Skip to content

Security Infrastructure and Incident Management

Evergiving’s platform and infrastructure are designed to maintain the highest levels of data security. Our approach encompasses encryption, access control, physical security, and network segregation, ensuring that personal data is always protected.

Encryption

Evergiving uses a Hardware Security Module (HSM) approach to encryption and key management. All personal data stored in our system is encrypted using symmetric keys, which are known only to the HSMs. These HSMs are tamper-proof and fully redundant, providing an additional layer of security.

  • Data at Rest: Encrypted using symmetric keys, secured within the HSMs.
  • Data in Transmission: Protected using TLS 1.2 or higher, ensuring secure transmission of data across networks.

To further ensure security, GPG/PGP key management is available for securely transferring flat file exports to Data Controllers.

Access Control

Access to data is tightly controlled both for customers and internally within Evergiving:

  • Customer Access Control: Role-based access ensures that only authorized users can access relevant data. For example, fundraisers can only input data and cannot access it once submitted.
  • Internal Access Control: Access to production systems is highly restricted, requiring multi-factor authentication, VPNs, and SSH. Strict off-boarding procedures ensure access is revoked when employees leave the company.

Physical Security

Evergiving’s servers are housed in highly secure, non-disclosed data centers with military-grade perimeter controls. Physical access is controlled through multi-factor authentication at multiple security checkpoints, ensuring that only authorized personnel can access data center floors.

Network Security

Our platform employs network segregation, isolating critical data from public-facing services. Firewalls are used to control access between systems, and system components follow PCI-compliant infrastructure standards.

  • Firewall Controls: By default, all access is denied, and only explicitly allowed protocols are permitted. Firewall rules are regularly reviewed to ensure compliance with security standards.
  • Host-Based Firewalls: Additional restrictions are applied to internal applications, limiting inbound and outbound connections to further mitigate risk.

Disaster Recovery

Evergiving’s infrastructure is distributed across multiple high-availability zones, ensuring resilience. In the event of a system failure, the platform automatically restores databases and recovers failed components. Our disaster recovery systems are tested continuously to ensure they are functioning correctly.

Application Security

Evergiving’s developers have a minimum of 15 years of experience and follow industry-standard secure coding practices (OWASP, CERT). Our development environment includes:

  • File-Integrity Monitoring
  • Rootkit Detection
  • Intrusion Detection Systems

Changes to production systems are subject to strict change control, peer review, and monitoring, ensuring the platform’s integrity.

Training and Awareness

Security awareness is part of Evergiving’s culture. All team members, from the CEO to support staff, are regularly trained and are expected to uphold high-security standards. Security is a weekly, if not daily, discussion to ensure it remains a top priority. We comply with minimum security training standards as required by PCI DSS, but go beyond these to ensure a deep, company-wide focus on security best practices.

Supplier Management

Evergiving evaluates all third-party service providers through formal, documented procedures. Any sub-processors that handle personal data must sign Data Protection Agreements (DPA) to ensure compliance with privacy regulations.

If you need to execute a Data Processing Agreement (DPA) with Evergiving, please email dpa@evergiving.com.

Incident Management

Evergiving has a formal incident response plan that is exercised annually. If a security incident occurs, it is recorded, and a transparent escalation and notification procedure is followed.

Our incident response plan is exercised annually, and any security incident is recorded and escalated following a strict notification procedure.