Security

How we protect your information and how to report a concern.

Last updated: June 29, 2026

Protecting the information our community trusts us with is a priority. This page describes the safeguards we use to keep your data safe and explains how to responsibly report a potential security issue.

Our commitment

Big Little Cupcake Foundation works to protect the confidentiality, integrity, and availability of the personal information we hold — including event registrations, newsletter subscriptions, and donation records. Security is an ongoing process, and we review and improve our practices over time.

How we protect your data

  • Encryption in transit — our website is served over HTTPS, so information exchanged with us is encrypted in transit.
  • Reputable infrastructure — we rely on established hosting, database, and email providers that maintain their own security and compliance programs.
  • Data minimization — we collect only the information we need to run our programs, and we limit who can access it. See our Privacy Policy for details on retention and your rights.

Payment security

Donations are processed by Stripe, a PCI-DSS Level 1 certified payment provider. Payment card details are handled directly by Stripe’s secure systems — we do not collect or store full card numbers on our servers. This means your most sensitive payment information never touches our infrastructure.

Administrative safeguards

  • Multi-factor authentication — access to our administrative tools requires multi-factor authentication.
  • Least-privilege access — personal information is accessible only to authorized team members who need it to operate our programs.
  • Account protections — administrative accounts are protected with strong authentication and enrollment verification.

Application safeguards

  • Cross-site request forgery protection — our public forms are protected against CSRF.
  • Bot and abuse protection — we use bot-protection technology to defend our forms against spam and automated abuse.
  • Input validation — submissions are validated on the server before they are processed or stored.

Your role in staying secure

Security is a shared responsibility. Please keep any confirmation or account details private, use a strong and unique password where applicable, and be cautious of messages asking for sensitive information.

We will never ask for your full payment card number, passwords, or one-time security codes by email or phone. If you receive such a request claiming to be from us, please do not respond and let us know at info@biglittlecupcake.org.

Reporting a vulnerability

We value the work of security researchers and the broader community in keeping our supporters safe. If you believe you have found a security vulnerability or have a concern about how data is handled, please email info@biglittlecupcake.org and include:

  • A description of the issue and its potential impact.
  • Steps to reproduce it, including any URLs, payloads, or proof-of-concept details.
  • Any relevant screenshots or logs.

We will acknowledge your report, investigate promptly, and keep you informed as we work toward a resolution.

Responsible-disclosure guidelines

When researching or reporting a potential issue, we ask that you:

  • Give us a reasonable opportunity to investigate and address the issue before disclosing it publicly.
  • Avoid accessing, modifying, or deleting data that does not belong to you.
  • Avoid privacy violations, service disruption, and any activity that could harm our community or systems.
  • Only interact with accounts you own or have explicit permission to test.

We will not pursue or support legal action against researchers who act in good faith and follow these guidelines.

Changes to this page

We may update this Security page as our practices evolve. The “Last updated” date above reflects the latest revision.

Contact us

For any security question or report, contact us at info@biglittlecupcake.org.

You can also reach our team any time through our contact page.