How Xerish protects what matters.
The platform that carries generosity has to be worthy of it. Here's the engineering posture: where data lives, where money lives, what we measure, and how to report a vulnerability.
Defense in depth.
Xerish runs on Supabase (PostgreSQL with Row Level Security) and serverless edge functions. Every table in the public schema has RLS enabled, and policies are written against the acting user's JWT — never trusting client-supplied identifiers.
Database functions that touch financial state, admin actions, or webhook routes use Postgres' SECURITY DEFINER with a pinned search_path, and execution is revoked from the public role + anonymous role — they are reachable only by authenticated users (who hit internal role checks) or the trusted service-role token.
Long-running edge functions emit structured JSON logs to Supabase's log stream. Error capture across mobile + admin + website goes to Sentry.
Stripe moves the money; the charity of record holds it.
Wallet balances are tracked in Xerish's database, but the charitable funds they represent are held by Xerish Storehouse, the Donor-Advised Fund Sponsor of record (501(c)(3) recognition pending), with money movement running on Stripe's Connect ecosystem. The application operator, Xerish SPC, does not custody charitable balances. Wallet top-ups create Stripe charges to Storehouse; grants reach a recipient organization's Stripe Connect account only after Storehouse's board-approved grant-making framework clears them.
Every financial RPC (wallet top-up, gift, refund, withdrawal) uses an idempotency key supplied by the client, validated server-side. Double-tap races, retried network calls, and webhook redelivery cannot create double charges or double gifts.
Stripe webhook handlers verify HMAC signatures via Deno's SubtleCrypto implementation. Recipient organizations are required to have verified non-profit status before they can receive payouts.
Privacy by default.
Auth is email + password through Supabase Auth, with HaveIBeenPwned password-breach checking enabled. Mobile sessions are stored in expo-secure-store (iOS Keychain / Android Keystore), never in AsyncStorage. The Wallet and Treasury screens carry an opt-in Face ID / Touch ID gate.
Account deletion in-app is immediate: a server RPC anonymises the user's public profile (display name, photo, bio, location), cancels every active recurring gift, and signs them out in the same gesture. The auth row is hard-deleted by a daily worker. There is no waiting list.
The user-blocks list is reachable from Settings → Privacy & Safety. Blocking is bidirectional — blocked accounts cannot see the blocker's content either.
If you found something, tell us.
Xerish welcomes good-faith security research. We don't run a paid bounty program (yet), but every reported issue receives an acknowledgment within 72 hours and a credit in the security thank-you list at launch.
Email security@xerish.com with a description, reproduction steps, and the impact you observed. PGP key on request.
Please avoid: automated scanning against production, sending phishing to real users, testing against the test giver and church accounts (those are reserved for app-store reviewers), or exploiting a finding beyond what's needed to demonstrate it. We'll handle the cleanup; you handle the find.
This is a plain-language summary of how charitable giving is structured on Xerish. It is a general description, not legal or tax advice — consult your own advisor for your situation.
Two entities. One is the charity of record.
Xerish SPC (a Washington Social Purpose Corporation, EIN 42-1881594) builds and operates the app and the payment rails. Xerish Storehouse (a Washington nonprofit organized as a 501(c)(3) Donor-Advised Fund Sponsor, EIN pending) is the charity of record that receives charitable contributions and makes grants.
When you top up your wallet, you make an irrevocable charitable contribution to Xerish Storehouse. Storehouse holds the contributed funds and, under IRS donor-advised-fund rules, retains exclusive legal control over them; the gifts you make inside the app are advisory grant recommendations, not transfers you can reverse.
Funds reach a recipient organization only after that organization clears the Storehouse Pre-Approved Recipient List and the Board-approved grant-making framework — F.I.G.S. vetting plus 501(c)(3) verification. Xerish Storehouse, not the giver, is the donee of record and issues the tax acknowledgment.
While the Sponsor's IRS determination is pending, contributions are received under an interim fiscal sponsorship partner arrangement. The interim sponsor is not named in public materials.
Fees, in plain terms: a 2.5% flat service fee is paid to Xerish SPC at wallet top-up — additive to payment-processor fees, never combined. Wallet-to-organization giving carries a 0% fee. Neither fee is a charitable contribution. Full terms live in the Donor Advisory Agreement and the Terms of Service.
The platform that carries generosity must be worthy of it.
Security is not a feature shipped once. It is the practice of a faithful steward.
“A faithful man will abound with blessings, but whoever hastens to be rich will not go unpunished.”
Proverbs 28:20