Security, Compliance, and Data Handling¶
Evergiving takes security and data privacy seriously. Thousands of charities worldwide trust us to handle their sensitive supporter data. Our approach to data protection is comprehensive and is independently audited against PCI DSS, the card industry's security standard.
"Nothing is more important to Evergiving than ensuring the security of our customers' information and the protection of new supporters' personal data."
— James Goodridge, CEO and Data Protection Officer, Evergiving
PCI DSS Level 1 Compliance¶
Evergiving is certified at PCI DSS Level 1 across the entire business, demonstrating a rigorous commitment to data security:
- Comprehensive Security Framework: Our security practices cover all organizational and technical controls required by PCI DSS and are assessed annually by independent auditors. A Level 1 assessment is an on-site audit that produces a formal Report on Compliance, which goes beyond the self-assessment questionnaire that lower-level merchants, such as most retail stores, are permitted to complete.
- Continuous Testing: Evergiving undergoes annual penetration testing and quarterly vulnerability scans, both performed by external accredited organizations (the quarterly external scans by a PCI Approved Scanning Vendor, as the standard requires).
- Highest Level of Security: Level 1 is the most stringent PCI DSS validation level. It is required of payment gateways, financial institutions, and merchants processing more than 6 million card transactions per year. Compliance at this level permits Evergiving to store cardholder data such as the primary account number, which must be rendered unreadable at rest. Sensitive authentication data (the CVV2 security code, full magnetic-stripe data, and PINs) is never retained after authorization, as PCI DSS forbids it.
Evergiving’s servers are located in Ireland, and all customer and supporter personal data is stored and processed within the EU.
Privacy and Data Protection¶
Evergiving continuously monitors data protection regulations in every country where we operate and adapts its controls to remain compliant. Our platform adheres to GDPR requirements, and we apply the technical and organizational measures the regulation requires (Article 32) to safeguard personal data.
Evergiving is fully GDPR compliant.
Data Handling and Storage¶
Evergiving processes personal data, including both supporter and fundraiser information, on the instructions of Fundraising Agencies and Charities, which act as Data Controllers. Here’s how we handle the different types of personal data:
- Supporter Personal Data: We process data to facilitate donations (direct debit, credit card, SMS) and manage communication preferences. Supporter data is only processed to the extent necessary for setting up and maintaining donations.
- Fundraiser Personal Data: Evergiving processes data related to fundraisers, including working hours and performance metrics. This data is provided by Data Controllers and is used to generate reports on fundraisers’ activities, which may include anonymized supporter data for performance reviews.
Special Categories of Data¶
Evergiving does not store or process personal data revealing racial or ethnic origin, political opinions, religious beliefs, genetic or biometric data, health data, or information concerning a person's sex life or sexual orientation (the special categories defined in GDPR Article 9).
Secure Collection, Processing, and Destruction of Data¶
Supporter Consent: Supporters must explicitly opt in to marketing communications, and consent is collected separately for each purpose. Evergiving provides two consent display formats:
- In-line consent: Placed directly under each contact method.
- Block consent: Collected below a block of contact methods.
Consent can be collected using one of two options:
- Yes/No radio buttons: Neither option is pre-selected, and a choice is mandatory before the form can be submitted.
- Yes checkbox: Not pre-checked; ticking it is optional, and an unticked box records no consent.
Transactional Communications: Consent is not required for transactional communications, such as one-to-one emails, SMS messages, or phone calls that are functional and triggered by a transaction (for example a donation receipt or a direct debit notice).
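The server-side half of the consent rules above, as an added example that is not Evergiving's own code: it turns a submitted form into per-channel consent, enforces that a radio submission carries an explicit choice for every channel, treats an absent checkbox as "no" (browsers omit unticked checkboxes from the form data entirely, so a handler that defaults missing fields to true silently manufactures consent), and produces the evidence record a Data Controller needs. The channel names, field names and record layout are assumptions for illustration.

```python
from datetime import datetime, timezone

# Hypothetical contact methods and form field names; not Evergiving's schema.
CHANNELS = ("email", "sms", "phone", "post")


class ConsentError(ValueError):
    """The submission does not carry an explicit, unambiguous choice."""


def parse_consent_form(form, mode):
    """Map a submitted form (field name -> raw string, as an HTTP handler sees it)
    to {channel: bool}, applying the rules of the chosen display mode.

    "radio":    each channel must carry an explicit "yes" or "no"; a missing or
                unexpected value is an error, never defaulted either way.
    "checkbox": a ticked box submits "on" (the browser default when the input has
                no value attribute); an unticked box is simply absent from the
                form data, which must be read as no consent.
    """
    if mode not in ("radio", "checkbox"):
        raise ValueError(f"unknown consent mode {mode!r}")
    choices = {}
    for channel in CHANNELS:
        raw = form.get(f"consent_{channel}")
        if mode == "radio":
            if raw not in ("yes", "no"):
                raise ConsentError(f"no explicit choice for {channel}")
            choices[channel] = raw == "yes"
        else:
            # Only the exact value a ticked box submits counts; anything else
            # (missing, "true", "1" injected by a tampered client) is no consent.
            choices[channel] = raw == "on"
    return choices


def build_consent_record(form, mode, consent_text_version, captured_at=None):
    """Produce the evidence a Data Controller needs to demonstrate consent:
    per-channel choices, when they were captured, and which wording was shown."""
    captured_at = captured_at or datetime.now(timezone.utc)
    return {
        "captured_at": captured_at.isoformat(),
        "consent_text_version": consent_text_version,
        "mode": mode,
        "choices": parse_consent_form(form, mode),
    }


def may_contact(record, channel, transactional):
    """Transactional messages need no consent; anything else requires a recorded
    opt-in for that exact channel, never inferred from another channel."""
    if transactional:
        return True
    return record["choices"].get(channel, False)


if __name__ == "__main__":
    # Constructed submission: checkbox mode, only SMS ticked.
    record = build_consent_record({"consent_sms": "on"}, "checkbox", "v3")
    print(record)
    print("marketing email allowed:", may_contact(record, "email", False))
```

Storing the consent text version alongside the choices matters as much as the booleans: if the wording shown to the supporter changes, the Controller must be able to show which version each person agreed to.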
Data Retention and Anonymization: Personal data is retained only as long as necessary. As part of its ISO/IEC 27001-aligned controls, Evergiving provides an anonymization feature that overwrites personal data fields with randomized strings while preserving performance statistics that do not identify a person. Because the original values are overwritten rather than replaced with a reversible token or keyed hash, the result is anonymized data, which falls outside the GDPR (Recital 26), rather than pseudonymized data, which is still personal data. Data Controllers can configure retention schedules according to their campaign needs.
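The anonymization and retention behaviour described above, as an added example that is not Evergiving's own code: PII fields are overwritten with fresh CSPRNG strings, statistics fields are kept verbatim, any unclassified field fails closed rather than being silently retained, and a retention sweep anonymizes only records whose donation has ended and whose Controller-configured retention period has elapsed. The field lists, record layout and sample record are constructed for illustration.

```python
import secrets
from datetime import date, timedelta

# Hypothetical supporter-record layout; not Evergiving's schema.
PII_FIELDS = frozenset({"first_name", "last_name", "email", "phone",
                        "address", "date_of_birth"})
STATS_FIELDS = frozenset({"fundraiser_id", "campaign_id", "signup_date",
                          "ended_date", "monthly_amount", "currency", "status"})

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.org",
    "phone": "+44 7000 000000", "address": "1 Example Street",
    "date_of_birth": "1815-12-10",
    "fundraiser_id": "F-17", "campaign_id": "C-9",
    "signup_date": date(2023, 1, 5), "ended_date": date(2023, 6, 30),
    "monthly_amount": 12.5, "currency": "GBP", "status": "cancelled",
}


def anonymize_record(record):
    """Return a copy in which every PII field is overwritten with a fresh random
    string and every statistics field is kept verbatim.

    Replacement values come from a CSPRNG and neither the original value nor any
    key is kept, so nothing links the result back to the person. That is what
    makes this anonymization rather than pseudonymization: a keyed hash of the
    e-mail address would still be personal data under GDPR Recital 26.

    A field in neither list raises: a column added later must be classified
    before a sweep runs, instead of being retained by default.
    """
    out = {}
    for field, value in record.items():
        if field in PII_FIELDS:
            out[field] = secrets.token_urlsafe(12)
        elif field in STATS_FIELDS:
            out[field] = value
        else:
            raise KeyError(f"unclassified field {field!r}; classify before anonymizing")
    return out


def due_for_anonymization(record, retention_days, today):
    """Due once the donation has ended and the retention period has elapsed;
    active donations are never due, whatever the schedule says."""
    if record["status"] == "active" or record.get("ended_date") is None:
        return False
    return today - record["ended_date"] > timedelta(days=retention_days)


def apply_retention(records, retention_days, today):
    """Retention sweep: anonymize every due record, leave the rest untouched."""
    return [anonymize_record(r) if due_for_anonymization(r, retention_days, today) else r
            for r in records]


def campaign_monthly_total(records, campaign_id):
    """Performance statistics stay computable after the sweep."""
    return sum(r["monthly_amount"] for r in records if r["campaign_id"] == campaign_id)


if __name__ == "__main__":
    swept = apply_retention([SAMPLE_RECORD], retention_days=180, today=date(2024, 1, 1))
    print(swept[0])
    print("C-9 monthly total:", campaign_monthly_total(swept, "C-9"))
```

Running the sweep twice over the same source record yields two different random strings, which is the property to check in a review: if an anonymizer produces the same output for the same input, it is a deterministic pseudonym and the data is still personal data.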
Data Subject Rights¶
Evergiving fully supports and complies with the rights of Data Subjects, including:
- Right to Access
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Data Portability
- Right to Object to Profiling and Automated Decision-Making
If a supporter or fundraiser submits a data request to Evergiving, we forward it to the relevant Data Controller and act on their instructions.
Data Protection Outside the EU¶
Evergiving also complies with local data protection legislation in regions outside the EU, such as:
- The Australian Privacy Act 1988.
- The New Zealand Privacy Act (the 1993 Act, replaced by the Privacy Act 2020).
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
- South Korea’s Personal Information Protection Act (PIPA).
Who is responsible for Data Protection at Evergiving?¶
Our Data Protection Officer is James Goodridge, CEO of Evergiving.
You can contact him at james@evergiving.com or call +44 740 885 4777.