Infrastructure
We deploy our app on an AWS infrastructure with production-grade secure environments. Our core database runs on enterprise-grade managed databases with replication and failover. We also make use of a number of other cloud service providers for data, storage, monitoring, and notifications. We vet all third-party service providers carefully before using them.
Audits
We engage third-party vendors to do penetration tests and security audits on at least an annual basis.
Incident response
We have a 24/7/365 on-call rotation, which will respond immediately to security incidents. We also respond quickly and transparently to bug and security reports. Incidents and other operational updates are listed here: status.ngpvan.com.
Data access
All core client data is stored in AWS, accessed only over HTTPS and encrypted at rest. We enforce access control policies on all customer data exposed through the application and our APIs.
Employee access
We follow the principle of least privilege in granting employees access to core data, and allow access to private customer data for operational and debugging purposes only.
Application security
Our core application is written on top of a security-hardened web framework which enforces a number of web security measures, including encrypted cookies, cross-site scripting prevention (XSS), and cross-site request forgery (CSRF) prevention.
Infrastructure security
All traffic is served over HTTPS only and uses HSTS. All traffic is behind Cloudflare DDOS and firewall protection as well.
Passwords
Our users authenticate through Google login or passwordless one-time-token system over email.
Third-party services
We use a number of third parties to provide the core Mobilize services in addition to non-core functionality, monitoring, tracking, and analytics. All have been vetted to our security and availability standards.
How we prepare Mobilize for high-traffic season
Ahead of major electoral cycles and high-traffic periods, Mobilize runs a structured preparation program - not just reactive scaling, but proactive hardening.
Before the season:
We run dedicated load testing to simulate peak traffic and validate that the platform can absorb sharp spikes without degrading the experience for users.
We conduct security assessments to identify and address vulnerabilities before they can be exploited.
We improve bot detection and spam filtering to reduce the volume of automated abuse attempts during high-visibility moments.
We refine our on-call playbooks and alerting so our teams can detect and respond to issues faster.
During the season: We monitor performance in real time — including signup processing, communication delivery, and overall system load — so we can respond immediately if anything needs attention.
We've successfully supported major high-traffic electoral moments and have refined this playbook through each cycle. Our goal is that election season feels no different to your users than any other day on Mobilize.
