PII frequently asked questions

What controls does Fundraise Up have in place to ensure the security of sensitive client data including Personally Identifiable Information (PII) of our supporters?

Fundraise Up is SOC2-Type 2 and PCI-DSS Level 1 compliant. Under these frameworks, we specifically utilize data encryption, role-based access controls, and Fundraise Up policy protocols to ensure the safety and security of all client data including all PII of supporters.

How does Fundraise Up use data encryption to secure my data?

Fundraise Up utilizes full disk encryption for all data-at-rest so that all data stored in our systems is only accessible through encryption keys. These encryption keys are tightly controlled by engineering personnel and rotated on a scheduled basis. All data-in-transit for PII is handled by a private network exclusively and can only be meaningfully accessed through the Fundraise Up dashboard. TLS 1.2+ and 256-bit AES encryption keys are used for public network connectivity.

How does Fundraise Up use RBAC to secure my data?

Our dashboard is utilizing Role-Based Access Control (RBAC) protocols based on the principle of “Just Enough Access”, where access is limited to that which is required for the performance of job duties for individual users. For the Fundraise Up admin dashboards, there are also audit logs in place to do access analysis. Fundraise Up users are provided with only enough access to relevant systems, applications, and information to execute their job responsibilities.

Which Personnel within Fundraise Up will have access to my data?

Access to your data would be limited to our client-facing teams who are fully aware of the sensitivities involved and our responsibilities as defined in our ‘Privacy Policy’ and 'Data Protection and Handling' policy which are mandated and monitored as per the SOC2 protocols.

Will Fundraise Up have access to our supporters’ PCI date?

Fundraise Up does not have access to supporters’ PCI data as this is handled exclusively by Stripe. Fundraise Up only stores the last 4 digits along with the expiry date and brand name. Stripe and Fundraise Up are PCI-DSS Level 1 compliant which is the highest industry level of security certification.

Will Fundraise Up have access to my CRM?

Fundraise Up will be 'integrated' with your CRM using an API, and will send all supporter data to your CRM, of which it will retain a copy. Fundraise Up will not have access to your CRM as the integration is a one-way sync and we only create and update records in your CRM.

Specifically what PII data will Fundraise Up process and store on my behalf?

With respect to each donation record, Fundraise Up stores some information that can be categorized as PII for regulatory purposes. This may include (i) basic supporter information (name, email, mailing address, phone, etc) (ii) supporter tech data (geolocation, device details, browser info, etc) (iii) last 4 digits and expiry dates of card/bank details (ii) other miscellaneous data where provided (family member details, tribute information, etc).

Does the PII data processed by Fundraise Up include any sensitive data?

The transfer does not include any special or sensitive categories of data.

Does Fundraise Up require UK / EU supporter data to be exported, stored or processed outside of the UK/EU?

Fundraise Up utilizes cloud computing infrastructure to create an elastic, robust, and dependable platform for our clients. Furthermore, the nature of our services requires us to provide data access to our teams based outside of the EU. In that respect, we execute a Data Processing Agreement (DPA) which includes the UK International Data Transfer Addendum and EU standard contractual clauses documentation. This enables our data transfers to comply with the UK & EU data privacy frameworks and ensures the security of your data.

What contractual arrangements does Fundraise Up put in place to ensure that international data transfers abide by UK & EU regulations?

Fundraise-Up executes a Data Processing Agreement (DPA) which includes relevant documentation under the UK International Data Transfer Addendum and EU standard contractual frameworks. Under these frameworks, your organization is the ‘Data Controller’ for its supporter’s PII data while Fundraise Up will be the ‘Data Processor’ of the PII of your supporters. The DPA outlines checks and balances that ensure the Processor uses the data only for the purposes that are specified by the Controller and that the Processor fulfills the responsibilities and obligations of the Controller with respect to the supporter’s PII.

Do you foresee any significant changes to the UK & EU GDPR regulations that may disrupt international data transfers?

Based on our research and understanding, while some changes are expected to the relevant regulations in the near future, we do not foresee any significant disruptions to the overall UK International Data Transfer Addendum and EU standard contractual clauses frameworks.

Does Fundraise Up subcontract any of its processing of PII data to sub-processors?

The nature of our services is such that we are required to contract storage of data on internet cloud infrastructure and utilize payment processors to process donations. Fundraise Up uses contractors who are Fundraise Up’s ‘Sub-Processors’ under the GDPR framework.

What due diligence is conducted on sub-processors?

Before engaging any service provider, we perform due diligence, including a vendor security assessment if required. We review vendor compliance reports on a periodic basis and determine whether any aspects need to be discussed or reviewed with the vendor.

How is the processing of the supporter’s PII addressed in the contractual terms with your sub-processors in light of the GDPR requirements?

Fundraise Up ensures that our sub-processors are subject to contract terms that ensure that these service providers process personal data only for the purposes of providing services to Fundraise Up and in accordance with our commitments to our business users and applicable data protection laws. We work with our vendors to make sure that all processes and contracts are compliant with GDPR and other privacy & data transfer regulations.

How long does Fundraise Up retain client data?

While your account is active, our current process is to retain records indefinitely unless required otherwise. In certain cases, where our clients require a definite time frame for deletion, we can agree on a specific time limit for the retention of all donation records. At the moment, we have a five year minimum retention period that we can agree on, but this is currently under review.

What happens to my data if I decide to close my Fundraise Up account?

When an account is closed, we revoke access to our client-facing teams and if requested we can delete client PII data after the account is closed out. We would still retain client transaction-related data points in accordance with applicable laws (these data fields include name, email, donation amounts, payment method, and in certain jurisdictions mailing address). These would be stored in an encrypted format with limited access permissions and would only be accessed if needed for regulatory purposes.

As supporter data records are stored within the Fundraise Up platform, how does Data Residency affect the storage of these records?

Fundraise Up utilizes cloud computing infrastructure to create an elastic, robust, and dependable platform for our clients. Fundraise Up operates SOC2 and PCI-DSS Level 1 compliant data servers in the US, EU, and Canada to store supporter data for EU & UK organizations. In that respect, we execute a Data Processing Agreement (DPA) which includes the UK International Data Transfer Addendum and EU standard contractual clauses documentation. This enables our data transfers to comply with the UK & EU data privacy frameworks and ensures the security of your data.