Security

Your Security Is Our Priority

Your organization’s data security is mission-critical, and we take our commitment to protecting it extremely seriously. It’s just one more reason so many leading social good organizations trust us as their partner.

Our world-class security, privacy, and risk-management teams work every day to ensure the safety of your data by adhering to industry standard practices, conducting ongoing risk assessments, aggressively testing the security of our products, and continually assessing our infrastructure.

Compliance & Certifications

We maintain numerous security certifications, and our solutions meet rigorous international security and privacy standards, as validated by external auditors.

PCI-DSS & PCI PA-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle credit cards from the major card schemes including Visa®, MasterCard®, American Express®, Discover®, and JCB (“Card Schemes”). PCI DSS is mandated by the Card Schemes and administered by the Payment Card Industry Security Standards Council. PCI DSS was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually, either by an external qualified security assessor (QSA) or by a firm-specific internal security assessor (ISA) who creates a report on compliance (ROC) for organizations handling large volumes of transactions or by self-assessment questionnaire (SAQ) for companies handling smaller volumes.

The Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). PA-DSS was implemented in an effort to provide the definitive data standard for service providers that develop payment applications. PA-DSS aims to prevent customer hosted payment applications from storing prohibited secure data. PA-DSS also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards (PCI DSS).

SOC1

A Service Organization Control (SOC) 1 audit, intended for CPA firms that audit financial statements, evaluates the effectiveness of internal controls that affect the financial reports of a client using a service provider’s cloud solutions. The Statement on Standards for Attestation Engagements (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) are the standards under which a SOC 1 audit is performed and the basis of a SOC 1 report. The Type II designation ensures that the controls have been in place over a period of time from six months to one year.

SOC2

A Service Organization Control (SOC) 2 audit gauges the effectiveness of a service provider’s system or applications, based on the AICPA Trust Service Principles (security, availability, processing integrity, confidentiality, and privacy). The Type II designation ensures that the controls have been in place over a period of time from six months to one year.

HIPAA

HIPAA is an acronym for Health Insurance Portability and Accountability Act. HIPAA is the group of codes and regulations that define the treatment of protected health information (PHI) when a covered entity (healthcare organization) provides PHI to a vendor (business associate).

Standard Contractual Clauses for EU, UK and Swiss data

Blackbaud offers Standard Contractual Clauses (“SCCs”) or Model Clauses as a mechanism to provide appropriate safeguards for the protection of personal data for EU, UK, and Swiss data protection purposes.

The EU Court of Justice recently ruled that Privacy Shield is not a valid mechanism for EU data controllers to send personal data to the US. However, the EU’s Standard Contract Clauses (“SCCs”) are one of a few safeguards that a company can use to comply. You can read the ICO’s instructions here.