DonorPerfect Online Security
Security in the online world of data management is a critical issue that must be addressed when moving vital business processes and data to an internet application. SofterWare and DonorPerfect understand this importance and the great responsibility that comes with it.
SofterWare and DonorPerfect are committed to ensuring that your data is safe, secure, and available when you need it. To this end, we rely not only on our own expertise, but we also partner with industry experts in both the technology and the non-profit industries, commit the proper resources, and engage regular independent reviews to ensure your security and peace of mind.
Note that some of the content contained within this document includes technical specifications, abbreviations, and descriptions intended for individuals more familiar with Internet security issues. We will happily provide more information, explanations, or reference material for any of the information discussed.
When adopting any internet-based application, there are several unique security concerns that must be taken into account for your protection. These include:
- Network Reliability, Hardware Redundancy, and Data Backups
- Prevention of Unauthorized Data Interceptions
- Prevention of Hacking Intrusions/Denial of Service
- Physical Site Protection
- An Independent Attestation of Security
To ensure we address each of these key issues (and more), we have partnered with Amazon Web Services (AWS), one of the largest and most respected server hosting facilities in the world. AWS brings a level of security, scalability, and redundancy, matched by few in their field. AWS is a fully accredited SSAE16, SOC, PCI-DSS level 1, and ISO-9001/27001 certified hosting facility. More information and certification information is available here.
A Note for our Canadian Customers
All Canadian DPO customers are hosted in Canada by AWS Canada. AWS has a Canadian region located in Quebec. Data is physically hosted in Quebec and AWS facilitates access from Toronto and Vancouver.
Network Reliability, Hardware Redundancy, and Data Backups
The events of 9/11 revealed the devastation that can be caused by a single, malicious event. However, most catastrophic events that threaten enterprise applications are actually of natural origin. Floods, fire, and earthquakes can inflict devastating amounts of damage on facilities and equipment. DonorPerfect Online provides network, facility backup and disaster recovery options that ensure maximum availability and high integrity of application data.
Both of our providers supply a fully redundant network architecture with high-speed connections between all locations and the internet itself. Uninterruptible power supplies, multiple power grid suppliers, backup generators, and diverse geographic locations provide the highest degree of power availability possible to their data centers.
Both hosting providers utilize the best, most up-to-date technologies to provide fast, efficient and accurate data transport. Utilizing their own private direct data routing options, multiple internet upstream providers, and peering relationships with numerous internet partners, our providers ensure high performance, plus 24/7/365 network monitoring by a state-of-the-art Network Operations Center (NOC) – all backed by the strength of trusted and stable industry leaders. Our providers offer numerous points of presence and dozens of global data centers, in the US, Canada, and Europe. So, whether you’re a large multi-site fundraising operation or simply need to support multiple users across a LAN, you’ll have the performance and reliability you need to keep your business moving.
Superior Network Support
DonorPerfect and our hosting providers employ 24/7/365 network monitoring, which provides real-time alarming, forecasting, and event notification. Round-the-clock application and server monitoring automatically alerts DonorPerfect support teams and administration via email, text and phone messaging to congestion, performance degradations, or server issues.
Highly Scalable Architecture
Our elastic cloud-based architecture provides nearly instantaneous hardware capacity upgrade capabilities – allowing us to add capacity and increase our hardware resources quickly and efficiently in response to seasonal spikes as well as sudden and unexpected fundraising events.
DonorPerfect Online creates daily full backups of all data. Additional full database backups are stored in geographically dispersed locations as an added means of recovery should it be needed. Clients wishing copies of their own DonorPerfect data can download it from within the application using our export module, which allows you to select and customize the information you’d like to see- including some or all of the data.
In addition, for clients who prefer a more automated approach, we offer DonorPerfect Online “External Backup Assurance” – a service which allows clients to obtain a complete copy of their data, in zipped/csv format – every night – via a secure File Transfer Protocol (Secure FTP) process. External Backup Assurance ensures that clients can always have a local copy of their latest data for an additional layer of comfort and flexibility.
Unauthorized Data Interceptions
All DonorPerfect Online communication is secured with 128-bit Secure Sockets Layer / Transport Layer Security (SSL/TLS) encryption, a PCI and industry-standard level of security and privacy for those wishing to conduct secure transactions over the internet. The SSL/TLS protocol protects HTTP transmissions over the internet by encrypting all data in transit, ensuring that your transactions are not subject to “sniffing” by a third party. Only your users, with the right combination of a DonorPerfect Online ID and Password, can access your data.
SSL /TLS is used in tandem with a digital certificate. This digital certificate gives you the assurance that you are connecting only to a legitimate DonorPerfect Online server, and not that of an impostor. The certificate contains information about who owns and authorized the certificate (company name, domain name, contact address, etc.), encryption levels used, as well as information about the issuing Certificate Authority. DonorPerfect Online uses certificates generated by VeriSign and GoDaddy, two of the world’s largest providers of authorized digital certificates.
Hacking Intrusions/Denial of Service
Unauthorized Intrusion (commonly called “hacking”) generally takes one of two forms. One form can be an attempt to gain unauthorized access to data or the application. Another form can be an attempt to deny service to other users by tying up server resources or disabling the server.
Unauthorized Access – Authentication via username and password provides assurance that a client requesting information is the entity it claims to be. In DonorPerfect Online, you control the IDs and passwords for your organization – and can adjust key parameters such as how often passwords must be changed and how much notification you want your users to receive
DonorPerfect also provides additional layers of password security protection within its environment. To prevent brute-force password hacking, invalid login attempts are tracked and logged within the system and accounts are locked out after a number of failed attempts. Critical user information, such as a user’s password, is encrypted within our databases. Access to your DPO system by DonorPerfect support employees is highly restricted and logged. Password resets are performed through an industry-standard self-service process – so even our support staff has no knowledge of your passwords. Email notifications are sent to account holders any time a password is changed.
Access control settings allow you to limit the functionality available and types of information that someone can access after being identified as an authorized user on the system. This allows you to set up users who can only access certain areas of the application, perform only certain tasks, or see only certain information. For example, the system administrator has rights to all areas, while a volunteer may have read-only access to volunteer information.
Database activity logs record information about the username, time of login and logout, the user’s IP address, and other information about each DonorPerfect session. This data can be used for auditing purposes and to provide admissible evidence in court proceedings.
Intrusion Detection and Denial of Service – Monitoring of the DonorPerfect Online application and the hosting environment is performed 24 hours per day by automated intrusion monitoring software that alerts DonorPerfect staff to possible issues within the environment
Physical Site Protection
All AWS and Peer1 data centers are physically secured server facilities designed to keep your fundraising information safe. Facilities have keycard and biometric entry, video surveillance and are staffed by technical support people 24 hours a day, 7 days a week. Servers are located in a temperature-controlled, locked locations that can only be accessed by technicians for authorized maintenance. All maintenance activity is pre-authorized, scheduled during off-hours maintenance windows, and all technicians are required to pass background screenings prior to access.
An Independent Attestation of Security
SofterWare and DonorPerfect regularly engage highly reputable, external security assessment organizations to perform detailed reviews and penetration testing of our infrastructure, hosting, and software in order to provide the highest level of assurance that our applications are secure.
In December of 2020, PivotPoint Security, an independent security assessment organization with extensive experience in the non-profit industry, was engaged to perform such an assessment and provide a letter of attestation. The test included an extremely detailed review of the DonorPerfect software and server infrastructure environment. (A copy of their attestation is included below – an original authenticated copy is available to you on request).
PivotPoint’s review determined that SofterWare’s systems were secured in a manner consistent with industry best practice, and notably better than those of peer organizations that we have tested.
The team responsible for conducting the security assessments was led by a Certified Information Security Auditor/IRCA ISO 27001 Auditor and included personnel appropriately qualified to render this opinion (e.g., Certified Information System Security Professionals, Microsoft Certified System Engineers, Certified Ethical Hackers, etc.)
Moving critical fundraising applications to the Internet requires a known, trusted partner. For over 30 years, SofterWare has provided more than 15,000 clients with the stability and security that they need.
DonorPerfect Online continues this legacy and is committed to earning and keeping that trust, utilizing our staff’s extensive expertise and our powerful provider relationships to keep your data safe and secure. By allowing us to secure your data, you can focus on your core fundraising needs, and continue to grow your fundraising success.
Attestation of Security
SofterWare engaged an independent organization to conduct a network vulnerability assessment and penetration test.