Our History and Team
At Benevity, compliance, risk management and security are a state of mind, and not just a checklist. As a global company in the business of Goodness, our products and services are regulated beyond the North American landscape. We have been working hard from our earliest days to make significant investments in our security and compliance practices, providing you with the assurance that your data is safeguarded and that you are partnering with the leader in our industry.
Since we’ve been at this for many years now, and our clients include some of the world’s most iconic companies with large and sophisticated privacy and security protocols of their own, we have undergone a tremendous amount of due diligence which has produced a maturity and openness that we hope you’ll find refreshing.
Dedicated Team of Security Professionals
People who are passionate about security, compliance, privacy, stopping financial crime and other disciplines are an interesting bunch. If you’d like to meet some of them, stop by our office! Benevity has a dedicated Governance and Controls team which oversees our adherence to an ever-changing and expanding compliance landscape. We also have a dedicated Security Operations team that spends day and night dreaming about zero-days, back doors and distributed denial of service attacks. In addition to extensive industry experience, our people are active members in, hold certifications from, and, in some cases, have held leadership positions in organizations such as:
(ISC)2 which issues the Certified Information Systems Security Professional (CISSP) designation
American Institute of Certified Public Accountants and Canadian Institute of Chartered Accountants
Institute of Internal Auditors
Information Systems Audit & Control Association (ISACA) which issues the Certified Information Systems Auditor (CISA) designation
International Association of Privacy Professionals (IAPP) which issues the Certified Information Privacy Professional (CIPP) designation
Industry-leading Certifications and Standards
As a global company, we strive to meet the highest of standards in the regions in which we operate. We realize that each certification we attain is not a destination, but an opportunity to continue to learn from, and partner with, the best security companies in the business, as well as from our clients and business partners seeking to elevate our security story. If you would like copies of these certifications, please reach out to your Benevity contact and they will be happy to provide them to you.
SSAE 18 SOC 1
For several years Benevity has issued an annual SSAE 18 SOC 1 Type 2 report. We issue the SOC report to meet the needs of our clients, and the CPAs that audit them, in evaluating our controls and to assist clients in designing their own controls around our services. Ask other vendors if they issue their own SOC reports (they likely don’t!). Most instead rely on those of their hosting providers.
Shared Assessments SIG
Through our membership in the Shared Assessments Program, we pass on the benefits of assessment tools like the Standard Information Gathering (SIG) tool. In addition, our participation in the program means working alongside industry peers to influence and create them.
EU-US Privacy Shield
We are committed to safeguarding the personal information of users on our platform. As a truly global company, we continue to comply with privacy regulations in the international regions in which our clients are located. As such, we are EU-US and Swiss-US Privacy Shield certified.
Benevity and all the service providers on our platform are Payment Card Industry Data Security Standard (PCI DSS) certified.
Benevity has developed its operational security practices based on guidance from leading industry standards and frameworks, such as COBIT issued by the IT Governance Institute, the ISO 27001 specification for an Information Security Management System (ISMS), the SANS Critical Security Controls and the Cloud Security Alliance’s Cloud Controls Matrix among others.
While each of these standards and frameworks is valuable, they are merely a starting point in the security journey. Our Security Operations team uses principles like “defense in depth” and “privacy by design” to make Benevity’s environment (including all physical locations, IT infrastructure, applications, databases and third-party providers) as secure as possible.
Physical security encompasses all the locations where we operate. That includes business offices, data centers and even our laptops when we’re on the go. As part of Benevity’s security program, the following is true for each of our physical locations:
CCTV cameras are in place and footage is stored per our security policies
Electronic locks with key cards/fobs, which are assigned according to a strict access management procedure for granting, revoking and changing access
Various security zones with restricted access based on job role
All access attempts (successful and failed) are logged, with logs stored per our security policies
All visitors are registered and escorted, with registry stored per our security policies
A clean desk/clean whiteboard policy
As you would expect, the physical security at the data center, where your data is stored and processed, goes above and beyond the standards listed above. Benevity currently uses Amazon Web Services (AWS), a leader in the cloud hosting space, and as such, controls including the following are in place:
Data center access is restricted to AWS employees and contractors
Data centers are controlled by professional security personnel
Redundant power and network services
Fire detection and suppression
Climate and temperature are strictly controlled
Media are handled per NIST 800-88 guidelines for sanitization
Network Infrastructure and Security
We subscribe to the AWS shared responsibility model where AWS operates, manages and controls the components from the virtualization layer down to the physical security of the facilities in which the services operate. Our responsibilities are up the stack from the guest operating system and include the network configuration, databases and applications. This framework and model are made clear to all Benevity teams involved, including our:
Site Reliability Engineering team
Security Operations team
Governance & Controls team
Product Development team
To fulfill this responsibility, Benevity follows industry best practices and subscribes to the AWS Well-Architected Framework for the design of all our systems.
Security Operations Team
Benevity has a dedicated Security Operations team with many years of combined experience in securing enterprise IT environments, as well as security incident response. In addition, we periodically engage Managed Security Service Providers from reputable, globally recognized companies.
This team has developed a security practice and posture that includes the following:
File integrity monitoring
Intrusion prevention system
Security information and event management
Continuous web application security scanning and business logic assessments conducted by an independent third party
Vulnerability management and patching policy
Network penetration testing conducted by an independent third party
Change Management to Ensure Authorized Changes Only
Change management is the process for ensuring only authorized changes are made to Benevity’s systems. A formal Change Advisory Board is in place and enforces Benevity’s controls over changes to production systems including:
Maintenance and controlled access to a production environment as well as several non-production environments (development, test, staging, etc.)
Ensuring every change to Benevity’s system is appropriately authorized
Testing of changes by dedicated in-house Quality Assurance personnel prior to production
Execution of thousands of automated tests prior to production
Segregation of Duties (SoD) through the progression of changes across different environments
Maintaining a system of segregation of incompatible duties
Logical security involves controlling access to IT systems and making sure people have a valid reason to access, read or modify business information. Benevity maintains a system of role-based access controls, as well as the necessary processes to support:
Access on a need-to-know and least privilege basis
Documented access requests and approvals
Periodic reviews of access to ensure those who have it still need it
Authentication controls including strong passwords and multi-factor authentication
Security Awareness is Embedded in our Culture
At Benevity, we recognize that security risks go beyond IT systems and include a human element. As such, we direct significant resources towards maintaining a high level of security awareness among our people. This helps them to understand the security requirements of our clients and the regulations we are subject to, as well as emerging security threats. All of our people undergo formal security awareness training and regular phishing simulation testing. In addition, many informal training opportunities are available to our people and take the form of seminars, hands-on activities and question-and-answer sessions with security personnel.
Compliance & Third-Party Partnerships
Our Commitment to Compliance
Benevity’s code of conduct and business ethics holds us to the highest standards of compliance with the laws and regulations in all the regions in which we operate. Our Governance and Controls team works with all our functional areas from Marketing to Finance to ensure we are aware of current and emerging obligations and doing what is required to maintain our commitment to compliance.
What Compliance Means in our Space
Benevity is in the business of Goodness and has products and services that fall under the employee engagement, charitable giving, volunteering and cause marketing umbrellas. Benevity is also a global company and, as such, our products and service offerings are under the oversight of regulators beyond the North American landscape.
Third-Party Partnerships Make us Stronger
Cloud, APIs, virtualization, containers, microservices—oh my! In the modern era, it is very unusual to find a business that doesn’t rely on third parties to be able to deliver its products and services to clients, and Benevity is no exception. We partner with third parties who are the best at what they do and pass that excellence on to our clients. Rest assured, all our third parties undergo rigorous scrutiny before they are accepted into the Benevity ecosystem, as well as continuous monitoring to ensure their governance, risk management and controls remain up to Benevity’s standards. We only do business with companies that issue independent assurance of their compliance with industry standards such as SSAE18, ISO 27001, PCI DSS and the like. In delivering our services, we use the following providers:
Amazon Web Services (AWS) – cloud hosting
BlueSnap – payment processing
CyberSource – payment processing
Foundation Partners (AOGF, AUOGF, COGF, IOGF, NASSCOM, UKOGF) – donation processing
PayPal – payment processing
Trust & Safety in the Charitable Landscape
Benevity has the privilege to be a platform player in the Goodness business. Through our activities in this space, we encounter charities and nonprofits, individual and corporate donors, financial and IT service providers, as well as regulators. We also encounter bad actors. Given these factors, we have put in place several trust and safety measures to deliver complete and accurate transaction processing while keeping the bad people at bay.
Leaders in Global Charity Vetting
Before a cause can take part in our ecosystem, our dedicated vetting team ensures that it is in good standing with the authorities in its region. In addition, our vetting process involves initial and pre-disbursement searches of the organization against a third-party database that aggregates over 1,200 sources for sanctions lists, enforcement actions and adverse media.
Benevity’s team has implemented several fraud detection and prevention measures. These include manual and automated procedures to maintain the integrity of the transactions in our system and minimize abuses by any party that is not trying to do good in the world.
Disaster Recovery and Business Continuity
We all know that bad things happen to good people, and we spend a fair bit of time thinking about the different kinds of risks that threaten our company and our clients’ good work. A dedicated Business Continuity Planning committee is in place and performs periodic business impact assessments as well as overseeing Benevity’s Disaster Recovery Plan and testing of that plan. Data is replicated across two AWS hosting regions, with each region consisting of multiple “availability zones” (independent data centers) to ensure redundancy and high availability. Our recovery time objective is four hours.
Privacy and GDPR
GDPR Compliance for Good
In May 2018, European regulators implemented the General Data Protection Regulation (GDPR). This far-reaching legislation was designed to protect the privacy rights of individuals in the EU and mandates strict standards for how personal data can be used, collected or transferred, regardless of where their personal information is located and processed. GDPR requires data controllers and data processors to implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the risks presented.
In response to these changes in the privacy landscape, Benevity enhanced its existing privacy program to comply with the new requirements. This program is based on current regulations, industry best practices from professional associations like the International Association of Privacy Professionals, as well as EU legal guidance and advice on data protection compliance. We have worked with some of the largest employers in the EU, including their Privacy Officers, to satisfy GDPR and Works Council requirements for their programs.