Security and Reliability

Permissions

We enable permission levels within the app to be set for your teammates. Permissions can be set to allow levels of access to your organization's profile including to organization settings and donor data.

Password and Credential Storage

GiveGab enforces a password complexity standard and session timeouts which force re-authentication.  Credentials are stored using one-way secure hashing encryption.

In-App WAF (RASP)

GiveGab makes extensive use of Sqreen as its in-app WAF and RASP for real-time protection against bad actors from the network level down to application level detection and blocking.

Uptime

We aim for 99.9% uptime.  In 2021, we had 99.98% uptime. You can check our past month stats at http://status.givegab.com.

Industry Standard Libraries

We use popular, open-source, well-maintained industry standard libraries such as CanCan and Devise to implement our authorization and authentication rules.  These libraries are monitored automatically by our Code Repository tool, GitHub, for vulnerabilities and security patches.

Secure Card and Payment Processing

GiveGab processes all donations directly through secure payment processors which means we do not store credit or debit card data at all, thus significantly reducing the risk of stolen card information.  Our giving day and peer-to-peer platform leverages an industry leading processor by embedding its full checkout experience as an iFrame on our site, which means your card information never touches our servers.  Instead it goes right from your computer to theirs and we never see it or store it in our systems.

Modern Cloud Technologies

All platform servers, databases, and network infrastructure are hosted in the Cloud and receive the benefit of industry leading security practices and standards.

Our Giving Day, Philanthropy Hub, Community Giving, Crowdfunding, and Boost P2P platforms run on Heroku as its PaaS, which is backed by AWS as the IaaS.  Backup PaaS/IaaS are IBM Cloud.  Backup DBaaS is Google Cloud.

Our Enterprise platform runs in Rackspace data centers within its own virtual private network.

Failover & Disaster Recovery

GiveGab was built with disaster recovery in mind. All systems and databases are fault-tolerant and highly-available and employ redundancy across multiple zones and regions.

Our Giving Day, Philanthropy Hub, Community Giving, Crowdfunding, and Boost P2P platforms are elastically scalable through automation.  As traffic volume increases, we add more servers.  If anyone server has issues, we can seamlessly pull it out of rotation without service impact.

Permissions & Authentication

Access to Cloud services and system platforms is limited to authorized employees who require it for their job.

GiveGab is served 100% over https. GiveGab runs a zero-trust corporate network. There are no corporate resources or additional privileges from being on GiveGab’s network.

Additionally, all system administrators are required to authenticate using multi-factor authentication (MFA)  to ensure access to cloud services are protected.

Data Security & Reliability

All data is encrypted at rest using AES 256 encryption.

In addition to the real-time replication that is happening to read-only follower databases in different regions and zones, we take cold backups hourly and archive them in both AWS S3 and Google Cloud encrypted.

We do not store any cardholder data.  We only store and interact with payment processors through the use of secure card and bank account tokens.

Network & Transport Security

All traffic is served over HTTPS/TLS 1.2, load-balanced, and securely cached by our CDN, Fastly.

Our CDN delivers content from edge servers around the world to reduce latency between the user making the request and where the content is served up from.

Fastly as well as Sqreen provide WAF protection from vulnerability scans and attempted attacks around the world.

Pentests & Vulnerability Scans

GiveGab uses third party security tools to continuously scan for vulnerabilities. Our engineering team responds to issues raised.

Annually we engage third-party security experts to perform detailed penetration tests on the GiveGab application and infrastructure.

Monitoring

GiveGab monitors its systems 24 x 7 x 365 using various tools.

On an application level, we produce audit logs for all activity within Papertrail for further analysis.  Logs are archived in S3 in perpetuity.

Training

All employees complete Security and Awareness training annually and while onboarding as a new employee.

Policies

GiveGab has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Employee Vetting

GiveGab performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.

Confidentiality

All employee contracts include a confidentiality and business protection agreement.

Incident Response

GiveGab implements a protocol for handling security events which includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies.

Data Retention and Usage

GiveGab allows users the ability to enter data into our systems as an administrator at an organization or as a donor or volunteer.  We retain this data in perpetuity.

GiveGab provides the ability for users to export data about their profile.  This data is exportable from the system by logging into the platform and downloading history in a commonly-used, machine-readable format.

If a user no longer has access to the platform, they can contact support@givegab.com to receive a report of extracted data if they are authorized for access to that data.

While we are contractually obligated to keep information about interactions and transactions with our customers, we provide our users the ability to be "forgotten" in our platform and we will work with them to anonymize their PII.

GiveGab only collects PII to support its true business needs and to support the true business needs of its customers.  We do not sell any PII data to other vendors. We do not leverage PII data for unrelated needs outside of online fundraising, volunteer and donor management.

Processes We Implement

• Fraud Review and Detection
• Card Run Detection and Prevention
• Disaster Recovery
• Business Continuity
• Internal Security Audits
• PII and Donor Data Handling Processes

Workflow

GiveGab's engineering teams follow a formalized workflow that includes peer code reviews, QA reviews, and performance reviews for all code being produced.

Testing

GiveGab runs Continuous Integration Testing for every single code commit, which runs automated spec and integration testing, automated coding standards grading, as well as integrated security scans.

Additionally, we load test our systems at least quarterly and are moving towards running Continuous Load Testing.

We perform Accessibility Testing and Reviews as well as Automated Top-Down Regression Testing before each deploy.

Insurance

GiveGab carries sufficient levels of corporate and technology insurance to help cover information and data security losses if they were to occur.

Security and Threat Intelligence

GiveGab makes extensive use of threat intelligence platforms to actively listen to activity and the state of cybersecurity through Recorded Future.