Data Security for Nonprofits
Why You’re Safest with CharityEngine
Data security is always at the top of nonprofits' minds. Here's how we work to keep your data under lock and key!
We’ve all seen the headlines: systems hacked on Giving Tuesday. Data breaches. Stolen credit cards. For nonprofits, protecting donor data goes well beyond a legal obligation. Donors have chosen to support your mission and your organization, and they are donating valuable resources—money, time, attention, word of mouth—to further your cause. What you do with those resources defines your relationships.
The core of a good relationship is trust. As a nonprofit organization, you must be a trustworthy steward of all donors provide. Central to this is how safe personal and financial donor data is with your nonprofit.
A data breach can have serious consequences for a nonprofit, such as losing trust, reputation, and funding. Moreover, if nonprofits fail to protect their data adequately, they may face legal and regulatory compliance issues.
CharityEngine has always prioritized donor data security. Our largest multinational clients receive the same security benefits as our growing nonprofit clients. In this article, we will quickly explain why security must be a priority and examine the significant measures CharityEngine takes to ensure our clients enjoy impenetrable security for their supporters.
Why Security Matters for Nonprofits
Cybercrime is on the rise. According to the Department of State, billions of dollars are lost annually, and nonprofits are often targeted. What makes these organizations so vulnerable? In addition to collecting and storing sensitive personal information, nonprofits also collect and process donations and, often, use a shopping cart to sell merchandise or experiences. Demographic and financial data and details such as birthdays and anniversaries are irresistible to criminals.
The repercussions of a data breach or cyber attack can be far-reaching. One of our industry’s stalwart companies experienced the theft of sensitive data, including Social Security and bank account numbers. This theft exposed data from thousands of nonprofits and millions of customers. The company suffered significant financial repercussions (they attempted to pay the hacker; they were fined millions by the SEC; and they paid nearly $50 million to settle claims brought by the attorneys general of 49 states and Washington, D.C.), but they also suffered a severe hit to their reputation. It’s not just one software vendor, either. One could argue it’s a landscape rife with vulnerabilities.
When trust is the foundation of donor relationships, keeping sensitive data private is the most critical task for nonprofits.
It is, therefore, the most critical task for your fundraising software provider. Here are some key ways CharityEngine ensures our clients’ donor and financial data are kept private and safe.
CharityEngine’s Security Certifications
It might look like a laundry list of acronyms, but every certification earned by CharityEngine means our clients are in exceptionally safe hands. They assure clients that we implement safety protocols, including not maintaining data longer than necessary, and are fully committed to data security.
Let’s walk through some of the primary ways we ensure this protection, so that these acronyms mean something to you and show why security is a core strength and differentiator for CharityEngine.
Payment Card Industry (PCI)
The Payment Card Industry has established a set of requirements to ensure the security of payment card data. These requirements apply to nonprofits that accept, process, store, or transmit credit card data. In almost all cases, your payment processor is responsible, so they must comply with the regulations.
There are different levels of PCI compliance. To meet the minimum requirements, the responsible organization must:
- Complete a self-assessment to confirm that it understands and follows the guidelines
- Install a firewall between its wireless network and donors’ cardholder data
- Implement a strong vulnerability management program
Good? Yes. But what’s great—and the highest level of compliance—is certification. CharityEngine is Level 1 PCI-Certified, the highest level of PCI compliance and payment security standards for merchants.
It’s not easy to become certified. It takes about six months, and we adhere to a continuous compliance mindset to maintain our certification.
CharityEngine is audited regularly by a Qualified Security Assessor (QSA) to ensure our software is optimal and our security measures are stringent. They ensure we train our staff and development team well and use industry best practices to develop software; our clients can rest assured that the security of their data is always under a microscope. Your payment card data is safe with CharityEngine.
System and Organization Controls 2 (SOC 2)
SOC 2 compliance and certification are designed to help organizations protect donor data from unauthorized access, both physical and virtual. Specifically, they cover five trust service principles for systems and data.
- Security: Protects system resources from unauthorized access
- Availability: Ensures systems, products, or services are available
- Processing integrity: Ensures data is complete, valid, accurate, timely, and authorized
- Confidentiality: Ensures the confidentiality of the information processed by the organization’s systems
- Privacy: Ensures the privacy of the information processed by the organization’s systems
This framework was developed by the American Institute of Certified Public Accountants (AICPA) and refers entirely to how an organization manages data. A nonprofit using a CRM to store data must ensure the CRM vendor is SOC 2 compliant or certified.
As a SOC 2 Type 2-certified organization, CharityEngine maintains the highest level of certification. A third-party assessor evaluates us periodically to maintain this certification. Your donor data is safe with CharityEngine.
Risk Assessment and Management Program (RAMP)
RAMP, a systematic approach to identifying, assessing, and managing organizational risks, is essential for nonprofits to protect donor information and maintain public trust.
Multiple organizations can set RAMPs. For example, the IRS can set requirements for governance and risk management. Nonprofit umbrella organizations, such as the headquarters of a chapter-based charity, can set rules. States can set RAMP rules.
CharityEngine is TX-RAMP certified. Because we have clients associated with Texas state agencies, we maintain certification under the Texas Risk and Authorization Management Program (TX-RAMP).
Why does this matter to a nonprofit that isn’t based in Texas? It provides more oversight of CharityEngine's operations. It’s another safeguard for data, and it proves that we can maintain compliance and certification under any security regulations imposed on us.
Your cloud data, in Texas and elsewhere, is safe with CharityEngine.
Advanced Fraud Protection
In addition to our secure and sophisticated ecosystem, CharityEngine offers patent-pending Advanced Fraud Protection. No other nonprofit CRM vendor offers anything close to this.
We’ve written about this fraud protection in detail if you’d like to learn more about it or how to access it. But to explain your safety with CharityEngine, our fraud protection can prevent 99% of fraudulent attacks. They never even come close to the payment processor (usually CharityEngine).
Advanced fraud protection will flag and pause transactions before they’re processed. Key fraud identifiers, such as a questionable IP or email address, will be clearly flagged. The system will show you a screen of your pending payments that have been flagged, and you can choose whether or not to process the donation.
With CharityEngine, your nonprofit is safe from fraud.
Nonprofits Benefit from a Secure, Certified Partner
If your head is spinning from all of these rules and requirements, there’s an easy way to know that your donor information is safe: choose a partner with the highest levels of certification.
A partner like CharityEngine can:
- Maintain the highest levels of certification
- Become and remain certified as required by agencies and organizations
- Offer industry-leading fraud protection
- Provide security guidance based on industry best practices
- Ensure compliance with standards and regulations
- Reduce the cost and anxiety of security management
- Protect your reputation, enhancing the trust and confidence of donors, board members, and community partners
Shouldn’t every nonprofit take a close look at CharityEngine? We think so. If you’re interested in kicking the tires of our security vehicles, please request a demo. We’d love to show you what we can do.