Security

Effective Date: March 1, 2026
Last Updated: March 1, 2026

Conneli Inc. (“Conneli”, “we”, “us”, or “our”) treats security as a core product requirement. Our platform is designed to help associations manage operational data responsibly, and we continuously work to protect the confidentiality, integrity, and availability of the information entrusted to us. This Security page summarizes our security practices, controls, and compliance approach. It is provided for transparency and does not form part of the Terms of Service.

Security Governance

  • Security ownership: Security is owned at the executive level and integrated into engineering and operations.
  • Risk management: We identify, assess, and address security risks as part of product planning and ongoing operations.
  • Policies and procedures: We maintain internal security policies covering access control, data handling, incident response, and change management.
  • Training: Personnel with access to production systems are expected to follow security best practices and internal procedures.

Compliance and Assurance

SOC 2

Conneli is pursuing SOC 2 (Security) compliance and intends to maintain ongoing alignment with SOC 2 controls as we scale. Our roadmap includes formalizing control documentation, evidence collection, and periodic third-party assessment.

Additional frameworks

As customer needs evolve, we will align with other applicable standards and requirements (for example: customer-requested security questionnaires, vendor risk programs, and sector-specific expectations).

Data Protection

Encryption

  • In transit: We use encrypted transport (TLS/HTTPS) for data transmitted between clients and our services.
  • At rest: We use industry-standard encryption mechanisms provided by our infrastructure and vendors where supported.

Data minimization

  • We collect and process only the data necessary to deliver the Services.
  • Associations control what member fields are collected and stored within their tenant.

Data ownership and export

  • Associations retain ownership of their data.
  • Associations may request an export of their data by contacting Conneli; exports will be provided in a commercially reasonable format.

Data retention

  • We retain data as needed to provide the Services and for legitimate operational purposes.
  • For archived accounts, we do not guarantee indefinite retention and may delete archived data after a commercially reasonable period.

Access Control

  • Least privilege: Access to production systems is restricted to authorized personnel who require access to perform their duties.
  • Role-based access: Platform permissions are designed around roles and tenant boundaries.
  • Authentication: Administrative access is protected using strong authentication controls.
  • Review and removal: Access is reviewed and removed when no longer needed.

Application Security

  • Secure development practices: We incorporate security considerations into design, implementation, and deployment.
  • Dependency management: We monitor and update third-party dependencies to reduce exposure to known vulnerabilities.
  • Change control: Changes are reviewed and deployed through controlled processes.
  • Testing: We use automated and manual testing practices to reduce regressions and security defects.

Logging, Monitoring, and Abuse Detection

  • We maintain logs of important system and security events.
  • We monitor for anomalous activity and potential misuse, and we investigate signals indicating elevated risk.
  • Where appropriate, we may suspend or terminate accounts involved in prohibited activity as described in our Terms of Service.

Logging and monitoring are designed to protect the platform and its users. We do not sell personal information or use security telemetry for third-party advertising.

Infrastructure and Network Security

  • Segmentation: We use logical separation between environments and tenants where applicable.
  • Hardened configurations: We apply secure configuration practices to infrastructure components.
  • Vendor risk: We rely on reputable infrastructure and service providers and expect them to maintain strong security programs.
  • Backups and recovery: We maintain backup and recovery practices appropriate to the platform’s needs.

Incident Response

We maintain an incident response approach intended to:

  • Triage and contain security events
  • Investigate root cause
  • Remediate and prevent recurrence
  • Communicate with affected customers when appropriate

Where legally required or appropriate, we will notify impacted customers of a confirmed security incident involving their data, along with relevant details we can share safely.

Responsible Disclosure

If you believe you have discovered a security vulnerability, we appreciate responsible disclosure. Please email security@conneli.com with details. Do not attempt to access data that is not your own, degrade service availability, or perform disruptive testing.

Subprocessors and Third Parties

Conneli may use third-party service providers to deliver parts of the Services (for example, payment processing, hosting, email delivery, and monitoring). We require subprocessors to protect information and to use it only to provide services to Conneli. Subprocessor details may be made available upon request as our program matures.

Customer Responsibilities

Security is a shared responsibility. Associations are responsible for:

  • Using strong passwords and protecting account credentials
  • Assigning appropriate roles and permissions to their users
  • Maintaining accurate admin contact information
  • Ensuring the content they upload complies with applicable law and their internal policies

Contact

For security questions or requests, contact:
Conneli Inc.
Winnipeg, Manitoba, Canada
Email: security@conneli.com