WhistleStop HQ

Security

Last updated: June 8, 2026

Your campaign HQ holds some of your most sensitive work — opposition research, strategy, donor activity, and private notes. Protecting it isn’t an add-on for us; it’s built into the platform. Here’s how, in plain terms.

Your account stays yours

  • Multi-factor authentication is required. Even if someone learned your password, they can’t get in without the second factor on your device.
  • Bots and break-in attempts are stopped at the door. Automated attacks — the kind that hammer a login page trying thousands of password combinations — are detected and blocked in real time, while you keep working normally.
  • Suspicious sign-ins are challenged, not ignored. If a login looks wrong (a brand-new device, or two sign-ins from impossibly far apart), we ask for a one-time email code to confirm it’s really you.
  • You’re signed out automatically when you step away. Sessions end after a period of inactivity — and you control how long — so an unattended screen isn’t an open door.

Your data is walled off

  • Every campaign is isolated from every other. Your information is separated at the database level, so one campaign can never see another’s — by design, not just by policy.
  • You decide what your own team sees. Consultants, staff, and volunteers get exactly the access you grant them, section by section, and every action is logged. You can change or revoke access instantly. Financial controls are never delegable — they always stay with you.
  • Your information travels encrypted. Everything between your browser and our servers is protected in transit.

Your fundraising is handled the right way

  • Donations run on Stripe, the same payments infrastructure trusted by millions of businesses, with its own fraud screening on every transaction.
  • Funds go straight to your campaign’s account — they never pass through us, and we take no cut of your donations.

Built for campaigns specifically

Campaigns are targets. We tune our protections so that real attacks are stopped while you are never locked out at the worst possible moment — when a login is flagged, we verify it’s you and let you through, rather than slamming the door before a debate or a deadline.

Questions about security? Email security@whistlestop.ai — we’re happy to walk your team through any of it.