Security, Privacy and PCI Compliance


We take security seriously

Thousands of Charities rely on us every day. They trust our software with the capture, validation and processing of the new supporters they meet, whilst fundraising in thousands of cities across the world.

"Nothing is more important to Evergiving than ensuring the security of our customers' information and the protection of new supporters' personal data"
- James Goodridge, CEO and Data Protection Officer, Evergiving

Evergiving is PCI DSS Level 1 compliant

Evergiving is PCI DSS Level 1 certified across the entire business. Level 1 is the most demanding validation level of the standard and is very different from the self-assessment route to PCI compliance that a smaller merchant such as a retail store can take. It is not inherited: it is not claimed because a hosting or payment provider holds it, nor because an encryption method is 'also used by a bank'.

Level 1 is a whole-of-business approach to security, designed, built and owned by us. It is assessed annually by an independent Qualified Security Assessor, on-site and with unrestricted access, who produces a Report on Compliance. Every part of our business and platform is in scope for every one of the hundreds of organisational and technical controls, policies and procedures required by the DSS, and the pass threshold is 100%: every applicable requirement must be in place.

Level 1 requires annual penetration testing and quarterly external vulnerability scans, which are carried out for us by externally accredited organisations (for the external scans, a PCI Approved Scanning Vendor). Level 1 is the level the card brands require of large service providers such as payment gateways and processors, of financial institutions, and of merchants handling more than 6 million card transactions a year. Compliance is what permits Evergiving to store cardholder data at all: the DSS allows the card number to be held only in unreadable form (encrypted, truncated or tokenised) and never allows sensitive authentication data such as the card verification code to be stored after authorisation. The same controls are what keep Personal Data secure.

Privacy and personal data

Evergiving continuously monitors changes in regulation in every country we operate in. We always employ appropriate technical and organizational measures to ensure we and our customers comply fully with local data protection legislation.

Evergiving complies fully with GDPR. Learn more about the rules for the protection of personal data inside and outside the EU here.

How we handle personal data

Evergiving fully supports and complies with the rights of any person (known as a Data Subject) whose personal Data is stored and/or processed by Evergiving.

Data Subjects

Personal data is only used and processed to the extent necessary to achieve the purpose for which it was intended. This is decided by the Fundraising Agencies and Charities we work with as the Data controllers, and is monitored by us.

Supporter Personal Data

Evergiving stores and processes Supporter data acquired through Face to Face fundraising in order to take steps, at the request of the Data Subject, to set up and service donations, whether an instant payment, a regular gift by direct debit or credit card, or a gift by SMS. The data processed is limited to what is required to set up the donation and to let the Supporter record their communication preferences.

Our software stores and processes Supporters' consent to the processing of their personal data for fundraising and marketing purposes.

Fundraiser Personal Data

Evergiving stores and processes Face to Face fundraiser data as provided by the Fundraising Agencies and Charities we work with as the Data Controllers. We allow the Data Controller to legitimately generate a report of hours worked and pay due to Face to Face fundraisers. We also produce reports on performance of Face to Face fundraisers and teams (from anonymised supporter data).

Special Categories of Data

Evergiving will not store or process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor allow the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health nor data concerning a natural person’s sex life or sexual orientation.

Data subject rights and requests

Evergiving fully supports and complies with the rights of each Data Subject whose personal Data is stored and/or processed by Evergiving, this includes:

  • Right to Subject Access
  • Right to Rectification
  • Right to Erasure
  • Restriction of Processing
  • Right to Portability
  • Right to object to Profiling/Auto decision making

Requests to the Data Protection Officer (DPO) or at dataprotection@evergiving.com will be responded to within 1 business day. They will be referred to the relevant Data Controller and processed according to their instructions.

"We will keep the Personal Data and PII of supporters and fundraisers private, safe and secure, and comply fully with GDPR."

Collection, Processing and Destruction

Consent

Supporters must consent to marketing communications. Consent must be separate and distinguishable for each purpose for which it is given. To be valid, consent must be clear and unambiguous, requested in easily accessible plain language suited to the person being asked.

Evergiving provides two ways to display consent:

  • In line – consent is placed directly below each contact method
  • As a block – consent is captured as a block below a block of contact methods

Evergiving provides two options for rendering consent:

  • Yes|No radio buttons, neither pre-selected, with mandatory input
  • Yes checkbox, not pre-checked, with optional input

Transactional Communication

Consent is not required for transactional communications.

Emails and SMS can be sent, and a phone call can be made by Data Controllers using the Evergiving platform. To be considered ‘Transactional’ they must be:

  • to one recipient;
  • functional in nature; and
  • triggered by a transaction.

Evergiving monitors compliance of transactional communications.

Data Retention And Destruction

Personal Data should not be retained once there is no longer a business case for doing so. Evergiving provides an anonymisation feature that overwrites all Personal Data with randomised strings. Because the replacement values are random rather than derived from the originals (as a hash or keyed pseudonym would be), nothing in what remains can be used to recover or re-link the person. This is in line with ISO/IEC 27001 and allows the preservation of performance statistics that do not involve Personal Data.

Supporters' Personal Data is permanently anonymised according to the retention schedule set by each Data Controller, which can be configured per Campaign.
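The retention-driven anonymisation described above, as an added illustration written for this page rather than Evergiving's own code. The record shape, the field names, the sample supporters and the per-campaign schedule are all constructed for the example; the page does not describe the real schema. The point it makes is the one that matters operationally: identifying fields are overwritten with unkeyed random values that are recorded nowhere, while the statistical fields are left exactly as they were, so a total computed before and after the run is identical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// Supporter is a constructed record shape for this example; the page does not
// describe Evergiving's real schema. Name, Email, Phone and Address are
// Personal Data; Campaign, Amount and SignedUp are the performance statistics
// that must survive anonymisation untouched.
type Supporter struct {
	ID         string
	Campaign   string
	Name       string
	Email      string
	Phone      string
	Address    string
	Amount     int       // monthly pledge in minor currency units
	SignedUp   time.Time // date the supporter was captured
	Anonymised bool
}

// randomToken returns a fresh, unkeyed random value. It is neither derived
// from the original value nor recorded anywhere, so the original cannot be
// recovered or linked across records afterwards.
func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand unavailable: " + err.Error())
	}
	return hex.EncodeToString(b)
}

// anonymise overwrites every Personal Data field in place and flags the
// record so that repeated runs are idempotent.
func anonymise(s *Supporter) {
	s.Name = randomToken()
	s.Email = randomToken() + "@invalid" // reserved TLD, can never deliver
	s.Phone = randomToken()
	s.Address = randomToken()
	s.Anonymised = true
}

// ApplyRetention anonymises every record whose Campaign's retention period
// has elapsed at now and returns how many it changed. Campaigns with no
// configured schedule are skipped here; a deployment must decide whether a
// missing schedule should instead fall back to a default period.
func ApplyRetention(records []Supporter, retention map[string]time.Duration, now time.Time) int {
	changed := 0
	for i := range records {
		r := &records[i]
		if r.Anonymised {
			continue
		}
		period, ok := retention[r.Campaign]
		if !ok {
			continue
		}
		if now.Sub(r.SignedUp) >= period {
			anonymise(r)
			changed++
		}
	}
	return changed
}

// TotalPledged is one of the statistics that anonymisation must not alter.
func TotalPledged(records []Supporter, campaign string) int {
	total := 0
	for _, r := range records {
		if r.Campaign == campaign {
			total += r.Amount
		}
	}
	return total
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	// Constructed sample data, not real supporters.
	records := []Supporter{
		{ID: "s1", Campaign: "spring", Name: "Ada Example", Email: "ada@example.org", Phone: "+44 20 0000 0000", Address: "1 Example St", Amount: 1500, SignedUp: now.AddDate(0, -8, 0)},
		{ID: "s2", Campaign: "spring", Name: "Bob Example", Email: "bob@example.org", Phone: "+44 20 0000 0001", Address: "2 Example St", Amount: 500, SignedUp: now.AddDate(0, -1, 0)},
	}
	retention := map[string]time.Duration{"spring": 180 * 24 * time.Hour}
	n := ApplyRetention(records, retention, now)
	fmt.Printf("anonymised %d record(s); spring total still %d\n", n, TotalPledged(records, "spring"))
}
```

Two things a reviewer would check in a real implementation that this example keeps visible: the overwrite is random per field and per record (no shared salt, no lookup table), and the job is safe to re-run because already-anonymised rows are skipped rather than re-randomised.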

Security and Organisational Methods


The following is audited annually, on-site, by an external auditor:

Encryption

Evergiving takes a Hardware Security Module (HSM) based approach to encryption and key management. All Personal Data at rest is encrypted with symmetric keys known only to the HSMs, which are fully redundant, tamper-resistant cryptographic modules.

Data in transit is further protected by TLS 1.2 as a minimum (as of May 2018).

GPG/PGP encryption, including key management, is available for securing the transfer of flat-file exports to the Data Controller.

Robust key management policies and procedures underpin our encryption.
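The usual way to realise "keys known only to the HSMs" without sending every record through the module is envelope encryption: the HSM holds a key-encryption key (KEK) that never leaves it and only wraps and unwraps per-record data-encryption keys (DEKs). The following is an added example written for this page, not Evergiving's code, and the page does not say that this is how their platform is built. The HSM is a software stand-in with a KEK held in memory; a deployment would call real modules over PKCS#11 or a vendor API. AES-256-GCM is assumed for both layers, the record identifier is bound into the ciphertext as associated data, and the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// HSM stands in for a hardware security module: it holds the KEK and exposes
// only Wrap and Unwrap. Software stand-in for the example; in a deployment
// the KEK never exists in host memory at all.
type HSM struct{ kek []byte }

func NewHSM() (*HSM, error) {
	kek := make([]byte, 32) // AES-256
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &HSM{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag with a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize()+g.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Wrap encrypts a DEK under the KEK; the result is safe to store beside the
// data it protects. Unwrap is the only way to get a usable DEK back, which is
// why the modules must be redundant and a KEK rotation must re-wrap.
func (h *HSM) Wrap(dek []byte) ([]byte, error)   { return seal(h.kek, dek, []byte("dek-wrap")) }
func (h *HSM) Unwrap(blob []byte) ([]byte, error) { return open(h.kek, blob, []byte("dek-wrap")) }

// Envelope is what gets persisted. The plaintext DEK is never written.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptRecord uses a fresh DEK per record and binds the ciphertext to
// recordID via associated data, so a blob copied into another row will not open.
func EncryptRecord(h *HSM, recordID string, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := h.Wrap(dek)
	for i := range dek { // drop the plaintext DEK as soon as it is wrapped
		dek[i] = 0
	}
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func DecryptRecord(h *HSM, recordID string, e Envelope) ([]byte, error) {
	dek, err := h.Unwrap(e.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap: %w", err)
	}
	return open(dek, e.Ciphertext, []byte(recordID))
}

func main() {
	h, _ := NewHSM()
	env, _ := EncryptRecord(h, "supporter-42", []byte("name=Ada Example;email=ada@example.org")) // constructed
	pt, err := DecryptRecord(h, "supporter-42", env)
	fmt.Println(string(pt), err)
}
```

The properties worth testing on any such design are the ones below: a round trip works, a ciphertext moved to a different record identifier fails, a single flipped byte fails, and a second module with a different KEK cannot unwrap anything.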

Access Control

Customer/Data Controller Access Control

Evergiving has a proprietary software library that implements access control, permitting or restricting access to data and to individual attributes based on the role of the authenticated user. For example, a fundraiser must authenticate and is then only able to input data; they cannot read it back.
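An added example of the two properties that sentence describes, a write-only role and attribute-level filtering, written for this page and not taken from Evergiving's library, whose roles and internals the page does not describe. The roles, actions, attribute lists and the sample record are assumptions. Two design choices are deliberate: the tenancy check (which Data Controller a record belongs to) runs before any role check, so a misconfigured role can never reach another controller's data, and permissions are an allow-list, so an unknown role is denied everything.

```go
package main

import "fmt"

type Action string

const (
	Create Action = "create"
	Read   Action = "read"
	Update Action = "update"
	Export Action = "export"
)

type Role string

// Assumed roles for the example; the page names only "fundraiser".
const (
	Fundraiser Role = "fundraiser"
	TeamLeader Role = "team_leader"
	Controller Role = "controller" // staff of the Data Controller (charity or agency)
)

// permissions is an allow-list: anything not listed is denied. Fundraiser has
// Create only, so a supporter record is write-once from the street.
var permissions = map[Role]map[Action]bool{
	Fundraiser: {Create: true},
	TeamLeader: {Read: true},
	Controller: {Create: true, Read: true, Update: true, Export: true},
}

// visibleAttributes is the attribute-level filter applied after a Read is
// authorised. Team leaders see performance fields, never contact details.
var visibleAttributes = map[Role][]string{
	TeamLeader: {"id", "campaign", "amount", "fundraiser"},
	Controller: {"id", "campaign", "amount", "fundraiser", "name", "email", "phone"},
}

type User struct {
	ID         string
	Role       Role
	Controller string // the Data Controller (tenant) the user belongs to
}

// Record is a constructed supporter record; attributes are kept as a map so
// the filter can be expressed as a list of names.
type Record struct {
	Controller string
	Attributes map[string]string
}

type Decision struct {
	Allowed bool
	Reason  string
}

// Authorize checks tenancy before role: no role may cross a Data Controller
// boundary, and an empty tenant on the user is treated as no tenant at all.
func Authorize(u User, a Action, r Record) Decision {
	if u.Controller == "" || u.Controller != r.Controller {
		return Decision{false, "record belongs to a different Data Controller"}
	}
	if !permissions[u.Role][a] {
		return Decision{false, fmt.Sprintf("role %q may not %s", u.Role, a)}
	}
	return Decision{true, "ok"}
}

// View returns only the attributes u may see, or an error if Read is not
// allowed. The fundraiser who captured the record gets nothing back.
func View(u User, r Record) (map[string]string, error) {
	if d := Authorize(u, Read, r); !d.Allowed {
		return nil, fmt.Errorf("denied: %s", d.Reason)
	}
	out := map[string]string{}
	for _, k := range visibleAttributes[u.Role] {
		if v, ok := r.Attributes[k]; ok {
			out[k] = v
		}
	}
	return out, nil
}

func main() {
	rec := Record{Controller: "charity-a", Attributes: map[string]string{"id": "s1", "campaign": "spring", "amount": "15", "email": "ada@example.org"}} // constructed
	fundraiser := User{ID: "f1", Role: Fundraiser, Controller: "charity-a"}
	fmt.Println(Authorize(fundraiser, Create, rec))
	_, err := View(fundraiser, rec)
	fmt.Println(err)
}
```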

Internal Access Control

Access to production systems is strictly controlled. Approval is granted via multiple documented procedures, and access is only possible via VPN and SSH with multi-factor authentication.

Where personal information is stored in an account, approval is granted via a documented procedure.

Where access is no longer required, or an employee leaves, an off-boarding procedure revokes account access.

Documented approvals are stored in tamper-proof change control systems, and account access is recorded in HR systems.

Physical Security

Evergiving’s servers are housed in nondescript facilities, with extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors.

Evergiving has no office locations anywhere in the world, so physical security is confined to that of our infrastructure environment. Evergiving does not store any paper of any kind, anywhere.

Network security

Evergiving employs network segregation to logically isolate critical data and internal applications from public-facing services. All system components are hardened according to our Infrastructure Configuration Standards that are aligned with PCI requirements, and based upon CIS/NIST standards.

Firewalls restrict access to systems from external networks and between systems internally. By default all access is denied; only the ports and protocols for which there is a business need are explicitly allowed. Each system is assigned to a firewall security group based on its function, and that group permits only the ports and protocols the function requires.

Host-based firewalls restrict applications from establishing localhost connections over the loopback network interface. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed. Firewall rules are reviewed regularly.

Disaster Recovery

Evergiving employs distributed networks with replicated systems across multiple high-availability zones. The infrastructure automatically restores databases in the event of an outage. The platform is designed to deploy dynamically, monitor for failures, and recover failed platform components. This is tested continuously.

Application Security

Evergiving's developers each have a minimum of 15 years' experience in software development. They are trained continuously and keep the principles of information security at the forefront of everything they do. They adhere to industry-standard secure coding guidelines, including OWASP and CERT. File-integrity monitoring, rootkit detection, anti-virus and intrusion detection are implemented throughout Evergiving's test and production environments.

We employ strict change control, with diligent peer review mechanisms and monitoring tools.

Supplier Management

Evergiving has formal documented procedures for assessing third party service providers. Sub processors of Personal Data must additionally execute Data Protection Agreements with Evergiving.

Incident Management

Incident response is exercised annually, and any security incident is recorded. There is a transparent escalation and notification procedure in the event of any security breach.

Training and awareness

Our team is security conscious. It's in our blood and we discuss it weekly if not daily. We champion it, understand it, challenge it and never step outside of it. We always take the long way round, and only then look for ways to make something easier within the same bounds. Sometimes the long way is the only way. Of course we meet the minimum training and awareness standards mandated by our compliance requirements, but those are a drop in the ocean next to a cultural approach to information security, from the CEO to our support team. Talk to us: we love making security accessible, understandable and achievable.

Data Processing Agreements (DPA)

If you have not and need to execute a DPA with Evergiving, please email dpa@evergiving.com and we will send you an agreement by return.

FAQ

Do you share Personal Data?

Evergiving will never share Supporters' Personal Data or Customer Data with any third party, other than the sub-processors that are bound by Data Protection Agreements with Evergiving (see Supplier Management).

Where is Personal Data held?

Evergiving servers are in Ireland. All Customer and Supporter Personal Data is stored and processed in the EU region.

Are you a member of the ICO?

As an Australian company, we are not able to register with the ICO. We abide fully by the ICO's mission and guidance.

Who is your Data Protection Officer?

The Chief Executive Officer - James Goodridge. He consents to be contacted at any time on:

James Goodridge
james@evergiving.com
Europe: +44 740 885 4777

I am a Supporter or Fundraiser and I have a Data Subject request, how does this get handled?

Evergiving is a Data Processor. This means that in the first instance, any request made to dataprotection@evergiving.com will be referred to the Data Controller and processed according to their instructions.

What about Data Protection outside the EU?

Evergiving employs appropriate technical and organizational measures to ensure customers are able to comply fully with local data protection legislation, including:

  • the Australian Privacy Act 1988;
  • the New Zealand Privacy Act 2020;
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA); and
  • South Korea's Personal Information Protection Act (PIPA, 개인정보보호법).