay) is encrypted in both directions and not stored by Chariot.

  • Data at rest: Stored data is protected using AES-256 encryption, an industry-standard symmetric encryption algorithm.

  • AWS cloud infrastructure: Chariot is hosted on Amazon Web Services (AWS) in the United States, with continuous uptime monitoring and automated failover.

  • 24/7 infrastructure monitoring: Industry-leading intrusion detection systems continuously monitor for anomalies, with an on-call team responding to all alerts.

  • Scoped payer access: When Chariot connects to a payer portal on your behalf, it interacts only with the specific fields needed to receive grant payments and retrieve gift data.

Compliance & Third-Party Audits

SOC 2, Type 2 Certified

Chariot has achieved SOC 2 Type 2 certification, meaning an independent auditor has verified that Chariot's security controls are not only designed correctly, but have been operating effectively over an extended observation period. Documentation is available upon request via Chariot's public Trust Center at trust.givechariot.com.

Request Chariot's SOC 2 report: If your organization's security team or auditors need to review the full SOC 2 report, contact your Chariot team to request access.

Third-Party Penetration Testing

  • Chariot engages external security researchers to conduct penetration tests — simulated attacks designed to identify vulnerabilities before they can be exploited. Results are reviewed and remediated on an ongoing basis.

Encryption

  • In transit — All data transmitted between your browser and Chariot is encrypted using TLS (Transport Layer Security).

  • At rest — Donor data and financial records stored in Chariot's systems are encrypted at rest.

  • Payer data feeds — Data received from payers (such as Fidelity Charitable's daily CSV reports) is processed through automated, encrypted pipelines. No Chariot employee handles raw donor data.

Access Controls

Chariot enforces strict access controls internally:

  • Chariot employees do not have access to your raw donor data or financial account credentials.

  • Automated systems handle data ingestion, matching, and processing.

  • All system access is logged and auditable.


Flow of Funds & Data

When a payer is linked to Chariot, both payment deposits and donor data are automatically routed through your Chariot Deposit Account before transferring to your operating account. The diagram below shows the full flow for all payment source types:

Understanding how money moves through the system helps with both security reviews and accounting setup:

  1. Donor gives through a DAF sponsor, workplace giving platform, or other charitable vehicle.

  2. Payer processes the grant and sends funds via ACH or mailed check.

  3. Funds arrive in your Chariot Deposit Account at Column N.A., provided the payment source is linked to your account.

  4. Chariot matches the deposit to donor-level data from the payer's data feed.

  5. Your team reviews the matched donations, applies coding via Policies, and exports to your CRM.

  6. Your team transfers funds from the Chariot Deposit Account (CDA) to your operating bank on your schedule.

At every step, funds remain in FDIC-insured accounts. Chariot is the technology layer that matches data to payments — it does not hold or custody your funds.

Key Takeaways:

Chariot only receives grant payments and gift data. It cannot manage payer accounts or change settings.

Unique virtual account numbers per payer are used for internal ledgering only and do not affect how funds flow to your organization.

Funds are legally yours as soon as they settle in your Chariot Deposit Account — there is no need to wait for a transfer to your operating account to consider them in your possession.


Compliance & Documentation


Frequently Asked Questions

What happens if a team member leaves our organization?

An Admin or Owner can remove their access from the Team section of the dashboard at any time. We recommend reviewing team access promptly when staff changes occur, especially for roles with financial permissions.

How do I report a security concern?

Contact your Chariot team directly or email Chariot's support team. Security concerns are treated with the highest priority.
