Security and compliance

Fundraise Up protects supporter information through multiple security layers that cover data storage, transmission, and access control.

All data is encrypted both at rest and in transit. We use TLS 1.2+ and 256-bit AES encryption for public network connections, while personal data moves exclusively through private networks. Full disk encryption protects stored data, with encryption keys controlled by engineering personnel and rotated on a scheduled basis.

A valid SSL certificate is required on all client websites that use Fundraise Up. Without HTTPS, the platform cannot process donations through the Checkout Modal.

We retain data long enough to meet legal obligations and operational needs. While your account is active, records stay available to support your use of Fundraise Up and to meet regulatory requirements. If an organization requires a defined retention period, we can set a deletion schedule with a minimum term of 3 years.

When we close your account, we revoke access for our support and account teams. We can delete supporter personal data on request, but we must retain certain transaction records (name, email, donation amounts, payment method, and in some jurisdictions mailing address) for regulatory compliance. This data remains encrypted with restricted access and is only accessed when legally required.

We secure payment processing through industry-standard protocols and fraud prevention systems.

Fundraise Up maintains PCI DSS Level 1 4.0.1 compliance, the highest level of payment security certification. While we facilitate secure transactions, direct payment processing is handled by our PCI-compliant payment processors, Stripe and PayPal.

Organizations that use Fundraise Up need to complete an annual Self-Assessment Questionnaire (SAQ A) to confirm their compliance. This simplified version of the questionnaire applies because your organization never handles or stores cardholder data.

All transactions process directly through Stripe as tokenized payments, which means sensitive payment details are never exposed. Fundraise Up stores only the last four digits of cards along with expiry dates and brand names — information needed for fraud prevention and receipt display.

For transactions that require additional verification, Fundraise Up integrates Stripe's authentication modals directly into the donation checkout flow. When a supporter's card requires Strong Customer Authentication (SCA) or 3D Secure authentication — regulatory requirements in the European Economic Area (EEA) — they complete the verification through an overlay without leaving the donation process.

This provides:

• Enhanced security that prevents fraudulent transactions and protects supporter payment information.
• Reduced chargebacks by requiring additional authentication.
• Compliance with EEA regulations so organizations can accept donations without legal or financial repercussions.

Fundraise Up combines its own anti-fraud technology with Stripe Radar to detect and prevent fraudulent donations. Stripe Radar provides automated fraud detection that you can adjust through your Stripe dashboard. Our fraud prevention system uses:

• Proprietary AI. Our system analyzes device characteristics and activity patterns across millions of transactions to identify and block fraud before it happens.
• Proxy detection. We flag transactions for review when a proxy is used to hide the supporter's actual location.
• Country flagging. We review transactions from countries with high fraud rates.
• Behavior analysis. Machine learning spots suspicious patterns in website traffic and transaction data.
• Honeypot approach. This method manages fraudulent activity discreetly by simulating card issues rather than blocking cards outright.
• Human review. Our fraud prevention team manually reviews flagged transactions to determine whether to process or block them.

Additionally, Stripe's hCaptcha mechanism operates in the background to deter automated fraudulent attempts while maintaining a smooth experience for legitimate supporters.

You can review fraud prevention effectiveness in your Insights, which displays prevented fraud incidents. For additional control, review your Stripe Radar Risk settings to adjust fraud detection parameters based on your organization's risk tolerance.

We provide tools to control who can access your organization's data and what they can do with it.

The Dashboard uses Role-Based Access Control (RBAC) based on the principle of "Just Enough Access." Users receive only the permissions needed to perform their job duties. We offer predefined roles including Organization Administrators, Campaign Administrators, and Support Specialists, each with access levels matched to their responsibilities.

User sessions last 30 days after login. After this period, users must sign in again.

Fundraise Up supports multiple authentication methods to protect account access.

Two-factor authentication (2FA)

2FA adds an extra security layer by requiring both a password and a verification code to log in. Users can enable 2FA through SMS or an authenticator app. Organization Administrators can require 2FA for all users.

When 2FA is not enabled and your account doesn't use required single sign-on, passwords must be updated every 90 days to maintain PCI DSS compliance.

Single sign-on (SSO)

SSO simplifies login by allowing users to access Fundraise Up with credentials from your Identity Provider. We support SSO through SAML 2.0, compatible with IdPs including Okta, Auth0, and Microsoft Entra ID.

SSO provides centralized account control and reduces password management burden. Administrators can set SSO to optional (users choose between SSO or password) or required (all users must use SSO).

SSO sessions last 12 hours, after which users must sign in again. When SSO is set to required, two-factor authentication is not needed at login because the IdP handles authentication security.

Fundraise Up holds certifications that demonstrate our commitment to security and compliance across multiple frameworks.

• ISO 27001 confirms our comprehensive approach to managing information security risks across all organizational levels.
• SOC 2 Type II demonstrates that our data management practices meet strict industry standards for security, availability, processing integrity, confidentiality, and privacy.
• PCI DSS Level 1 4.0.1 verifies secure handling of credit card information by our system and partners.
• WCAG 2.2 AA confirms that our web platforms are accessible to all users, including those with disabilities.

• GDPR (European Union and European Economic Area) guarantees compliance with data protection and privacy regulations.
• UK GDPR (United Kingdom) meets data protection standards for UK individuals.
• CCPA (California, US) complies with California Consumer Privacy Act requirements.
• PIPEDA (Canada) follows Personal Information Protection and Electronic Documents Act standards.
• CRA (Canada) aligns with Canada Revenue Agency requirements.

GDPR compliance

For organizations that accept donations from supporters in the EU, EEA, or UK, Fundraise Up provides tools and documentation to support GDPR compliance:

• Data Processing Addendum (DPA) with Standard Contractual Clauses and UK International Data Transfer Addendum.
• Built-in consent management for marketing communications and cookie preferences.
• Support for data subject rights including access, erasure, rectification, and objection.
• Data Protection Impact Assessment documentation.
• Annual GDPR audits conducted by Thoropass.

We operate as the Data Processor while your organization acts as the Data Controller, determining the purposes and means of processing personal data. Fundraise Up processes data only according to your instructions and provides the tools you need to meet your compliance obligations.

Fundraise Up uses only first-party cookies to support platform functionality, fraud detection, and analytics. We never use third-party cookies.

Campaign Pages include a built-in cookie banner that automatically displays to visitors in regions with strict privacy laws (EU, EEA, UK, Quebec). No setup is required. The banner lets supporters reject, accept, or manage individual cookie categories.

For the Checkout Modal on your website, you must add Fundraise Up's cookie information to your existing cookie banner if you accept donations from regions that require consent. We support integration with cookie management services and Google Tag Manager Consent API.

We maintain security through continuous monitoring, regular assessments, and trained personnel.

We conduct annual penetration tests and regular security assessments to identify and address vulnerabilities. Our incident response plan is reviewed and updated regularly to adapt to new security challenges.

You can monitor platform status in real-time through our Status page, which provides updates on operational status and any ongoing issues.

All team members complete regular security training to stay current on security practices. We conduct thorough background checks on all employees, especially those who handle sensitive data.

Role-specific training programs match the needs and access privileges of different positions, so every team member can handle their responsibilities securely.

Access to your data is limited to client-facing teams who understand data sensitivities and our responsibilities under Privacy Policy and Data Protection and Handling policy requirements. These policies are mandated and monitored under SOC 2 protocols.