WalkLists
GPS Routes Team Sync Data Enrichment PDF Walk Lists Mobile App
Political Sales Insurance Roofing
Pricing
Help Center Blog Contact

WalkLists Security & Trust

Last Updated:

Field teams trust WalkLists with voter files, customer contacts, and the records they collect at the door. We treat that data as if it were our own.

This page describes, honestly, how we protect it. For what we collect and why, see our Privacy Policy.

Encryption

  • In transit: all traffic to walklists.com, our APIs, and the mobile apps is encrypted with HTTPS/TLS.
  • At rest: field photos are kept in a private object-storage bucket; passwords are stored only as salted one-way hashes, never in plain text.
  • Payments: card data is handled entirely by Stripe (PCI-DSS Level 1) and never touches our servers.

Access Control

  • Role-based access: every user is an Admin, Manager, or Rep, and each role sees only what it needs. Reps cannot reach organization-wide contacts, lists, billing, or team management.
  • Organization isolation: each organization's data is scoped to that organization; users cannot see another organization's records.
  • Least privilege internally: access to production data is limited to the personnel who need it to operate and support the Services, under confidentiality obligations.

Authentication

  • Email-and-password sign-in with hashed credentials, plus optional Sign in with Google and Sign in with Apple.
  • Enterprise SSO (SAML) is available so larger organizations can use their own identity provider.
  • Volunteers can be given a shareable link to a single assigned walk list without creating an account — they never gain access to your wider data.

Session & Application Security

  • Session cookies are set Secure (HTTPS-only) and HttpOnly with a SameSite policy, and sessions expire automatically.
  • All state-changing requests are protected against cross-site request forgery (CSRF).
  • Error messages shown to non-admin users are scrubbed of technical detail.

Field Photo Privacy

  • Photos are converted to WebP and their embedded EXIF metadata — including any camera-written GPS — is stripped before storage.
  • They are stored in a private bucket and served only through short-lived signed links, never public URLs.

Reliability & Operations

  • Every deployment passes automated health-check gates (application boot, dependent services, schema/environment audit) and rolls back automatically if a gate fails, so a bad release never reaches you.
  • Offline-first mobile logging means field data is queued securely on the device and synced when connectivity returns — nothing is lost in a dead zone.

Our Sub-Processors

We rely on a small set of vetted providers to deliver the Services. Each is bound to protect the data it handles:

  • Stripe — payment processing.
  • Amazon Web Services (SES) — email delivery.
  • CSV2Geo — geocoding, map tiles, and property/roof/hazard enrichment.
  • HERE Technologies — fallback geocoding.
  • DigitalOcean (Spaces) — encrypted photo storage.
  • Google / Apple — optional single sign-in.
  • Pusher — real-time synchronization.
  • ScaleChat — in-app team messaging.
  • NREL / OpenEI / EIA — public solar-estimate data (address only, no contact PII).

Data Ownership & Portability

Your data is yours. Admins can export contacts and field results at any time, and you can request deletion of your account data. We act as a processor for the contact lists you upload — we use them only to provide the Services. See the Privacy Policy for details.

Responsible Disclosure

If you believe you have found a security vulnerability, please tell us before disclosing it publicly. Email [email protected] with the subject "Security" and steps to reproduce. We will acknowledge your report, investigate promptly, and keep you informed. We appreciate good-faith research and will not pursue action against researchers who act responsibly.

A Note on Certifications

We follow widely accepted security practices and are continually improving them. We do not currently hold formal third-party certifications such as SOC 2 or ISO 27001; we will state plainly on this page if and when that changes. We never claim a certification we do not hold.

Contact

  • Email: [email protected]
  • Phone: (616) 439-4102
  • Address: Scale Campaign LLC, Grand Rapids, MI