Supporter information security FAQ

What controls does Fundraise Up have in place to protect sensitive client data?

Fundraise Up is SOC 2 Type II, PCI-DSS Level 1 4.0.1, and ISO27001 compliant. Under these frameworks, we use data encryption, role-based access controls, and Fundraise Up policy protocols to protect all client data, including all supporter PII.

How does Fundraise Up use data encryption to secure my data?

Fundraise Up uses full disk encryption for all data-at-rest so that all data stored in our systems is only accessible through encryption keys. These encryption keys are tightly controlled by engineering personnel and rotated on a scheduled basis. All data-in-transit for PII is handled by a private network exclusively and can only be accessed through the Dashboard. TLS 1.2+ and 256-bit AES encryption keys are used for public network connectivity.

How does Fundraise Up control who can access my data?

The Dashboard uses Role-Based Access Control (RBAC) protocols based on the principle of "Just Enough Access", where access is limited to what's required for individual users to perform their job duties. The Fundraise Up admin dashboards also have audit logs in place for access analysis. Fundraise Up users are provided with only enough access to relevant systems, applications, and information to execute their job responsibilities.

Which personnel within Fundraise Up will have access to my data?

Access to your data is limited to our client-facing teams who are fully aware of the sensitivities involved and our responsibilities as defined in our Privacy Policy and Data Protection and Handling policy, which are mandated and monitored under SOC 2 protocols.

Will Fundraise Up have access to supporters' payment card data?

Fundraise Up does not have access to supporters' payment card data because this is handled exclusively by Stripe. Fundraise Up only stores the last 4 digits along with the expiry date and brand name. Stripe and Fundraise Up are PCI DSS Level 1 compliant, which is the highest industry level of security certification.

Will Fundraise Up have access to my CRM?

Access depends on your integration type. Most Fundraise Up CRM integrations are one-way syncs where we send supporter data to your CRM and only create or update records. Some integrations support two-way data transfer, which allows Fundraise Up to read data from your CRM.

What personal data will Fundraise Up process and store on my behalf?

For each donation record, Fundraise Up stores some information that can be categorized as PII for regulatory purposes. This may include:

• Basic supporter information (name, email, mailing address, phone).
• Supporter tech data (geolocation, device details, browser info).
• Last 4 digits and expiry dates of card or bank details.
• Other miscellaneous data where provided (family member details, tribute information).

Does Fundraise Up process special categories of personal data under GDPR?

No. The personal data we process does not include special categories defined by GDPR, such as health data, racial or ethnic origin, religious beliefs, genetic data, or biometric data.

Is UK or EU supporter data transferred outside of the UK or EU?

Yes. Fundraise Up uses cloud computing infrastructure and our services require us to provide data access to teams based outside the EU. We operate SOC 2, PCI DSS Level 1, and ISO 27001–compliant data servers primarily in the United States, with additional servers in the EU and Canada.

How does Fundraise Up comply with UK and EU regulations for international data transfers?

We execute a Data Processing Agreement (DPA) that includes the UK International Data Transfer Addendum and EU standard contractual clauses. Under this agreement, your organization acts as the Data Controller and Fundraise Up acts as the Data Processor. The DPA specifies that we can only use your supporter data for the purposes you define and that we must fulfill your obligations regarding data protection.

Does Fundraise Up use subprocessors?

Yes. Fundraise Up uses contractors who act as subprocessors under the GDPR framework. These include cloud infrastructure providers and payment processors necessary to deliver our services.

What due diligence is conducted on subprocessors?

Before engaging any service provider, we perform due diligence, including a vendor security assessment if required. We review vendor compliance reports on a periodic basis and determine whether any aspects need to be discussed or reviewed with the vendor.

How does Fundraise Up handle data protection with subprocessors?

Our subprocessors are required by contract to process personal data only for the purposes of providing services to Fundraise Up and in accordance with applicable data protection laws. We work with our vendors to make sure that all processes and contracts comply with GDPR and other privacy and data transfer regulations.

How long does Fundraise Up retain client data?

While your account is active, our current process is to retain records indefinitely unless required otherwise. If you need a specific retention period, we can agree on a time frame for deletion with a 3-year minimum.

What happens to my data if I decide to close my Fundraise Up account?

When an account is closed, we revoke access to our client-facing teams and if requested we can delete client PII data after the account is closed. We would still retain client transaction-related data points in accordance with applicable laws (these data fields include name, email, donation amounts, payment method, and in certain jurisdictions mailing address). These would be stored in an encrypted format with limited access permissions and would only be accessed if needed for regulatory purposes.