Security - not only a feature, but an accomplishment
Given rapidly evolving internet threats and the growing number of payment transactions in online fundraising, web security has become a central issue for non-profits.
Web Security for Non-Profits
Cyber attacks cause immense damage every year, both financially and in terms of reputation, which is an organisation's most valuable asset. Compromised organisations suffer from the consequences long after a successful attack: bad press, negative search engine results, fines from credit card companies for violating their security requirements, and donors and police reporting identity theft or card misuse.
If an organisation does not position itself adequately on cyber security, a resulting data incident can lead to a loss of public trust. With declining membership and therefore declining donations, the organisation risks no longer being able to achieve its charitable goals.
Non-profits process a tremendous amount of sensitive personal data, such as donor and donation data, credit card numbers and bank details. All of this data must be protected. We can help! By using the FundraisingBox you bring your data into a high-end safety zone and technologically secure your reputation. Our software and services let you take advantage of our security expertise, which would otherwise be very difficult and costly to build within your own organisation.
Highly secure and certified data centers
The high security area of the FundraisingBox uses exclusively certified data centers for hosting the applications and data. These implement the highest physical security measures and strict access policies. The data center premises are equipped with complete video surveillance of doors and entrances as well as numerous motion detection sensors. Access is only possible for authorised staff and is automatically logged. In addition, all entrances require two-factor authentication. The emergency and control center is staffed around the clock and is supported by security services. Uninterruptible power supply and backup systems, as well as fire and flood prevention measures, make these sites suitable for maximum security.
Decoupling of cash flows
Our sandbox technology provides a dedicated high-security area within your website. This lets you handle personal information and process payment information on your website without that data ever touching your own server or your own content management system (CMS).
This approach is also the recommendation of the Federal German Office for Security in Information Technology (BSI) and the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT), since the most widely installed CMS systems such as Drupal, Joomla, WordPress and Typo3, as well as the servers underneath them, are often not adequately maintained and protected. According to the latest CMS study, the content management system alone requires 15 minutes of daily manual security measures in order to harden it to the maximum.
PCI certification included
If you plan to collect donations and recurring payments with credit card, then you must be PCI certified. The Payment Card Industry Data Security Standard, commonly abbreviated as PCI or PCI-DSS is a set of rules intended to ensure the diligent and protected handling of credit card data.
The system applies to the entire card payment industry and is supported by all the major credit card companies (American Express, JCB, MasterCard, Discover Financial Services and Visa).
Each "merchant" that stores, processes, or even simply transmits card data is obliged to comply with the twelve extensive security requirements and to file an appropriate organisational and technical security certification. This involves a great deal of effort and high recurring costs. By using the FundraisingBox, these extensive external and internal PCI implementation expenses and regular compliance checks are no longer required on your side.
Comprehensive network protection with maximum availability
Our network is continuously monitored and undergoes regular threat assessments, such as external penetration tests and vulnerability scans. The complete software infrastructure is continuously updated, and new security updates are applied immediately after publication. All servers are shielded by resilient firewalls that govern exactly which network resources can be accessed. The FundraisingBox is operated in parallel in multiple data centers, so the complete hardware is fully redundant: even in case of hardware failure, high availability is guaranteed. If traffic increases, additional server capacity is switched on automatically, so that even major fundraising campaigns can be supported without failure.
The latest data encryption
The FundraisingBox uses the latest technologies and banking practices for data encryption during transmission from and to the FundraisingBox.
The Strict Transport Security policy (HSTS) applies, so that only encrypted connections are accepted. A 2048-bit RSA key is used, only secure SSL and TLS protocol versions are enabled, and the encryption algorithms in the cipher suites are kept constantly up to date.
Our SSL is further secured by Perfect Forward Secrecy (PFS). An attacker who obtains the long-term key therefore cannot recover the session keys negotiated in earlier connections.
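As an added example (not FundraisingBox code), here is a small offline check of the two properties described above: whether a response carries a usable HSTS header, and whether the negotiated cipher suite uses ephemeral key exchange and therefore gives forward secrecy. The sample headers and cipher names are constructed; the one-year `max-age` threshold is an assumption.

```python
import re
from typing import Dict, List, Optional

# Ephemeral (EC)DH key exchange gives forward secrecy. Plain RSA key exchange
# (e.g. TLS_RSA_WITH_AES_128_GCM_SHA256) does not: the premaster secret is
# encrypted to the server's long-term RSA key, so a leaked key decrypts
# every recorded session. TLS 1.3 suites always use (EC)DHE.
FORWARD_SECRET_KX = ("ECDHE", "DHE")
HSTS_MAX_AGE = re.compile(r"max-age\s*=\s*\"?(\d+)", re.IGNORECASE)
ONE_YEAR = 31536000  # assumed minimum max-age, in seconds


def cipher_is_forward_secret(name: str) -> bool:
    """True if an IANA cipher-suite name uses ephemeral DH key exchange."""
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):  # TLS 1.3 suites
        return True
    return any(f"_{kx}_" in name for kx in FORWARD_SECRET_KX)


def hsts_max_age(header: Optional[str]) -> int:
    """max-age from a Strict-Transport-Security header, 0 if absent/invalid."""
    if not header:
        return 0
    m = HSTS_MAX_AGE.search(header)
    return int(m.group(1)) if m else 0


def assess(headers: Dict[str, str], cipher: str, min_age: int = ONE_YEAR) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    # header names are case-insensitive, so normalise before lookup
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    age = hsts_max_age(lowered.get("strict-transport-security"))
    if age == 0:
        findings.append("HSTS missing: browsers may still attempt plain HTTP")
    elif age < min_age:
        findings.append(f"HSTS max-age {age} is below {min_age} seconds")
    if not cipher_is_forward_secret(cipher):
        findings.append(f"cipher {cipher} lacks forward secrecy (static RSA key exchange)")
    return findings


# Constructed sample data: one hardened response, one weak one.
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
WEAK_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    print(assess(GOOD_HEADERS, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"))
    print(assess(WEAK_HEADERS, "TLS_RSA_WITH_AES_128_CBC_SHA"))
```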
Full Data Protection
We guarantee complete data protection and legally compliant data storage. Personal data is processed in compliance with the BDSG (Federal German Data Protection Act) and exclusively for the purpose of fulfilling the contract.
As a customer you also have the opportunity to conclude a Data Processing Agreement with us. We gladly provide this agreement at no additional cost, so that you can fully meet your legal requirements.
The headquarters of Wikando GmbH, the operator of FundraisingBox, is in Germany (Augsburg) and all data centers used are within Europe. All safety-relevant processes of FundraisingBox are audited regularly.
Employees are trained extensively and regularly on security and are committed to data secrecy under § 5 BDSG (Federal German Data Protection Act). Moreover, strict password policies, consistent two-factor authentication and logging of all relevant operations apply. Offsite backups of all your data are created daily and stored securely and encrypted at multiple server locations.
Security for your employees
Within your FundraisingBox you can view the data and usage rights of your employees and limit or extend them with a click. This lets you define, for example, access for roles such as fundraiser, agency and accounting.
Each employee can have their own access. In addition to a username / password combination, you can further secure every access with a two-factor smart key. Your staff then also need a physical dongle (a YubiKey), which must be inserted into the USB port of the PC / laptop before logging into the FundraisingBox is possible.
This means that even if a Trojan or a man-in-the-middle attacker reads the password, it cannot access the FundraisingBox without this hardware key.
All accounts are naturally protected against brute force attacks: after repeated incorrect login attempts, access is automatically blocked.
In addition there are a number of other security measures such as those against session hijacking.