Ballot anonymity
When you vote on OrgPoll, no one can see how you voted — not your admin, not us.
We do record that you voted on a poll (so we can prevent double-voting and show admins turnout), but never what you voted for, tied to your identity. The two records — who voted, and which options received votes — live in separate tables (VoteReceipts and Votes) with no shared column linking them.
This is a structural guarantee, not a cryptographic one. The database itself does not store the link. We don't issue verifiable cryptographic receipts (see What we don't claim below).
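A sketch of the two-table separation described above, added here as an illustration and not OrgPoll's own code. It uses an in-memory SQLite database as a stand-in for Azure SQL Database; the table names come from this page, while the column names and the helpers (`cast_vote`, `turnout`, `tally`, `shared_columns`) are assumptions.

```python
import sqlite3

# Table names are from the page; column names and helpers are assumptions.
# Neither table carries a timestamp or sequence id, since matching insertion
# order across the two tables would relink voter and ballot.
SCHEMA = """
CREATE TABLE VoteReceipts (      -- who voted: turnout and double-vote check
    poll_id INTEGER NOT NULL,
    user_id TEXT    NOT NULL,
    PRIMARY KEY (poll_id, user_id)
) WITHOUT ROWID;                 -- stored by key, not by arrival order
CREATE TABLE Votes (             -- what was chosen: no voter column at all
    poll_id   INTEGER NOT NULL,
    option_id INTEGER NOT NULL
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def cast_vote(db, poll_id, user_id, option_id):
    """Write receipt and ballot atomically; return False on a repeat vote."""
    try:
        with db:  # one transaction: both rows commit or neither does
            db.execute("INSERT INTO VoteReceipts VALUES (?, ?)", (poll_id, user_id))
            db.execute("INSERT INTO Votes VALUES (?, ?)", (poll_id, option_id))
        return True
    except sqlite3.IntegrityError:  # primary key hit: this user already voted
        return False

def turnout(db, poll_id):
    """What an admin can see: how many members voted, not how."""
    sql = "SELECT COUNT(*) FROM VoteReceipts WHERE poll_id = ?"
    return db.execute(sql, (poll_id,)).fetchone()[0]

def tally(db, poll_id):
    """Option totals, computed without touching VoteReceipts."""
    sql = "SELECT option_id, COUNT(*) FROM Votes WHERE poll_id = ? GROUP BY option_id"
    return dict(db.execute(sql, (poll_id,)).fetchall())

def shared_columns(db):
    """Columns common to both tables; only the poll id should appear."""
    cols = lambda t: {r[1] for r in db.execute(f"PRAGMA table_info({t})")}
    return cols("VoteReceipts") & cols("Votes")
```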
Audit log
Every meaningful action is recorded in an admin-visible audit log. Admins can view the org's full history inside the app at /audit, plus per-poll history on each poll's detail page. The log covers poll lifecycle (created, published, closed), member changes (invited, role changed, removed), and a vote-cast row for every vote — which records that the vote happened, never what was voted for.
The audit log is append-only. Admins can read entries but cannot edit or delete them.
What we don't claim
OrgPoll is built for voluntary internal elections in small organizations. There are a few things we explicitly are NOT, and don't claim to be — if any of these are deal-breakers, OrgPoll is not the right tool:
— SOC 2: we have not completed a SOC 2 Type I or Type II audit.
— ISO 27001: we have not been certified.
— Cryptographic verifiability: we don't issue Helios-style cryptographic receipts. If you need every voter to mathematically verify their vote was counted, OrgPoll is not the right tool.
— Statutory HOA elections: state laws in some jurisdictions require paper ballots, supervised polling, or certified election services. We aren't certified for those purposes.
— NLRB-supervised union elections: these have specific procedural requirements we don't meet.
— Government, civic, or municipal elections: different threat model. Look at Helios, POLYAS, or a certified civic vendor.
— High-coercion voting environments: hostile-takeover proxy fights, whistleblower votes — wrong threat model.
— Native mobile apps: OrgPoll is a web app.
— SMS, phone, or IVR voting: we don't accept votes over text or phone.
Data residency and sub-processors
Here's everyone who touches your data:
— Microsoft Azure for hosting (Azure App Service + Azure SQL Database + Azure Static Web Apps). Currently US-East region.
— Clerk for identity. Clerk manages user accounts, sessions, and JWTs. See Clerk's security posture at clerk.com/security.
We don't use any other sub-processor for processing customer poll or vote data today. Billing runs through Clerk's billing module on a flat-rate annual plan; card data is handled by Clerk's payment processor.
Encryption in transit
All traffic between your browser and OrgPoll runs over HTTPS. Both the API (Azure App Service) and the web app (Azure Static Web Apps) force TLS on every request — plain-HTTP requests are refused in production.
Encryption at rest
The database (Azure SQL Database) uses Transparent Data Encryption — disk-level encryption that's on by default. Backups inherit the same encryption.