Funraise is a PCI Compliant Service Provider and tokenizes all credit card information in a PCI Level 1 certified tokenization vault. Funraise is partnered with Sikich as our QSA and independent security assessor.
Funraise is deployed to Heroku.com, a Salesforce.com company. Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and utilizes the Amazon Web Service (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:
Additionally, all Funraise data is managed in a premium Postgres cluster with hot standby which benefits from geo-redundancy, point-in-time recovery, priority service restoration on disruptions, and automatic encryption-at-rest of all data written to disk.
Funraise employs modern ciphers and hashing algorithms for data encryption and password hashing. Communications to and from Funraise servers are encrypted by TLS 1.2+.
For DDoS Mitigation, Funraise is protected by AWS Shield, a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage Funraise Support to benefit from DDoS protection.
AWS Shield defends against most common, frequently-occurring network and transport layer DDoS attacks and provides comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.
Additionally, Funraise employs a Content Delivery Network and Web Application Firewall for its front-end services to help mitigate higher protocol attacks.
Funraise coding guidelines are integrated with OWASP best practices. These practices are enforced through static code analysis and peer review of every change made to the Funraise codebase. Funraise also employs a dedicated QA team as well as independent security specialists that test our software for bugs and potential vulnerabilities.
Funraise employs several internal and external protocols to mitigate the risk of online payment fraud. It should be noted that payment fraud is unrelated to the security of your data, but is within the realm of bad actors on the internet. You can learn more about payment fraud here. We utilize and enable the following interventions to mitigate fraud:
Funraise maintains internal security policies and guidelines and conducts annual security training with all employees. Employees are required to use multi-factor authentication for all critical systems and employ our enterprise password manager for generation and storage of secure passwords. All employees are trained to use GPG encryption tools for sensitive data. Funraise performs its own internal penetration tests in addition to PCI-mandated annual penetration audits.