GDPR compliance at Fundraise Up

Fundraise Up’s approach to handling supporter data in line with GDPR and UK GDPR requirements.

Fundraise Up aligns with the requirements of the General Data Protection Regulation (GDPR) and UK GDPR, which protect the privacy and security of individuals in the EU/EEA and the UK. This article provides detailed information about our compliance measures, certifications, and the tools available to help you meet GDPR requirements when accepting donations from these regions.

If you accept donations from supporters in the EU/EEA or the UK, GDPR may apply to your organization depending on your processing activities. For example, GDPR typically applies when you actively target supporters in these regions through localized campaigns or when you monitor their behavior. If you receive only incidental donations from EU/EEA or UK supporters without targeting those regions, the application of GDPR is less clear. Consult with legal counsel to determine your specific obligations.

Fundraise Up has implemented measures to ensure that all data collected through our platform is stored securely and that individuals can exercise their data subject rights, including the right to access, erasure, and objection to processing.

Compliance overview

Fundraise Up maintains compliance through regular audits, industry-standard certifications, and clear legal frameworks that govern how we process and protect personal data.

Data Controller and Data Processor roles

Under GDPR, your organization is the Data Controller for supporter data collected through Fundraise Up. This means you determine the purposes and means of processing personal data. Fundraise Up is the Data Processor, processing personal data on your behalf according to your instructions.

As the Data Controller, you're responsible for ensuring lawful bases for processing, providing privacy notices to supporters, and responding to data subject requests. Fundraise Up supports these obligations by providing tools, documentation, and technical capabilities to help you meet your compliance requirements.

Certifications and audits

Fundraise Up holds the following certifications:

  • SOC 2 Type II: Evaluates controls related to security, availability, processing integrity, confidentiality, and privacy. This independent audit verifies that Fundraise Up maintains appropriate safeguards for customer data.
  • PCI DSS Level 1 (v4.0.1): Ensures compliance with over 300 security control requirements to safeguard transactional data.
  • ISO 27001: Fundraise Up is ISO 27001 certified, demonstrating that we maintain appropriate policies, procedures, and safeguards as part of our information security management system (ISMS).

Fundraise Up undergoes annual GDPR-related audits conducted by Thoropass to verify ongoing compliance with data protection standards.

Compliance documentation

  • Data Protection Impact Assessments (DPIA): Documentation, mappings, and responses to support your DPIA process.
  • Vendor due diligence: Comprehensive documentation for procurement and security reviews.
  • SOC 2 reports: Available under non-disclosure agreement for detailed security and compliance verification.

To request any of these materials, email legal@fundraiseup.com or visit our Trust Center page.

Supporter rights and data subject requests

GDPR grants individuals specific rights over their personal data. Fundraise Up supports organizations in facilitating these data subject rights:

  • Right of access. Supporters can request access to their personal data.
  • Right to erasure. Supporters can request that their personal data be deleted.
  • Right to rectification. Supporters can request correction of inaccurate personal data.
  • Right to object. Supporters can object to certain types of processing, such as direct marketing.

Fundraise Up provides tools and processes to help organizations respond to these requests. To submit a request, email support@fundraiseup.com and specify which data needs to be erased.

Data protection measures

Fundraise Up implements multiple layers of security controls and responsible data practices to protect supporter information.

Security controls

  • Encryption. All data is encrypted using TLS 1.2+ and 256-bit AES encryption keys. Full disk encryption protects data at rest, while private networks secure personal data in transit.
  • Role-based access control (RBAC). Access is limited based on job responsibilities using the principle of "Just Enough Access." This includes audit logs for access analysis.
  • Multi-factor authentication (MFA). Available for Dashboard users through SMS or authenticator app to add an extra layer of account security.
  • Single sign-on (SSO). Supported through SAML 2.0 to centralize account control and simplify the login process.
  • Audit logs. User actions and access are tracked for security analysis and compliance verification.

Access to your data is limited to client-facing teams who are fully aware of the sensitivities involved. Data handling responsibilities are defined in Fundraise Up's Privacy Policy and Data Protection and Handling Policy, which are mandated and monitored under SOC 2 protocols.

Data practices

  • Data minimization. Fundraise Up collects only the information necessary for processing donations and supporting your fundraising operations. Optional fields are available when additional data is needed.
  • No selling of personal data. Fundraise Up never sells personal data under any circumstances.
  • Data retention. While your account is active, Fundraise Up retains records to support ongoing operations and meet regulatory requirements. Organizations that require a specific retention period can agree on a time frame for deletion, with a 5-year minimum currently available.
  • Data residency. Fundraise Up operates SOC 2, PCI DSS Level 1, and ISO 27001 certified data servers in the United States, European Union, and Canada to store supporter data.
  • Payment data handling. Stripe, our payment processor, handles all PCI data. Fundraise Up stores only the last four digits of card numbers, expiry dates, and brand names for fraud prevention and receipt display purposes. Both Stripe and Fundraise Up are PCI DSS Level 1 compliant.

When an account is closed, Fundraise Up revokes access to client-facing teams. If requested, Fundraise Up can delete client personal data after the account is closed. Fundraise Up retains transaction-related data points in accordance with applicable laws (name, email, donation amounts, payment method, and in certain jurisdictions mailing address). These are stored in an encrypted format with limited access permissions and are only accessed if needed for regulatory purposes.

Types of data collected

Fundraise Up processes and stores the following categories of personal data:

  • Basic supporter information. Name, email, mailing address, phone number.
  • Technical data. Geolocation, device details, browser information.
  • Payment information. Last four digits and expiry dates of card or bank details.
  • Other donation-related data. Family member details and other information provided during the donation process.

The data transfers do not include health information or any special or sensitive categories of personal data.

Marketing consents

Marketing consent settings are configured at the campaign level and help organizations obtain explicit, informed consent from supporters before any form of communication. Organizations can choose from three consent types:

  • No consent. The checkout form proceeds without requesting communication permission. Use this option when your organization operates in regions without strict consent requirements, has other mechanisms for obtaining consent, or does not plan to contact supporters for marketing purposes.
  • General consent. Requests overall permission to communicate with supporters through a single checkbox, regardless of the channel. Use this option for a straightforward consent process when your communication strategy spans multiple channels.
  • Customized consent. Lets supporters choose their preferred communication channels separately, including email, SMS, phone calls, postal mail, and social media. Use this option when operating in GDPR-affected regions or when detailed control over communication preferences is needed.

You can enable the option to show consent forms only in regions that commonly require explicit user consent. When this option is enabled, consent forms appear only to supporters who are physically located in the following regions at the time of donation (based on common regulatory requirements): EU member states, EEA (Iceland, Norway, and Liechtenstein), Australia, Canada, Brazil, India, South Korea, Switzerland, and the United Kingdom.

To access marketing consent settings, go to Campaigns > [Your campaign] > Settings > Marketing consent.

Marketing consent in campaign settings (screenshot of the settings page showing the "No consent," "General consent," and "Customized consent" options and the related communication channels)

International data transfers

Fundraise Up utilizes cloud computing infrastructure to create a scalable and reliable platform. The nature of our services requires us to provide data access to teams based outside of the EU/EEA and the UK.

To enable compliant data transfers, Fundraise Up executes a Data Processing Addendum that includes the UK International Data Transfer Addendum and EU Standard Contractual Clauses. These frameworks ensure that international data transfers comply with GDPR and UK GDPR requirements.

Fundraise Up operates SOC 2, PCI DSS Level 1, and ISO 27001 certified data servers in the United States, European Union, and Canada to store supporter data for EU/EEA and UK organizations.

Subprocessors

Fundraise Up uses contractors who act as subprocessors under the GDPR framework. These include cloud infrastructure providers and payment processors necessary to deliver our services.

Before engaging any service provider, Fundraise Up performs due diligence, including vendor security assessments. We review vendor compliance reports on a periodic basis. We also ensure that our subprocessors are contractually required to process personal data only to provide services to Fundraise Up. These contract terms also require compliance with our commitments to clients and applicable data protection laws.

Terms and conditions checkbox

To help keep your donation process aligned with GDPR transparency requirements, your organization should enable the Terms & conditions checkbox in your campaigns. This checkbox prompts supporters to confirm that they have read and agreed with your terms and conditions and other policies before proceeding with their donation.

Terms & conditions in campaign settings (screenshot of the General Donations settings page showing the "Terms and Privacy Policy" checkbox and the "Save Changes" button)

To enable this option:

  1. Go to Campaigns > [Your campaign] > Settings > Terms & conditions.
  2. Check the box labeled Prompt supporters to accept your terms.
  3. Add the text for the checkbox.
  4. Link to your Terms and Conditions and any other relevant webpages.
  5. Click Save changes.

Do not enable the Checked by default option, as pre-ticked boxes do not constitute valid consent under GDPR for marketing purposes and may not satisfy contractual acceptance requirements in all jurisdictions.

Privacy policy template

While not strictly required, mentioning Fundraise Up in your organization's privacy policy can help build trust with supporters and demonstrate your commitment to data privacy and security.

Template for mentioning Fundraise Up:

[Nonprofit] uses Fundraise Up as an online donation platform. All donation data collected is subject to the provisions of the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act of 2018 ("CCPA"), and other applicable privacy laws. Non-Personal Information that is collected remains anonymous or non-personally identifiable. All Personally Identifiable Information (PII) is encrypted. Financial information, such as banking information or credit card number, name, CVV code, or expiration date, is collected and stored by a third-party payment processor. Financial information is not stored by Fundraise Up.

Frequently asked questions

Does Fundraise Up have access to PCI data?

Fundraise Up does not have access to PCI data. This is handled exclusively by Stripe, our payment processor. Fundraise Up only stores the last four digits along with the expiry date and brand name. Stripe and Fundraise Up are both PCI DSS Level 1 compliant.

How long does Fundraise Up retain data?

While your account is active, Fundraise Up retains records to support ongoing operations and meet regulatory requirements. Organizations that require a specific retention period can agree on a time frame for deletion, with a 3-year minimum currently available. As the Data Controller, you determine appropriate retention periods based on your legal obligations and legitimate business needs.

What happens to data when an account is closed?

When an account is closed, Fundraise Up revokes access to client-facing teams. If requested, Fundraise Up can delete client personal data after the account is closed. Transaction-related data points (name, email, donation amounts, payment method, and in certain jurisdictions mailing address) are retained in an encrypted format with limited access permissions and are only accessed if needed for regulatory compliance.

Are there any third-party cookies used by Fundraise Up?

No. Fundraise Up does not deploy any third-party cookies.

What happens if a user blocks cookies?

Blocking the fundraiseup_cid cookie affects the proper functioning of the platform and anti-fraud measures, which is why this cookie must be categorized under "strictly necessary" in the cookie banner so that it cannot be blocked. Blocking the fundraiseup_func cookie could affect user experience, as their preferences and previous interactions will not be remembered. Blocking fundraiseup_stat and fundraiseup_mark will not affect the user's experience, but will impact data tracking for that user.

Do you support auto-updating of card expiration dates? Is this GDPR-compliant?

Yes, Fundraise Up supports automatic card updates, and this process is GDPR-compliant. Cardholders authorize their issuing banks to provide updated card numbers to networks and major acquirers. Most issuers require cardholders to consent to participating in the card account updater program as a condition of using their card.

What if we're outside the EU/EEA or UK but accept donations from these regions?

If you accept donations from supporters in the EU/EEA or the UK, GDPR or UK GDPR may apply to your organization depending on whether you're targeting or monitoring individuals in those regions. You should implement appropriate consent mechanisms, cookie banners, and data protection measures as described in this article. Consult with legal counsel to determine your specific compliance obligations.

What happens if we do not show a cookie banner?

If your website accepts donations from EU/EEA or UK citizens, you must display a cookie banner to ensure compliance with GDPR and UK GDPR. Your page will not be blocked if you do not have a cookie banner, but you could face fines and penalties if you are found to be non-compliant with data protection regulations.

Can Fundraise Up help with Data Protection Impact Assessments?

Yes. Fundraise Up provides documentation, mappings, and responses for DPIAs and security reviews. Contact legal@fundraiseup.com for assistance.

The information provided in this article is subject to change based on internal and audit reviews and any changes in applicable laws and regulations. Fundraise Up constantly reviews its processes as part of compliance updates.

Further reading

  • Fundraise Up’s Trust Center: Central hub for Fundraise Up’s security, compliance, privacy, and trust documentation.
  • GDPR and CCPA for nonprofits: what you really need to know: Explains GDPR and CCPA requirements specifically for nonprofits.
  • Security and compliance: Overview of security practices at Fundraise Up.
  • Cookies: Explains the types of cookies used by Fundraise Up and their purposes.
  • Fundraise Up Cookies FAQ: Answers common questions about Fundraise Up cookies.
  • Supporter information security FAQ: Answers common questions about personally identifiable information (PII).
  • PCI compliance for organizations using Fundraise Up: Guidance on PCI DSS compliance requirements and organizational responsibilities when processing payments through Fundraise Up.
  • Region-specific features: Details of Fundraise Up features that vary by region.
  • Marketing consent: Guidance on managing supporter marketing consent.
  • Terms & conditions: Instructions for adding terms and conditions to donation campaigns.