Democracy Works Security Overview

  • Updated

Democracy Works’ data and systems are hosted by Amazon Web Services in the public cloud. We automatically measure our security posture against the Center for Internet Security (CIS) benchmarks for AWS and the AWS Foundational Security Best Practices (FSBP) standard.  

Democracy Works incorporates “infrastructure as code” principles into its development processes, allowing us to see a full audit trail of changes to our systems and roll them back if necessary. Democracy Works makes use of AWS services that provide logging and monitoring when changes do occur outside of the normal, auditable processes. All audit logs are encrypted at rest.

Availability & Reliability

Status page

Democracy Works's system availability can be viewed in real-time at https://status.democracy.works.

Service Monitoring

Democracy Works monitors its systems 24x7. The team is alerted where service level objectives are exceeded.

Data Center Security

Environmental Safeguards 

Amazon Web Services (AWS) proactively prepares for potential environmental threats, like natural disasters and fire. Installing automatic sensors and responsive equipment are two ways we safeguard our data centers. Water-detecting devices can alert employees to problems as automatic pumps work to remove liquid and prevent damage. Similarly, automatic fire detection and suppression equipment reduces risk and can notify AWS employees and firefighters of a problem.

Physical Access Control

The physical security of Democracy Works information systems, equipment, and operating environment is controlled by Amazon Web Services (AWS). Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Amazon only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical and electronic access to data centers by Amazon employees is logged and audited routinely.

For additional information see: https://aws.amazon.com/security

Data Security

Democracy Works encrypts all traffic to and from its Amazon Web Services (AWS) data center in transit by default. Customer data is encrypted at rest when the underlying technology supports it, and in all cases, access to customer data is controlled through AWS IAM (Identity and Access Management). Internal access to databases containing user data is controlled through a combination of AWS IAM policies and a VPN.

Data Breach Notification

In the event that TurboVote user data is ever exposed in a data breach, Democracy Works will investigate the method and scope of the breach, communicate with affected users (and, where applicable, state regulators), and work to restore system security and user confidence. The incident response is led by the VP Engineering and Principal Engineer, who will coordinate all other activities.

Data Destruction Policy

Media storage devices used to store customer data are classified by AWS as Critical and treated accordingly, as high impact, throughout their life-cycles. AWS has exacting standards on how to install, service, and eventually destroy the devices when they are no longer useful. When a storage device has reached the end of its useful life, AWS decommissions media using techniques detailed in NIST 800-88. Media that stored customer data is not removed from AWS control until it has been securely decommissioned. Learn more.

Democracy Works requires full-disk encryption for employee devices, and laptops are wiped as part of the offboarding process.

Data Encrypted At-rest

Data is encrypted at rest by AWS using an encryption method based on the underlying data store, AES with 256-bit keys. Learn more.

Data Encrypted In-transit

Data is encrypted in transit from a user’s browser to the TurboVote system during signup using TLS version 1.3.

Data Retention Policy

Unless otherwise specified in your agreement, at the conclusion of our partnership, we will remove customizations from your partner site, revoke access to the TurboVote Admin Console, and turn off the mailings feature (if applicable). Ultimately, your partner site URL may redirect to our public site turbovote.org. You will be informed of the date on which you will lose access to the Admin Console, though the User Export can be downloaded prior to partnership dissolution. Democracy Works retains user data and continues to service users through our public site.

Data Storage Location

Data is stored in the United States, primarily in the AWS US West 2 region located in Oregon. For disaster recovery purposes, data backups may be stored in the AWS US East 1 (Virginia) or US East 2 (Ohio) regions. Open authorization data is never transmitted to locations outside of the United States.

Organizational Security

Disaster Recovery

Democracy Works does not have a formal disaster recovery plan. Our data is stored redundantly in multiple AWS Availability Zones in a single region. In addition, we have a multi-region recovery strategy for customer data stored in AWS.

Employee Background Checks

Democracy Works employees undergo a rigorous interview process that includes reference checks, but not criminal background checks.

Employee Security Training

Upon hire, Democracy Works staff are required to read and acknowledge they have read the Employee Handbook, which includes information about handling Confidential and Proprietary Information as well as data security. Employees also undergo annual security awareness training.

Employee Workstations Encrypted

Employee laptops are required to enable FileVault for disk encryption. The hard disk is wiped when returned to the IT administrator.

Limited Employee Access (Principle of Least Privilege)

Democracy Works follows the principle of least privilege when granting employee access to systems. Access to data is limited based on employees' needs. Employee access is reviewed periodically to ensure access levels are aligned with their role--access may be downgraded or revoked at this time. An employee's access is revoked promptly upon termination.

Secure Network Access

All employees with access to cloud systems are required to authenticate with AWS IAM and have a second authentication factor associated with their account. All employees are required to access cloud infrastructure using a VPN. Employee access is reviewed as new employees are hired or leave the organization. Employees who leave the organization have their access promptly terminated.
AWS IAM policies are placed on employees based on job function to limit access to what they need to perform their job duties (principle of least privilege).

Product Security

Password Encryption

TurboVote users do not have a username and password, however TurboVote admin usernames and passwords are stored in Auth0. Auth0 never stores passwords in cleartext--they are always hashed and salted security using bcrypt.

Password Requirements

The TurboVote Admin console has the following password requirements:

  • No more than 2 identical characters in a row
  • Special characters (!@#$%^&*)
  • Lower case (a-z), upper case (A-Z), and numbers (0-9)
  • Must have 14 characters in length
  • Non-empty password required

Multi-factor authentication is available upon request.

Privacy

Privacy Policy

Democracy Works is committed to protecting the privacy of users of our various websites and applications. Our privacy policy is intended to cover all of our websites and applications, including without limitation the following: TurboVote, How to Vote, Votes & Ballots, ElectionMail.org, and Voting Information Project.

GDPR

​​TurboVote is only permitted to be used by U.S. residents. Since the GDPR only applies to data about EU residents, the GDPR does not apply to Democracy Works.

CCPA

Democracy Works is a nonprofit entity, and as such, is generally exempt from the coverage of the CCPA, as provided in Section 1798.140(3) of the CCPA. However, while the statute itself may not be applicable to Democracy Works directly, Democracy Works recognizes that the CCPA is applicable to many of its business partners.

Partners will not provide any employee personal information to Democracy Works in the course of this partnership.

Users may choose to collect, correct, update, or delete the user information they have submitted to us by replying to any text or email notification from TurboVote or by contacting us at privacy@democracy.works.

TCPA

When users sign up on our TurboVote web application, they agree to the following terms and conditions:

By signing up for email and SMS reminders, you agree to TurboVote’s Privacy Policy and Terms of Service. We don't sell your information.

TurboVote doesn’t charge for reminders, but message and data rates may apply for SMS. Text ‘STOP’ at any time to unsubscribe from SMS reminders. For help, reply to any message you receive from us, or email us.

Users can opt out of receiving communications from us by following the unsubscribe link or instructions that we provide in our communications or by emailing privacy@democracy.works.

Additionally, our SMS provider, Twilio, regularly conducts audits against the TurboVote short code to ensure TCPA compliance. Twilio also assists Democracy Works in responding to compliance audits conducted by carriers.

Vulnerability and Threat Management

Intrusion Detection and Prevention

Democracy Works utilizes Intrusion Detection and Prevention Systems (IDP/IPS) with AWS GuardDuty to monitor its cloud environment for suspicious activity and take action to prevent potential security breaches.

Penetration Testing

Democracy Works undergoes an annual security audit by a third party. We disclose information about any high-severity issues to its partners as necessary. Democracy Works completed its last third-party assessment in June 2026. A report is available upon request.

Democracy Works prioritizes audit feedback appropriately in its product development processes and strives to incorporate all “lessons learned” into ongoing application development. 

Frequently Asked Questions

What is TurboVote?

TurboVote, a product of Democracy Works, is an online platform that provides users with the information they need to vote with confidence. Users can sign up for election reminders and get help with voter registration and voting by mail, all in one place. Users can reply to any text or email from TurboVote to get in touch with our help desk staffed by voting experts, who can answer their questions in English or Spanish. Since 2012, over 10 million voters have signed up for TurboVote. 

What is Democracy Works?

Democracy Works is a nonpartisan, nonprofit 501(c)(3) organization that helps Americans vote no matter what, by providing the tools, information, and support needed to confidently participate in elections.

Does my organization provide TurboVote with data?

No. There is no data transfer from your organization to DW or TurboVote. Each user individually opts-in to the Democracy Works Privacy Policy and the TurboVote Terms of Service when they sign up and provide only the information required to complete the steps for the TurboVote services they choose.

Please describe the flow of end user data into and out of Democracy Works systems.

End users input data directly into Democracy Works’ systems through our TurboVote web application. While DW has contractual relationships with corporate, campus, nonprofit, and government entities, those relationships are generally limited to providing a branded version of TurboVote, and supporting partners’ effective use of TurboVote. It is the responsibility of partners to promote their TurboVote site to their consumers, employees, students, constituents, etc.

For example, if ABC Organization enters an agreement with DW, the agreement generally provides the terms under which DW will create a custom, branded version of the TurboVote application that bears ABC Organization’s name, logo and color(s), and the requirements applicable to hosting the application. This does not obligate individuals associated with ABC Organization to use (or provide any data to) the TurboVote website.  ABC Organization may inform its individual users, students, customers, employees, etc. of the application, and when users visit the TurboVote website they enter their information directly into the application. 

DW then processes that data and communicates directly with end users to help them navigate the voter registration process and learn about elections taking place in their community. Depending on the specific terms of the partnership agreement, ABC Organization may have access to some user data.

Who has access to end user data?

Democracy Works staff and select vendors have access to end user data to provide the TurboVote service and support. 

Does Democracy Works sell end-user data?

No, Democracy Works does not sell end user data.

What user information does TurboVote collect?

TurboVote only collects information that is necessary to serve our users. Depending on how a user interacts with our site, TurboVote may collect any of the following: name, address, phone number, email address, birth date, race, political party, TurboVote referral code, voter registration method, and preferred voting method. We do not collect driver's license information or Social Security numbers.

Who owns the data input into the TurboVote application?

For Democracy Works to provide the TurboVote service to users, Democracy Works must manage and own the data input by users in the TurboVote user flow. As between Democracy Works and our business partners, the data is owned by Democracy Works.

What happens at the end of a TurboVote partnership?

Unless otherwise specified in your agreement, at the conclusion of our partnership, Democracy Works will take steps to shut down the partner site. The custom URL will redirect to Democracy Works’ primary site, turbovote.org. End users that signed up on the partner site prior to the end of the partnership will continue to receive text and/or email reminders about their upcoming elections pursuant to Democracy Works’ privacy policy.

What is a TurboVote subsite? What are the subsite fees? Do I have to pay this for a single custom site?

A subsite refers to one or more additional TurboVote sites beyond your primary partner site. Subsites are optional. Partners may be interested in subsites for specific chapters of their organization or affiliated brands, for example. Should a partner request one or more subsites in writing, the subsite fee outlined in the contract would apply.

What insurance coverage does DW have?

As of November 2025, DW insurance coverage includes the following:

  • Commercial liability: $1 million each occurrence
  • General aggregate: $4 million 
  • Automobile: $1 million for rental and non-owned vehicles
  • Excess/umbrella liability: $5 million each occurrence
  • Tech errors and omissions: $1 million
  • Cyber liability: $2 million
  • ERISA/commercial crime: $385,000
  • D&O: $2,000,000

Is TurboVote a mobile app?

No. TurboVote is a mobile-friendly website.

Is TurboVote accessible for screen-readers, colorblind, etc.?

TurboVote is created to be easy to use on any kind of device including mobile, desktop and screen readers. New user interfaces and product improvements are designed with accessibility in mind and are routinely reviewed to ensure TurboVote meets accessibility standards and remains WCAG 2.1 compliant.

How do I report a TurboVote security concern?

Partners work with a dedicated member of our partner support team. Any concerns can be reported to their partner support contact. TurboVote security concerns can also be reported to security@democracy.works.