Cybersecurity & Data Policy

GiveEasy Offices

GiveEasy is located in a building at 20 Spring Street, Bondi Junction 2022 NSW with a secure office. The offices are monitored at night by a dedicated security company. Within the building are Health and Medical organisations, all with strict security and access protocols.


The offices are accessed by security entrance, lifts with swipe access and an office that is only accessible by swipe 24hrs a day.

Staff and Employees

All staff, employees and contractors are vetted prior to working with GiveEasy or accessing any of our tools or systems. This includes a minimum of two in depth reference checks for any new staff to get a clear understanding of their skills, background and experience going back a minimum of 5 years.

Vendor Risk Management (VRM) Plan

GiveEasy assesses the following before allowing any third party access to its systems and platforms:

  • How much access is required to complete tasks laid out, keeping access to the minimum amount in both physical and virtual.

  • Minimum requirements across data and network controls.

  • Clear process for onboarding and offboarding including removing access at the soonest available time afterwork is complete.

IT/ Cybersecurity Outsourcing

GiveEasy uses the following tools to process donations, by using GiveEasy you also agree and comply with any/all of these protocols:

  • Stripe

  • Paypal

  • AWS

IT/ Cybersecurity Training (Staff and Contractors)

All staff are required to meet with the CTO/CEO to go through appropriate handling of data, this includes but is not limited to:

  • Who has access to data and at what level: Only the CTO and CEO has access to the database

  • Data will only be transferred in and out of the platform through SFTP provided either by GiveEasy or by the client’s preferred solution.

  • Clear protocols around what to do if a client sends data via an unsecure system. This will include deleting data immediately and notifying the client of accepted data transfer systems.

Current Security Technologies

We use Stripe, Paypal and AWS to process donations, each has significant security and privacy systems and protocols. We do not currently have any additional technologies over and above to manage security within GiveEasy.

Recurring Testing and Processes

GiveEasy doesn’t currently run any independent recurring testing however this is currently on our roadmap.

In the meantime the third parties we engage with run rigorous testing processes across their systems.

Independent Cybersecurity Assessments

As part of applying for and successfully achieving PCI DSS certification, independent assessments have been required and completed.

Compliance

GiveEasy is PCI DSS certified.We also work with suppliers with strong security protocols, you can find their protocols here:


Stripe

Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, we use the best-in-class security tools and practices to maintain a high level of security at Stripe.

Paypal

Every transaction is monitored and heavily guarded behind our advanced encryption to help prevent fraud and identity theft. And we’re leaders in risk management, constantly updating our systems to help block external threats so you can buy with confidence.

AWS

AWS supports more security standards and compliance certifications than any other offering, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171, helping customers satisfy compliance requirements for virtually every regulatory agency around the globe. Get started with the broadest set of compliance offerings today.

Sharing Data

GiveEasy has a centralised platform with very limited 3rd party providers used solely to host data and process donations. Where we do this we use the most secure nationally/internationally recognised providers available.

We use closed systems and servers where possible, with very limited access internally and externally.

Data that is collected on a client’s specific donation page is owned by that client and accessed by GiveEasy for the following reasons:

  • To process the donation/transaction

  • To support a client with their campaign

  • At a de-identified level to acquire high level analytics for the purposes of improving the products we provide.

GiveEasy’s data retention policy is to not hold onto data that it does not need. Upon generating personalised links, GiveEasy will delete charity data files from computers and servers immediately.

Notifiable Data Breaches Scheme

GiveEasy complies with Notifiable Data Breaches Scheme (NDB).

It is our policy that if we ever suspected any unauthorised access to our platform we would immediately notify all affected individuals as well as the Officer of the Australian Information Commissioner (OAIC)

All staff, employees and contractors at GiveEasy keep up to date with information around data breaches and information from the OAIC.

All staff, employees and contractors are required to watch: https://www.oaic.gov.au/privacy/training-resources/preventing-data-breaches-webinar

Data Breach Incident Response Plan

GiveEasy has been providing services to clients for almost a decade and in that time we have never once had a data breach.

GiveEasy experiences a data breach or one is suspected

Discovered by GiveEasy staff or directly by a client who notifies GiveEasy

What should GiveEasy staff members do?

GiveEasy Staff member notifies direct response team including CTO as direct owner of data risk and breach management, as well as: development team, CEO and Head of Product & Strategy.

Information needing to be included in notification: 

● Date

● Time

● Type of information accessed/affected

● Cause of breach (where known)

● Extent of breach

● Any related context that may help

What should the CTO do?

Determine whether a breach has or may have occurred. Determine severity of risk. Notify OAIC (as necessary). Work with Head of Product & Strategy and CEO to create a communication plan to those affected.

Data Breach Recovery Plan

Contain the breach

● Ensure no information or evidence can be deleted
● Limit access to breach: where possible shut down system, if unable to do so revoke or change computer access and address any weaknesses in the system either physically or virtually.

● Consider these questions: How did it happen? Who has access? What can be done to secure this information?

Assess the risks

Gather as much information as possible: 

● The type of information involved

● Circumstances in which data may have been accessed

● Was there any intent to harm in the breach, how can this harm be removed?

Consider breach notification

● Ensure policies and protocols are followed both internally and to OAIC

● Focus on information to affected users that is relevant to them.

● Use most accessible communication tools to ensure deliverability

● Is there anyone else who needs to know about the data breach?

Review the incident and take preventative actions

● Conduct a full security review of systems to analyse the root cause of the breach

● Create a prevention plan to ensure the issue cannot be repeated

● Regularly review and amend access to all systems to ensure only critical access is granted

Real-time Monitoring

Datadog:

Datadog provides us with real-time user session monitoring which allows us to identify and track suspicious activity. Integrates well with AWS which gives us tighter insight on specified activity.

AWS WAF:

AWS’s web protection service which provides the ability to set rules for specific IP addresses and regions, control flow of certain requests and groups based on certain rules and regions, and bot control

AWS Cloudwatch:

Real-time tracking and logging of system faults and database use. We can track queries made to the database to monitor.

Stripe Radar:

Highest level of fraud detection and real time alerts for suspicious activity.