GiveGab Security and Reliability
Your privacy matters to everyone here at GiveGab. We go above and beyond to ensure your data remains secure and you have confidence in using our reliable platforms.
Security and Reliability at the Core
GiveGab is a PCI-DSS Level I and SOC 1 Type 2 certified organization. We undergo an annual audit by an external QSA, which is typically performed and completed in Q2. Security requirements to be certified for both of these standards are rigid. As part of this, we are constantly performing external infrastructure scans as well as internal code scanning. Additionally, we are required to undergo and pass external penetration tests to ensure our systems and data are not vulnerable to security breaches.
Standards We Follow:
- PCI-DSS Level 1 (certified)
- SOC 1 Type 2 (certified)
Product Security & Reliability
We enable permission levels within the app to be set for your teammates. Permissions can be set to allow levels of access to your organization's profile including to organization settings and donor data.
Password and Credential Storage
GiveGab enforces a password complexity standard and session timeouts that force re-authentication. Credentials are stored using secure one-way hashing.
In-App WAF (RASP)
GiveGab makes extensive use of Sqreen as its in-app WAF and RASP, providing real-time detection and blocking of malicious activity from the network level down to the application level.
We aim for 99.9% uptime. In 2019, we achieved 99.9% uptime. You can check our stats for the past month at http://status.givegab.com.
Industry Standard Libraries
We use popular, open-source, well-maintained industry standard libraries such as CanCan and Devise to implement our authorization and authentication rules. These libraries are monitored automatically by our Code Repository tool, GitHub, for vulnerabilities and security patches.
Infrastructure Security & Reliability
Modern Cloud Technologies
All platform servers, databases, and network infrastructure are hosted in the Cloud and receive the benefit of industry-leading security practices and standards.
Our Giving Day, Philanthropy Hub, Community Giving, Crowdfunding, and Boost P2P platforms run on Heroku as their PaaS, which is backed by AWS as the IaaS. The backup PaaS/IaaS is IBM Cloud. The backup DBaaS is Google Cloud.
Our Enterprise platform runs in Rackspace data centers within its own virtual private network.
Failover & Disaster Recovery
GiveGab was built with disaster recovery in mind. All systems and databases are fault-tolerant and highly available, with redundancy across multiple zones and regions.
Our Giving Day, Philanthropy Hub, Community Giving, Crowdfunding, and Boost P2P platforms are elastically scalable through automation. As traffic volume increases, we add more servers. If any one server has issues, we can seamlessly pull it out of rotation without service impact.
Permissions & Authentication
Access to Cloud services and system platforms is limited to authorized employees who require it for their job.
GiveGab is served 100% over https. GiveGab runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on GiveGab’s network.
Additionally, all system administrators are required to authenticate using multi-factor authentication (MFA) to ensure that access to cloud services is protected.
Data Security & Reliability
All data is encrypted at rest using AES-256 encryption.
In addition to the real-time replication to read-only follower databases in different regions and zones, we take cold backups hourly and archive them, encrypted, in both AWS S3 and Google Cloud.
We do not store any cardholder data. We only store and interact with payment processors through the use of secure card and bank account tokens.
Network & Transport Security
All traffic is served over HTTPS/TLS 1.2, load-balanced, and securely cached by our CDN, Fastly.
Our CDN delivers content from edge servers around the world to reduce latency between the user making the request and the location the content is served from.
Fastly as well as Sqreen provide WAF protection from vulnerability scans and attempted attacks around the world.
Pentests & Vulnerability Scans
GiveGab uses third party security tools to continuously scan for vulnerabilities. Our engineering team responds to issues raised.
Annually we engage third-party security experts to perform detailed penetration tests on the GiveGab application and infrastructure.
GiveGab monitors its systems 24 x 7 x 365 using various tools.
At the application level, we produce audit logs for all activity and ship them to Papertrail for further analysis. Logs are archived in S3 in perpetuity.
Security Policies & Processes
All employees complete Security and Awareness training during onboarding and annually thereafter.
GiveGab has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
GiveGab performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.
All employee contracts include a confidentiality and business protection agreement.
GiveGab implements a protocol for handling security events that includes escalation procedures, rapid mitigation, and a post-mortem. All employees are informed of our policies.
Data Retention and Usage
GiveGab allows users to enter data into our systems as an administrator at an organization or as a donor or volunteer. We retain this data in perpetuity.
GiveGab provides the ability for users to export data about their profile. Users can export this data by logging into the platform and downloading their history in a commonly used, machine-readable format.
If a user no longer has access to the platform, they can contact firstname.lastname@example.org to receive a report of extracted data if they are authorized for access to that data.
While we are contractually obligated to keep information about interactions and transactions with our customers, we provide our users the ability to be "forgotten" in our platform and we will work with them to anonymize their PII.
GiveGab only collects PII to support its genuine business needs and those of its customers. We do not sell any PII to other vendors. We do not use PII for unrelated purposes outside of online fundraising, volunteer management, and donor management.
Processes We Implement
- Fraud Review and Detection
- Card Run Detection and Prevention
- Disaster Recovery
- Business Continuity
- Internal Security Audits
- PII and Donor Data Handling Processes
GiveGab's engineering teams follow a formalized workflow that includes peer code reviews, QA reviews, and performance reviews for all code being produced.
Testing
GiveGab runs Continuous Integration Testing for every single code commit, which runs automated spec and integration tests, automated coding standards grading, and integrated security scans.
Additionally, we load test our systems at least quarterly and are moving towards running Continuous Load Testing.
We perform Accessibility Testing and Reviews as well as Automated Top-Down Regression Testing before each deploy.