Your Security Is Our Priority
Your organisation’s data security is mission-critical, and we take our commitment to protecting it extremely seriously. It’s just one more reason so many leading social good organisations trust us as their partner.
Our world-class security, privacy, and risk-management teams work every day to ensure the safety of your data by adhering to industry standard practices, conducting ongoing risk assessments, aggressively testing the security of our products, and continually assessing our infrastructure.
Compliance & Certifications
We maintain numerous security certifications, and our solutions meet rigorous international security and privacy standards, as validated by external auditors.
PCI-DSS & PCI PA-DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle credit cards from the major card schemes, including Visa®, MasterCard®, American Express®, Discover®, and JCB (the “Card Schemes”). PCI DSS is mandated by the Card Schemes and administered by the Payment Card Industry Security Standards Council. It was created to increase controls around cardholder data and so reduce credit card fraud. Compliance is validated annually: organisations handling large volumes of transactions are assessed either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA), who produces a Report on Compliance (ROC), while companies handling smaller volumes complete a Self-Assessment Questionnaire (SAQ).
The Payment Application Data Security Standard (PA-DSS), formerly known as the Payment Application Best Practices (PABP), is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). PA-DSS was introduced to provide the definitive data security standard for service providers that develop payment applications. It aims to prevent customer-hosted payment applications from storing prohibited sensitive data, and it requires software vendors to develop payment applications that are compliant with PCI DSS.
SOC 1 Type II
A Service Organisation Control (SOC) 1 audit, intended for CPA firms that audit financial statements, evaluates the effectiveness of the internal controls that affect the financial reports of a client using a service provider’s cloud solutions. The Statement on Standards for Attestation Engagements (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) are the standards under which a SOC 1 audit is performed and the basis of a SOC 1 report. The Type II designation indicates that the controls have been in place and operating over a period of time, from six months to one year.
SOC 2 Type II
A Service Organisation Control (SOC) 2 audit gauges the effectiveness of a service provider’s system or applications against the AICPA Trust Service Principles (security, availability, processing integrity, confidentiality, and privacy). The Type II designation indicates that the controls have been in place and operating over a period of time, from six months to one year.
HIPAA
HIPAA is the Health Insurance Portability and Accountability Act, the set of rules and regulations that define how protected health information (PHI) must be handled when a covered entity (a healthcare organisation) provides PHI to a vendor (a business associate).
Standard Contractual Clauses for EU, UK and Swiss data
Blackbaud offers Standard Contractual Clauses (“SCCs”) or Model Clauses as a mechanism to provide appropriate safeguards for the protection of personal data for EU, UK, and Swiss data protection purposes.
The EU Court of Justice recently ruled that Privacy Shield is not a valid mechanism for EU data controllers to send personal data to the US. However, the EU’s Standard Contractual Clauses (“SCCs”) remain one of the few safeguards a company can use to comply. The ICO has published instructions on this.
Sarbanes-Oxley (SOX)
The Sarbanes-Oxley Act of 2002 (often shortened to SarbOx or SOX) protects shareholders and the general public from accounting errors and fraudulent practices in publicly traded companies, while also improving the accuracy of corporate disclosures.
Customer Data Retention
Blackbaud maintains protocols and standards to help protect Customer Data, meaning the data consisting of Customers’ confidential information, including constituent data, contained in Blackbaud solutions. Customer Data doesn’t include aggregated or anonymized data, or data about a customer such as current or prospective customer contact information held in our internal customer management system. Blackbaud will only collect, process, and store Customer Data that is necessary to fulfill contractual obligations with customers. Blackbaud retains Customer Data throughout the full term of the contract for the relevant solution.
Upon cancellation of a solution, Blackbaud follows a standard process to remove Customer Data in accordance with industry standards. Typically, after a customer leaves Blackbaud entirely or cancels a particular solution, the Customer Data for that solution or solutions is decommissioned and removed from the applicable infrastructure, and the associated backups of that Customer Data are retained (offsite) for 90 days before being automatically purged. In some instances, Customer Data will be maintained to comply with legal and regulatory obligations. Blackbaud may also keep Customer Data to assist with fraud monitoring, detection, and prevention activities and to comply with tax, accounting, and financial reporting obligations.
Additionally, Blackbaud is required to retain certain Customer Data through contractual commitments to financial partners, and where data retention is mandated by the payment method(s) utilized by the customer. In all cases where Customer Data is retained, it is done in accordance with any limitation periods and records retention obligations that are imposed by applicable law.
Questions? Contact us.
To obtain a summary of the most recent third-party audit reports for our solutions:
- If you’ve purchased a Blackbaud solution, open a support case.
- If you are a prospective customer, contact your sales representative.