Campaign data is sensitive. Voter contact information, donor prospects, and canvass results deserve serious protection. Here is exactly how LocalSeat keeps your data safe.
All data between your browser and LocalSeat servers is encrypted using TLS. The platform runs exclusively over HTTPS. Unencrypted HTTP connections are rejected.
Passwords are hashed using bcrypt before storage. We never store plain-text passwords. Password reset links are time-limited and single-use.
Every user has a defined role. Canvassers see only their assigned lists. Campaign data is never accessible across campaign boundaries. Each campaign is fully isolated.
All significant actions within the platform are logged with user, role, timestamp, and campaign. Campaign managers can review activity at any time. Logs cannot be altered by campaign users.
Login attempts are rate-limited to prevent brute-force attacks against campaign accounts. Repeated failed attempts trigger temporary lockout.
All new accounts are prompted to verify their email address. A persistent banner encourages verification, with escalating urgency after 7 days. Verification tokens are time-limited and single-use.
The PostgreSQL database port is not publicly accessible. Database connections are restricted to the application server only. Campaign data is scoped by campaign ID on every query.
LocalSeat runs on a dedicated VPS hosted in Canada. Your campaign data does not leave Canadian infrastructure. TLS certificates are managed via Let's Encrypt with automatic renewal.
Security is also about what you choose not to do. LocalSeat does not:
If you discover a security vulnerability in the LocalSeat platform, we ask that you report it to us privately before disclosing it publicly. We take all reports seriously and will work to resolve confirmed vulnerabilities promptly.
Email us at info@localseat.io with a description of the vulnerability and steps to reproduce it. Please do not include sensitive campaign data in your report.
We will acknowledge receipt within one business day and provide a resolution timeline as quickly as possible. We will not take legal action against good-faith security researchers.