
The most secure choice you can make

We were impressed by Benevity’s industry-leading security practices. This security review was the best we’ve seen.
— Head of Security at a global Fortune 500 manufacturing company

Our History and Team

At Benevity, compliance, risk management and security are a state of mind, and not just a checklist. As a global company in the business of Goodness, our products and services are regulated beyond the North American landscape. We have been working hard from our earliest days to make significant investments in our security and compliance practices, providing you with the assurance that your data is safeguarded and that you are partnering with the leader in our industry.

Some of the iconic companies that trust Benevity’s leading security practices:

Since we’ve been at this for many years now, and our clients include some of the world’s most iconic companies with large and sophisticated privacy and security protocols of their own, we have undergone a tremendous amount of due diligence which has produced a maturity and openness that we hope you’ll find refreshing.

Dedicated Team of Security Professionals

People who are passionate about security, compliance, privacy, stopping financial crime and other disciplines are an interesting bunch. If you’d like to meet some of them, stop by our office! Benevity has a dedicated Governance and Controls team which oversees our adherence to an ever-changing and expanding compliance landscape. We also have a dedicated Security Operations team that spends day and night dreaming about zero-days, back doors and distributed denial of service attacks. In addition to extensive industry experience, our people are active members in, hold certifications from, and, in some cases, have held leadership positions in organizations such as:

  • (ISC)2 which issues the Certified Information Systems Security Professional (CISSP) designation

  • American Institute of Certified Public Accountants and Canadian Institute of Chartered Accountants

  • Institute of Internal Auditors

  • Information Systems Audit & Control Association (ISACA) which issues the Certified Information Systems Auditor (CISA) designation

  • International Association of Privacy Professionals (IAPP) which issues the Certified Information Privacy Professional (CIPP) designation


Industry-leading Certifications and Standards

As a global company, we strive to meet the highest of standards in the regions in which we operate. We realize that each certification we attain is not a destination, but an opportunity to continue to learn from, and partner with, the best security companies in the business, as well as from our clients and business partners seeking to elevate our security story. If you would like copies of these certifications, please reach out to your Benevity contact and they will be happy to provide them to you.

SSAE 18 SOC 1

For several years Benevity has issued an annual SSAE 18 SOC 1 Type 2 report. We issue the SOC report to meet the needs of our clients, and the CPAs that audit them, in evaluating our controls and to assist clients in designing their own controls around our services. Ask other vendors if they issue their own SOC reports (they likely don’t!). Most instead rely on those of their hosting providers.

Shared Assessments SIG

Through our membership in the Shared Assessments Program, we pass on the benefits of assessment tools like the Standard Information Gathering (SIG) tool. In addition, our participation in the program means working alongside industry peers to influence and create them.

EU-US Privacy Shield

We are committed to safeguarding the personal information of users on our platform. As a truly global company, we continue to comply with the privacy regulations of the international regions in which our clients are located. As such, we are EU-US and Swiss-US Privacy Shield certified.

PCI DSS

Benevity and all the service providers on our platform are Payment Card Industry Data Security Standard (PCI DSS) certified.


Security Practices

Benevity has developed its operational security practices based on guidance from leading industry standards and frameworks, such as COBIT issued by the IT Governance Institute, the ISO 27001 specification for an Information Security Management System (ISMS), the SANS Critical Security Controls and the Cloud Security Alliance’s Cloud Controls Matrix among others.

While each of these standards and frameworks is valuable, they are merely a starting point in the security journey. Our Security Operations team applies principles such as “defense in depth” and “privacy by design” to make Benevity’s environment (including all physical locations, IT infrastructure, applications, databases and third-party providers) as secure as possible.

Physical Security

Physical security encompasses all the locations where we operate. That includes business offices, data centers and even our laptops when we’re on the go. As part of Benevity’s security program, the following is true for each of our physical locations:

  • CCTV cameras are in place and footage is stored per our security policies

  • Electronic locks with key cards/fobs, assigned under a strict access management procedure for granting, revoking and changing access

  • Various security zones with restricted access based on job role

  • All access (successful/failed) attempts are logged, with logs stored per our security policies

  • All visitors are registered and escorted, with registry stored per our security policies

  • A clean desk/clean whiteboard policy

As you would expect, the physical security at the data center, where your data is stored and processed, goes above and beyond the standards listed above. Benevity currently uses Amazon Web Services (AWS), a leader in the cloud hosting space, and as such, controls including the following are in place:

  • Data center access is restricted to AWS employees and contractors

  • Data centers are controlled by professional security personnel

  • Redundant power and network services

  • Fire detection and suppression

  • Climate and temperature are strictly controlled

  • Media are handled per NIST 800-88 guidelines for sanitization

Network Infrastructure and Security

We subscribe to the AWS shared responsibility model where AWS operates, manages and controls the components from the virtualization layer down to the physical security of the facilities in which the services operate. Our responsibilities are up the stack from the guest operating system and include the network configuration, databases and applications. This framework and model are made clear to all Benevity teams involved, including our:

  • Site Reliability Engineering team

  • Security Operations team

  • Governance & Controls team

  • Product Development team

To fulfill this responsibility, Benevity follows industry best practices and subscribes to AWS’s well-architected framework for the design of all our systems.

Security Operations Team

Benevity has a dedicated Security Operations team with many years of combined experience in securing enterprise IT environments, as well as security incident response. In addition, we periodically engage Managed Security Service Providers from reputable, globally recognized companies.

This team has developed a security practice and posture that includes the following:

  • DDoS protection

  • File integrity monitoring

  • Intrusion prevention system

  • Anti-malware

  • Security information and event management

  • Continuous web application security scanning and business logic assessments conducted by an independent third party

  • Vulnerability management and patching policy

  • Network penetration testing conducted by an independent third party

Change Management to Ensure Authorized Changes Only

Change management is the process for ensuring only authorized changes are made to Benevity’s systems. A formal Change Advisory Board is in place and enforces Benevity’s controls over changes to production systems including:

  • Maintenance and controlled access to a production environment as well as several non-production environments (development, test, staging, etc.)

  • Ensuring every change to Benevity’s system is appropriately authorized

  • Testing of changes by dedicated in-house Quality Assurance personnel prior to production

  • Execution of thousands of automated tests prior to production

  • Segregation of Duties (SoD); progression of changes through different environments

  • Maintaining a system of segregation of incompatible duties

Logical Security

Logical security involves controlling access to IT systems and making sure people have a valid reason to access, read or modify business information. Benevity maintains a system of role-based access controls, as well as the necessary processes to support:

  • Access on a need-to-know and least privilege basis

  • Documented access requests and approvals

  • Periodic reviews of access to ensure those who have it still need it

  • Authentication controls including strong passwords and multi-factor authentication

Security Awareness is Embedded in our Culture

At Benevity, we recognize that security risks go beyond IT systems and include a human element. As such, we direct significant resources towards maintaining a high level of security awareness among our people. This helps them to understand the security requirements of our clients and the regulations we are subject to, as well as emerging security threats. All of our people undergo formal security awareness training and regular phishing simulation testing. In addition, many informal training opportunities are available to our people and take the form of seminars, hands-on activities and question-and-answer sessions with security personnel.


Compliance & Third-Party Partnerships

Our Commitment to Compliance

Benevity’s code of conduct and business ethics holds us to the highest standards of compliance with the laws and regulations in all the regions in which we operate. Our Governance and Controls team works with all our functional areas from Marketing to Finance to ensure we are aware of current and emerging obligations and doing what is required to maintain our commitment to compliance.

What Compliance Means in our Space

Benevity is in the business of Goodness and has products and services that fall under the employee engagement, charitable giving, volunteering and cause marketing umbrellas. Benevity is also a global company and, as such, our products and service offerings are under the oversight of regulators beyond the North American landscape.

Third-Party Partnerships Make us Stronger

Cloud, APIs, virtualization, containers, microservices—oh my! In the modern era, it is very unusual to find a business that doesn’t rely on third parties to deliver its products and services to clients, and Benevity is no exception. We partner with third parties who are the best at what they do and pass that excellence on to our clients. Rest assured, all our third parties undergo rigorous scrutiny before they are accepted into the Benevity ecosystem, as well as continuous monitoring to ensure their governance, risk management and controls remain up to Benevity’s standards. We only do business with companies that issue independent assurance of their compliance with industry standards such as SSAE 18, ISO 27001, PCI DSS and the like. In delivering our services, we use the following providers:

  • Amazon Web Services (AWS) – cloud hosting

  • BlueSnap – payment processing

  • CyberSource – payment processing

  • Foundation Partners (AOGF, AUOGF, COGF, IOGF, NASSCOM, UKOGF) – donation processing

  • PayPal – payment processing


Trust & Safety in the Charitable Landscape

Benevity has the privilege to be a platform player in the Goodness business. Through our activities in this space, we encounter charities and nonprofits, individual and corporate donors, financial and IT service providers, as well as regulators. We also encounter bad actors. Given these factors, we have put in place several trust and safety measures to deliver complete and accurate transaction processing while keeping the bad people at bay.

Leaders in Global Charity Vetting

Before a cause can take part in our ecosystem, our dedicated vetting team ensures that they are in good standing with the authorities in their region. In addition, our vetting process involves initial and pre-disbursement searches of the organization against a third-party database that aggregates over 1,200 sources for sanctions lists, enforcement actions and adverse media.

Anti-Fraud

Benevity’s team has implemented several fraud detection and prevention measures. These include manual and automated procedures to maintain the integrity of the transactions in our system and minimize abuses by any party that is not trying to do good in the world.

Disaster Recovery and Business Continuity

We all know that bad things happen to good people, and we spend a fair bit of time thinking about the different kinds of risks that threaten our company and our clients’ good work. A dedicated Business Continuity Planning committee is in place and performs periodic business impact assessments as well as overseeing Benevity’s Disaster Recovery Plan and testing of that plan. Data is replicated across two AWS hosting regions, with each region consisting of multiple “availability zones” (independent data centers) to ensure redundancy and high availability. Our recovery time objective is four hours.


Privacy and GDPR

GDPR Compliance for Good

In May 2018, European regulators implemented the General Data Protection Regulation (GDPR). This far-reaching legislation was designed to protect the privacy rights of individuals in the EU and mandates strict standards for how personal data can be used, collected or transferred, regardless of where their personal information is located and processed. GDPR requires data controllers and data processors to implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the risks presented.

In response to these changes in the privacy landscape, Benevity enhanced its existing privacy program to comply with the new requirements. This program is based on current regulations, industry best practices from professional associations like the International Association of Privacy Professionals, as well as EU legal guidance and advice on data protection compliance. We have worked with some of the largest employers in the EU, including Privacy Officers, to satisfy GDPR and Works Councils requirements for their programs.

Benevity’s Privacy Policy

To keep everyone informed we publish our privacy policy here, which has been updated with respect to GDPR, and provides information regarding the collection, processing, onward transfer, retention and destruction of personal information. For more information, please contact privacy@benevity.com.