For us a self-evident service
Given the rapidly evolving internet threats and the increase of payment transactions in online fundraising, web security has become a central issue for non-profits.
Web-Security for Non-Profits
Cyber attacks cause immense damage every year, both in monetary terms and in terms of reputation - which is the greatest value of an organization. Compromised organizations continue to suffer long after a hacker attack occurs, with bad press, negative search engine hits, credit card company fines for violations of their security requirements, donors and police reporting identity theft or card fraud.
If an organization does not make enough provision for cybersecurity, a resulting data incident can lead to a loss of public confidence. With decreasing membership and the resulting decline in donations, the organization runs the risk of being unable to meet its charitable goals in the worst case scenario.
Non-profits process a tremendous amount of sensitive personal data, such as donor and donation data, credit card numbers and bank details. All this data must be protected. We can help! With use of the FundraisingBox you are bringing your data into a high-end safety zone and thus technologically secure your reputation. Our software and services allow you to take advantage of our security expertise, which otherwise would be set up very difficulty and costly within your own organisation.
Highly secure certified data centers in Germany
The high-security area of the FundraisingBox exclusively uses certified data centers in Germany for the hosting of applications and data. These use the highest physical security measures and strict access guidelines. The data center site is equipped with seamless video surveillance on doors and entrances as well as numerous motion detectors. Access is only possible for authorized employees and is automatically logged. All access requires two-factor authentication. The emergency call and operations control center is staffed around the clock and is supported by security guards. Fail-safe energy supply and backup systems as well as fire and flood protection measures ensure maximum safety in the storage locations.
Decoupling of cash flows
Through our sandbox technology you create a dedicated high-security area within your website. This allows you to process both personal information and payment data on your website, without your own server or your own content management system (CMS) come into contact with this data.
This procedure corresponds to the recommendation of the Federal Office for Information Security (BSI) and the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT). Because both the most frequently used CMS systems such as Drupal, Joomla, Wordpress and Typo3, as well as their underlying servers are often not sufficiently maintained and protected. According to the current CMS study, the content management system alone requires a manual security effort of 15 minutes per day to maximize security and keep it up-to-date.
PCI certification included
If you plan to raise donations and recurring payments by credit card, then you need to be PCI certified. The Payment Card Industry Data Security Standard, commonly abbreviated as PCI or PCI-DSS, is a set of rules designed to ensure the careful and secure use of credit card information.
The system applies to the entire card payment industry and is supported by all the major credit card companies (American Express, JCB, MasterCard, Discover Financial Services and Visa).
Any "merchant" who stores, processes or even transmits cards is required to comply with the twelve extensive security requirements and to issue an appropriate organizational and technical security certification. This causes a great deal of effort and high recurring costs. The use of the FundraisingBox eliminates this extensive external and internal PCI implementation effort as well as the regular compliance checks.
Comprehensive network protection with maximum availability
Our network is continuously monitored and undergoes regular threat assessments, such as external penetration testing and vulnerability scans. The entire software infrastructure is constantly updated and new security updates are immediately downloaded after publication. All servers are shielded by fail-safe firewalls that precisely control which network resources are allowed to be accessed. The FundraisingBox is operated in parallel in several data centers. This means that the complete hardware is designed to be fully redundant, i.e. even in the event of a hardware failure, high availability is guaranteed. If there is a traffic increase, more server capacity will automatically be added, so that even large fundraising campaigns can be accompanied fail-safe.
The latest data encryption
The FundraisingBox uses state-of-the-art technologies and customary data encryption techniques during transmission to and from the FundraisingBox.
The Strict Transport Security Directive (HSTS) applies, so that only encrypted connections are accepted. It uses a 2,048-bit RSA key, just as secure SSL and TLS protocols, and always updated encryption algorithms in the cipher suites.
Our SSL is further secured by Perfect Forward Secrecy (PFS). An attacker can therefore draw no conclusions about the negotiated last session key, even if he is in possession of the long-term key.
Comprehensive Data Privacy and GDPR Compliance
We guarantee complete privacy and legally secure data storage. The processing of personal data is GDPR-compliant and exclusively in the context of contract performance.
Of course, as a customer, you have the opportunity to conclude a corresponding data processing agreement (DPA) with us. We are happy to provide you with an DPA so that you will fully meet your legal requirements (without the additional expense of drawing up the agreement).
The headquarters of Wikando GmbH, the operator of the FundraisingBox, is located in Augsburg, Germany, and all data centers are also located in Germany. All security-relevant processes of the fundraising box are regularly audited.
The employees are regularly trained in detail on the subject of security and are committed to data secrecy under § 5 of the German Federal Data Protection Act. In addition, strict password policies, consistent two-factor authentication and logging of all relevant operations apply. For all your data, offsite backups are created daily and stored securely and encrypted in several server locations.
Security for your employees
Within your FundraisingBox, you can view the data and usage rights of your employees and easily restrict or extend them. For example, you can define access for roles such as fundraiser, agency or accounting.
Each employee gets their own access. In addition to a username/password combination, you can further secure each access with a two-factor chip key. This means that your employee then additionally requires a physical dongle (a so-called YubiKey), which is plugged into the USB port of his computer, to be able to log in to the FundraisingBox.
Your advantage: Even if a Trojan or Man-in-the-Middle reads the password, it will not get into your fundraising box without the YubiKey.
Of course, all accounts are protected against brute-force attacks, so that access is automatically blocked if the login details are repeatedly entered incorrectly.
In addition there is protection against many other security risks, such as session hijacking.