Security, privacy & retention

The same baseline ships with every org. No checkbox required.

You should not have to read a security white paper to feel safe handing your roster to a vendor. This page is the short version. Eight defaults, six retention rules, one promise: you own your data and you can leave with all of it.

The baseline

Eight defaults, in plain English.

Read these to your board if you want. Every line is a real protection, on by default, on every plan.

  1. Real "not found" page.

    If someone asks for a page that doesn't exist, the site says so honestly. Other vendors quietly serve the home page instead — that confuses search engines, audits, and members.

  2. Setup folder hidden from the public web.

    The folder that holds setup scripts cannot be browsed. The deploy process double-checks this every time we ship.

  3. Forced HTTPS and tight browser protections.

    Every page is encrypted. The browser-level guards that block sketchy scripts and downgrade attacks are on, by default, with no opt-out.

  4. Honest sitemap.

    The list of pages we hand to Google is rebuilt every release. No duplicates, no broken links, no stale URLs left over from last year.

  5. Magic-link login. No passwords stored.

    You click a link in your email and you're in. We don't store passwords, so there's nothing to steal. There is also no "forgot password" email an attacker can use to guess which addresses belong to your members.

  6. Short-lived officer access.

    An officer's signed-in session refreshes every five minutes behind the scenes and can be revoked with one click. A laptop left open at a coffee shop is not an open door.

  7. Secrets can't be committed by accident.

    The system that ships our code looks for things that look like passwords, keys, or tokens, and refuses to ship if it finds any. A volunteer can't paste a key into the wrong file and have it land on a public website.

  8. Your own payment processor, your money.

    Each org connects its own payment processor. Dues flow from your members straight to your bank. We never sit in the middle of the money. We do not take a transaction fee.

Member data

Your roster lives in your own data store.

Member names, emails, phone numbers, household details, dues status — all of it lives in your data store, under your org's own account. We read it on demand. We never copy it anywhere else.

If you ever lose access to 1891 for any reason — vendor goes away, you switch tools, the world catches on fire — your roster is still right where you put it. It always was.

  • No member name, email, or phone number is ever checked into our code.
  • Officers see the fields they're cleared to see. Peers see the fields the member chose to share. The directory respects each member's privacy choices.
  • A member's "make me invisible to peers" toggle works the moment they save it.

Retention

What we keep, for how long, and what we never store.

| What it is | How long we keep it | Notes |
|---|---|---|
| Raw audio (if recorded) | 30 days, then auto-deleted | Most orgs don't store raw audio at all. Captions are live; the audio is discarded as it streams. |
| Live caption transcript | 1 year | Members can search their own meetings during the year. |
| Approved minutes | Permanent | The signed legal record. You can request deletion, but the default is to keep them. |
| Executive session and paused-mic portions | Never recorded, never transcribed | By design. There is no setting that turns this off. |
| Activity log (who did what, when) | 30 days / 1 year / 7 years by plan | Public Sector plan covers most compliance regimes. |
| Consent record | 7 years | Required to defend the org if someone claims they were recorded without permission. |

You can keep things longer than the defaults. You cannot shorten the consent record without a lawyer's sign-off — that one protects your board.

Compliance

Where we are. Where we aren't.

We are honest about both. The short version: every plan meets disability accessibility standards. Every plan honors Maryland's two-party-consent rule for recording meetings. The Public Sector plan is the one that adds the public-records and healthcare-adjacent pieces.

Accessibility (WCAG 2.2 AA)

Tested on every page, every release. Read the full contract at /organizations/contract/.

Two-party consent for recording

Every member consents at check-in. A big "RECORDING" sign sits on every shared screen. The chair can pause the mic with one tap for executive session.

Public-records laws (Public Sector plan)

For school boards, town councils, and similar bodies: minutes-publication workflow, public-comment record, and one-click export for records requests.

HIPAA-adjacent work

Not by default. If your org needs a business-associate agreement to handle health-related data, that lives on the Public Sector plan — ask us.

Ownership

You own it. You can leave with it.

Your domain. Your data store. Your payment processor. Your shared drive. Your bank account. Your minutes. Your members. All of it is yours, in your name, on your accounts, for as long as you have them.

If you ever leave us, you get a clean export of everything within seven business days: every table as a spreadsheet, every published page as a static archive, every approved minutes PDF.

Visibility, enforced. Switch the role on the demo below — see what a public visitor sees, what a logged-in member sees, what an officer sees. The library only ever shows what the role is allowed to see.

  • You own: your domain, your data-store contents, your payment processor, your published content, your member data, your approved minutes.
  • We own: the platform code, the design system, the vendor agreements, the security baseline.
  • If you leave: spreadsheet export of every table, static archive of every public page, copy of every approved minutes file, all delivered within seven business days.

Questions we get

A few we answer on every security review.

Do you store our member roster on your servers?

No. The roster lives in your data store, on your org's own account. We read it when an officer asks for a member. We do not keep a copy.

Can we get a SOC 2 report?

Not today. 1891 Organizations is built by a small team in Frederick, MD. If a SOC 2 report is a hard requirement from your district or your insurance carrier, ask us about Public Sector — that conversation belongs there.

Where does the meeting audio actually go?

To a captioning vendor for the few seconds it takes to turn speech into captions. Then the audio is gone. If your org chooses to keep a copy, it is written to your shared drive, under your account — never to anything we control.

What happens to a member's data when they leave the organization?

An officer marks them inactive in the data store. The platform sees the change on the next read and stops including them in the directory, broadcasts, and quorum math. Their historical attendance and past dues stay on the books as part of the org's legal record.

Found something?

Tell us. One email, one business day.

Email hello@madeby1891.com with "1891 security" in the subject. We reply within one business day. If the issue is a live exposure of member data, we take the affected org offline first and talk after.

Same defaults on every plan. Your data belongs to you. You can leave with all of it.