Donorbox uses Stripe's secure token mechanism. Card numbers are tokenized (the number is changed to an undecipherable string, IE: `tok_fafds23423') before we charge the card. Saved cards & bank accounts for recurring donations are also tokenized. Therefore, Donorbox doesn't have any record of the donor's card number in our database and logs. That means hackers will never get sensitive card or bank information from us.


Donorbox is PCI compliant under "PCI validation: SAQ A". We utilize Stripe Elements technology that has financial input fields which are done securely in Stripe's iframe. Stripe is certified as a PCI Level 1 Service Provider. This is the most stringent level of certification available in the payments industry.


The transmission between the donors, the Donorbox form, and Stripe is encrypted using 256bit SSL/TLS. Stripe is one of the most secure and trusted payment providers. It is used by Twitter, Shopify, Kickstarter, and Lyft.