Your Security Is Our Priority
Your organisation’s data security is mission-critical, and we take our commitment to protecting it extremely seriously. It’s just one more reason so many leading social good organisations trust us as their partner.
Our world-class security, privacy, and risk-management teams work every day to ensure the safety of your data by adhering to industry standard practices, conducting ongoing risk assessments, aggressively testing the security of our products, and continually assessing our infrastructure.
Compliance & Certifications
We maintain numerous security certifications, and our solutions meet rigorous international security and privacy standards, as validated by external auditors.
PCI-DSS & PCI PA-DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle credit cards from the major card schemes, including Visa®, MasterCard®, American Express®, Discover®, and JCB (“Card Schemes”). PCI DSS is mandated by the Card Schemes and administered by the Payment Card Industry Security Standards Council. PCI DSS was created to increase controls around cardholder data in order to reduce credit card fraud. Validation of compliance is performed annually: organisations handling large volumes of transactions are assessed either by an external Qualified Security Assessor (QSA) or by a firm-specific Internal Security Assessor (ISA), who produces a Report on Compliance (ROC); companies handling smaller volumes complete a Self-Assessment Questionnaire (SAQ).
The Payment Application Data Security Standard (PA-DSS), formerly known as the Payment Application Best Practices (PABP), is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). PA-DSS was introduced to provide the definitive data standard for service providers that develop payment applications. PA-DSS aims to prevent customer-hosted payment applications from storing prohibited secure data. PA-DSS also requires software vendors to develop payment applications that are compliant with the Payment Card Industry Data Security Standard (PCI DSS).
SOC 1 Type II
A Service Organisation Control (SOC) 1 audit, intended for CPA firms that audit financial statements, evaluates the effectiveness of internal controls that affect the financial reports of a client using a service provider’s cloud solutions. The Statement on Standards for Attestation Engagements (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) are the standards under which a SOC 1 audit is performed and the basis of a SOC 1 report. The Type II designation ensures that the controls have been in place over a period of time from six months to one year.
SOC 2 Type II
A Service Organisation Control (SOC) 2 audit gauges the effectiveness of a service provider’s system or applications, based on the AICPA Trust Service Principles (security, availability, processing integrity, confidentiality, and privacy). The Type II designation ensures that the controls have been in place over a period of time from six months to one year.
HIPAA
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. HIPAA is the group of codes and regulations that define the treatment of protected health information (PHI) when a covered entity (healthcare organisation) provides PHI to a vendor (business associate).
Standard Contractual Clauses for EU, UK and Swiss data
Blackbaud offers Standard Contractual Clauses (“SCCs”) or Model Clauses as a mechanism to provide appropriate safeguards for the protection of personal data for EU, UK, and Swiss data protection purposes.
The EU Court of Justice recently ruled that Privacy Shield is not a valid mechanism for EU data controllers to send personal data to the US. However, the EU’s Standard Contractual Clauses (“SCCs”) are one of a few safeguards that a company can use to comply. Guidance on their use is available from the ICO.
Sarbanes-Oxley (SOX)
The Sarbanes-Oxley Act of 2002 (often shortened to SarbOx or SOX) protects shareholders and the general public from accounting errors and fraudulent practices in publicly traded companies, while also improving the accuracy of corporate disclosures.
Questions? Contact us.
To obtain a summary of the most recent third-party audit reports for our solutions:
- If you’ve purchased a Blackbaud solution, open a support case.
- If you are a prospective customer, contact your sales representative.