Nonprofits increasingly rely on technology to manage operations, engage donors, and advance their missions. But these digital tools often require partnering with third-party vendors, which can expose organizational and donor data.
That’s why it's crucial to select software vendors with strong nonprofit security measures. Inadequate security can lead to data breaches, exposing sensitive donor information and jeopardizing trust. Cyberattacks can also disrupt operations, causing financial loss and reputational damage.
To protect your donors and organization, security and compliance must be prioritized when evaluating software vendors. Here are ten questions to ask to determine a vendor’s security comprehensiveness.
1. What is their compliance policy?
Compliance with industry standards and regulations ensures that a vendor adheres to best practices for data protection and privacy. This isn’t just a legal requirement — it’s essential for maintaining donor trust and safeguarding sensitive information.
Key compliances to evaluate include:
- ISO 27001: Verifies comprehensive management of information security.
- GDPR: Regulates data protection and privacy in the European Union.
- PCI DSS Level 1: Ensures secure credit card transactions.
- PIPEDA: governs how private sector organizations use personal information in Canada.
- SOC 2: Aligns data management practices with industry standards.
- WCAG 2.1 AA: Ensures web accessibility for all users, including those with disabilities.
Ensuring compliance with these standards demonstrates a vendor's commitment to security and privacy. It’s important to focus on certifications critical to your needs and verify that both the software and its data centers maintain up-to-date certifications. Maintaining compliance is crucial not only for legal reasons but also for preserving the trust of donors and stakeholders.
2. How do they ensure data privacy and protection?
Protecting sensitive information is vital for maintaining donor trust and ensuring the integrity of your organizational data. A robust data privacy and protection policy safeguards against unauthorized access and data breaches.
Among the key data privacy and protection measures to evaluate are:
- Privacy settings: Ensure the solution offers configurable privacy settings to protect Personally Identifiable Information (PII).
- Security features: Look for comprehensive security features like firewalls and encryption.
Any vendor should provide clear documentation on data storage, transmission, and protection, typically found in their security policy. It's also important to verify how each vendor uses AI to handle PII to ensure it doesn't compromise data privacy. Prioritizing these measures helps maintain transparency and secures sensitive information.
3. Do they perform regular security assessments?
Regular security assessments are crucial for identifying and mitigating potential vulnerabilities, ensuring ongoing protection for your organization's data. These assessments help uncover weaknesses in the system that could be exploited by cybercriminals, allowing for timely intervention and strengthening of security measures.
Key aspects of security assessments to evaluate include:
- Comprehensive testing: Confirm if the vendor conducts thorough security testing and evaluations, including vulnerability assessments and penetration testing.
- Assessment frequency: Ask about the frequency of security assessments.
- Third-party evaluations: Check if third parties are involved in risk assessments and how these evaluations are integrated into the security strategy.
Ensure there’s ongoing evidence of security assessments, with penetration testing performed at least annually. Regular assessments help maintain a high level of security by identifying and addressing vulnerabilities before they can be exploited. This proactive approach is essential for protecting sensitive information and maintaining trust with donors and stakeholders.
4. Do they implement anti-fraud measures?
Effective anti-fraud measures are essential for protecting the donor experience and preventing financial losses to maintain the integrity of donation processes. These measures help ensure that all transactions are secure and that donors feel confident their contributions are handled safely.
Check on this important anti-fraud measure:
- Advanced anti-fraud tools: Verify if the platform uses sophisticated tools like machine learning algorithms and behavioral analysis to detect and prevent fraudulent activities.
Anti-fraud measures should be integral to the platform's overall compliance and risk management strategy. Implementing these tools not only safeguards financial transactions but also enhances donor confidence, which is crucial for maintaining ongoing support and trust in the organization.
5. What is their history of security breaches?
Understanding a vendor’s history with security incidents is crucial for assessing their reliability and response capabilities. A company's track record with past breaches can provide valuable insights into its overall security posture and how effectively it manages and mitigates risks.
Essential aspects to evaluate regarding historical security breaches are:
- Disclosure of past incidents: Ask about any previous security breaches or incidents, including how they were managed and resolved.
- Mitigation and response strategies: Inquire about steps taken to prevent future incidents, including policy, technology, and process changes.
Security breaches can severely damage an organization’s reputation and erode trust. Evaluating how well a vendor has managed past incidents is essential. A transparent and proactive approach to handling breaches indicates a vendor's commitment to security and their ability to safeguard your organization’s sensitive information.
6. Do they have a comprehensive incident response plan?
A comprehensive incident response plan minimizes the impact of security breaches, ensuring a company takes swift action to respond to risks and maintain operations. This plan is essential for effectively managing and mitigating the effects of security incidents.
Key aspects of an incident response plan to evaluate include:
- Notification timeliness: Verify the vendor’s commitment to timely notification (typically within 24 hours) in case of a breach.
- Data classification matrix: Ensure the Incident Response Policy includes a matrix to prioritize responses based on data sensitivity.
The policy should outline procedures for detecting, reporting, and responding to security incidents. A well-defined incident response plan ensures that your organization can quickly and effectively address security breaches, minimizing disruption and maintaining the trust of donors and stakeholders.
7. Do they have reliable backup and recovery processes?
Reliable backup and recovery procedures ensure data integrity and operational continuity during data loss or system failures. These processes are essential for minimizing disruption and preserving trust.
Be sure to evaluate these key aspects of backup and recovery:
- Backup frequency and encryption: Determine how often backups are performed and if they are encrypted.
- Retention periods: Check how long backups are retained.
A Business Continuity and Disaster Recovery Plan should outline the frequency of backups, retention periods, and encryption measures. Daily backups that are retained for at least a year are ideal to meet both operational needs and compliance requirements. Ensuring these processes are in place helps maintain data integrity and enables quick recovery in case of data loss or system failures.
8. How do they handle data retention and deletion?
Proper data deletion and retention are crucial for ensuring compliance with data protection laws and maintaining donor trust. Effective management of data lifecycle processes helps protect against unauthorized access, breaches, and misuse.
Evaluate the following aspects of data deletion and retention:
- Data deletion procedures: Ensure that data is completely removed from all systems when no longer needed or upon request, including from backups.
- Data retention policies: Review vendor policies to ensure they comply with legal requirements. Determine how long different types of data are retained and the criteria used for these periods.
The vendor’s Data Protection and Handling Policy should clearly outline data deletion methods. A company shouldn’t retain data longer than necessary, and should securely delete all data to avoid breaches. By ensuring robust data deletion and retention practices, nonprofits can maintain compliance with data protection regulations and safeguard donor information.
9. Are their staff members trained and aware of security issues?
Regular security training and awareness programs are essential for preventing security breaches and ensuring staff are informed about the latest practices and threats. A well-trained staff is a critical line of defense against cyber threats.
Key aspects of staff management to check include:
- Background checks: Ensure comprehensive background checks for employees with access to sensitive data.
- Annual security training: Verify that annual security training covers current practices, threat awareness, and incident response.
- Role-specific training: Determine if the vendor provides role-specific training for different employee roles.
The vendor’s security policy should clearly outline their approach to security training and awareness. Regular and role-specific training ensures that all staff members, from general employees to IT professionals, are equipped with the knowledge needed to prevent breaches and respond effectively to security incidents.
10. What are the admin controls over roles and permissions?
Effective management of user roles and permissions is crucial for maintaining security within a nonprofit’s tech environment. Proper control ensures that only authorized personnel have access to sensitive data, reducing the risk of internal security breaches.
The following are important aspects of admin control over roles and permissions:
- Flexibility of role assignments: Ensure the solution allows administrators to customize roles and permissions based on the specific needs of the organization.
- Ease of management: Assess how easy it is to manage roles and permissions in the platform, including adding, modifying, or removing access without requiring extensive technical support.
Evaluating a vendor's role and permission management capabilities is essential for protecting sensitive information. Effective control over roles and permissions directly impacts data security and operational efficiency, ensuring that access levels can be tailored and quickly adapted to meet the organization’s needs.
Enhance nonprofit security and protect donor data with Fundraise Up
Selecting secure software vendors is essential for nonprofits to protect sensitive organization and donor data and maintain trust. By evaluating the key factors in this third-party security assessment checklist, nonprofit leaders can implement robust security measures, ensure compliance, and uphold operational integrity.
Fundraise Up excels in comprehensive security and compliance measures as the sole online donation platform to publicly affirm ISO 27001 certification. We also maintain SOC II Type 2 and PCI DSS Level 1 compliance as well as 256-bit encryption, tokenized payments, global infrastructure, secure backups, and regular penetration testing. Advanced anti-fraud tools and AI-enhanced monitoring provide additional layers of protection for donor data.
For more information on best-in-class security standards and how to assess potential third-party vendors, download Fundraise Up's comprehensive nonprofit compliance checklist.