Security Settings

Protecting your organization's data, your team's accounts, and your volunteers' personal information is essential. NeedBridge provides role-based access control, secure API key management, and best practices for keeping your organization safe. This guide covers the security settings available and recommendations for maintaining a secure environment.

Security Settings Available

Navigate to Settings in the left-hand navigation to access security-related configuration options. Security settings are distributed across several sections:

  • User management -- Control who has access and what they can do.
  • API keys -- Manage external access to your organization's data.
  • Billing -- Payment security is handled through Stripe's secure portal.

Access Control: Role-Based Permissions

NeedBridge uses role-based access control to ensure that each team member has access only to what they need. There are four roles, each with different permissions:

Case Worker

  • Can create and manage their own needs
  • Can view and communicate with volunteers who claim their needs
  • Cannot access settings, user management, or organization-wide reports

Coordinator

  • Can view and manage needs in their assigned areas
  • Can approve needs and new users in their areas
  • Can view reports scoped to their areas
  • Cannot access organization-wide settings or billing

Organization Admin

  • Full access to all needs, users, volunteers, and reports across the organization
  • Can access and modify all settings
  • Can manage billing and plan

Executive Admin

  • Same permissions as Organization Admin with additional administrative capabilities

Best Practices for Access Control

  • Assign the minimum role necessary. Not every team member needs admin access. Give case workers the case worker role and coordinators the coordinator role.
  • Review roles regularly. When someone changes responsibilities, update their role to match.
  • Remove access promptly. When a team member leaves the organization, deactivate their account immediately.

API Key Security

API keys grant external applications access to your organization's data. Treat them with the same care as passwords:

  • Use one key per integration. If one integration is compromised, you can revoke that key without disrupting others.
  • Never share keys over insecure channels. Do not send API keys via email or chat. Use a password manager or secure vault.
  • Do not embed keys in client-side code. API keys should only be used in server-side applications or trusted integration platforms.
  • Revoke unused keys. If an integration is no longer active, revoke its key.
  • Rotate keys periodically. For sensitive integrations, create a new key, update the integration, and then revoke the old key.

See the API Keys article for detailed instructions on creating and managing keys.

Data Protection

NeedBridge takes several measures to protect your data:

  • Encryption in transit -- All data transmitted between your browser and NeedBridge is encrypted using HTTPS/TLS.
  • Secure payment processing -- Payment information is handled by Stripe and is never stored on NeedBridge servers.
  • Access logging -- Administrative actions are logged so you can audit who changed what and when.

Protecting Client Privacy

Your organization's needs may reference sensitive information about the people you serve. Follow these guidelines:

  • Never include identifying information in need titles or descriptions. No client names, addresses, phone numbers, or other personal details.
  • Share logistics directly with volunteers after they claim a need, not in the public need description.
  • Train your team on privacy practices. Make sure case workers and coordinators understand what information is appropriate to include in needs.
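
As an added example (not NeedBridge code), here is a pre-publish check a team could run on draft needs to catch phone numbers, email addresses, and street addresses in titles and descriptions. The function names, patterns, and sample drafts are constructed for illustration, and the patterns assume US-style phone numbers and street suffixes.

```python
import re

# Heuristic patterns for the identifier types the guideline names.
# Client names cannot be matched reliably by a regex and still need human review.
PATTERNS = {
    "phone": re.compile(
        r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
    ),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "street_address": re.compile(
        r"\b\d{1,6}\s+(?:[A-Za-z0-9.'-]+\s+){1,4}"
        r"(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Boulevard|Dr|Drive|Ln|Lane|Ct|Court)\b",
        re.IGNORECASE,
    ),
}


def find_identifiers(text):
    """Return sorted (kind, matched_text) pairs found in text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        hits.extend((kind, m.group(0).strip()) for m in pattern.finditer(text))
    return sorted(hits)


def review_need(title, description):
    """Check both public fields; return {field: hits} for fields with findings."""
    report = {}
    for field, text in (("title", title), ("description", description)):
        hits = find_identifiers(text)
        if hits:
            report[field] = hits
    return report


# Constructed sample drafts: the first follows the guideline, the second does not.
SAMPLE_NEEDS = [
    ("Twin bed frame for a family of four",
     "Family recently moved into new housing. Delivery details shared after claim."),
    ("Groceries for Maria at 412 Oak Street",
     "Call 555-201-3344 or email maria.r@example.org to arrange drop-off."),
]

if __name__ == "__main__":
    for title, description in SAMPLE_NEEDS:
        findings = review_need(title, description)
        print("HOLD" if findings else "OK  ", title, findings)
```

The second draft is held for its address, phone number, and email, but the client's first name in the title is not detected, which is why the check supplements team training rather than replacing it.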

Protecting Volunteer Data

Volunteer personal information (name, email, phone, address) is collected during signup and stored securely. Follow these guidelines when handling it:

  • Limit access to volunteer data. Only team members who need contact information to coordinate need fulfillment should access it.
  • Do not share volunteer lists externally without appropriate consent and data handling agreements.
  • Honor unsubscribe requests. When a volunteer unsubscribes, respect their decision and stop all email communications.

Best Practices for Organization Security

  • Use strong passwords. Encourage all team members to use unique, strong passwords for their NeedBridge accounts.
  • Keep your team roster current. Deactivate accounts for people who no longer need access. Review the user list quarterly.
  • Monitor the activity log. Periodically review administrative actions to ensure nothing unexpected has occurred.
  • Educate your team. Share these security practices with your case workers and coordinators. Security is a team effort.
  • Report suspicious activity. If you notice unauthorized access or unexpected changes, contact NeedBridge support immediately.

Tips

  • Start with the principle of least privilege. Give each person the minimum access they need to do their job.
  • Audit API keys and user accounts together. When you review your user list, also review your API key list. Both represent access to your organization's data.
  • Make privacy training part of onboarding. Every new team member should understand the rules about client privacy and volunteer data before they start using the system.