The Most Secure Choice You Can Make

At Benevity, compliance, risk management and security are a state of mind — not just a checklist.


A Leader in Our Industry

As a global company with global clients, Benevity provides products and services that are regulated around the world. We have always made significant investments in our security and compliance practices, providing you with the assurance that your data is safeguarded and that you’re partnering with the leader in our industry.

Since we’ve been at this for more than a decade, and our clients include some of the world’s most iconic companies, with large, sophisticated privacy and security protocols of their own, we have undergone a tremendous amount of due diligence, which has produced a maturity and openness that will bring you peace of mind.

Privacy and GDPR

In May 2018, European regulators implemented the General Data Protection Regulation (GDPR). This far-reaching legislation was designed to protect the privacy rights of individuals in the EU and mandates strict standards for how personal data can be used, collected or transferred, regardless of where their personal information is located and processed. GDPR requires data controllers and data processors to implement appropriate technical and organisational measures to ensure a level of security that is appropriate to the risks presented.

GDPR compliance

In response to these changes in the privacy landscape, Benevity enhanced its existing privacy programme to comply with the new requirements. This programme is based on current regulations, industry best practices from professional associations like the International Association of Privacy Professionals, as well as EU legal guidance and advice on data protection compliance. We have worked with some of the largest employers in the EU, including Privacy Officers, to satisfy GDPR and Works Councils requirements for their programmes.

Benevity’s Privacy Policy

To keep everyone informed, we publish our privacy policy, which has been updated with respect to GDPR and provides information regarding the collection, processing, onward transfer, retention and destruction of personal information. For more information, please contact

Companies with the strictest security practices trust Benevity, including:


Dedicated Team of Security Professionals

Benevity’s dedicated Governance and Controls team oversees our adherence to an ever-changing and expanding compliance landscape. We also have a Security Operations team that spends day and night thinking about zero-days, back doors and distributed denial-of-service attacks. In addition to extensive industry experience, our people are active members in, hold certifications from and, in some cases, have held leadership positions in such organisations as: 

  • (ISC)², which issues the Certified Information Systems Security Professional (CISSP) designation
  • American Institute of Certified Public Accountants and Canadian Institute of Chartered Accountants
  • Institute of Internal Auditors
  • Information Systems Audit & Control Association (ISACA), which issues the Certified Information Systems Auditor (CISA) designation
  • International Association of Privacy Professionals (IAPP), which issues the Certified Information Privacy Professional (CIPP) designation

Industry-Leading Certifications and Standards

We’re dedicated to meeting the highest standards in the regions where we operate. We realise that each certification we earn is not a destination, but an opportunity to continue to learn from — and partner with — the best security companies in the business, as well as from our clients and business partners. If you would like copies of these certifications, please talk to your Benevity contact and they’ll be happy to provide them.


For several years, Benevity has issued an annual SSAE18 SOC 1 Type 2 report. We issue the SOC report to help our clients, and the CPAs who audit them, evaluate our controls and to assist clients designing their own controls around our services. Ask other vendors if they issue their own SOC reports (they likely don’t). Most rely on those of their hosting providers.

Shared Assessments SIG

Through our membership in the Shared Assessments Programme, we pass on the benefits of assessment tools like the Standard Information Gathering (SIG) tool. In addition, our participation in the programme means working alongside industry peers to influence and create assessment tools.


Benevity and all the service providers on our platform are Payment Card Industry Data Security Standard (PCI DSS) certified.


Security Practices

Benevity has developed its operational security practices based on guidance from leading industry standards and frameworks, including: 

  • COBIT issued by the IT Governance Institute
  • ISO 27001 specification for an Information Security Management System (ISMS)
  • SANS Critical Security Controls
  • Cloud Security Alliance’s Cloud Controls Matrix

While these standards and frameworks are valuable, they’re a starting point. Our Security Operations team uses principles like “defense in depth” and “privacy by design” to make Benevity’s environment (including all physical locations, IT infrastructure, applications, databases and third-party providers) as secure as possible.

Physical security

Physical security encompasses all the locations where we operate. That includes business offices, data centers and even our laptops. As part of Benevity’s security programme, the following is true for each of our physical locations:

  • CCTV cameras are in place and footage is stored per our security policies.
  • Electronic locks with assigned key cards/fobs, which are assigned according to a strict access management procedure for granting, revoking and changing access.
  • Various security zones with restricted access based on job role.
  • All access (successful/failed) attempts are logged, with logs stored per our security policies.
  • All visitors are registered and escorted, with registry stored per our security policies.
  • A clean desk/clean whiteboard policy.

The physical security at the data center (where your data is stored and processed) goes above and beyond the above standards. Benevity uses Amazon Web Services (AWS), a leader in the cloud hosting space, and as such, controls include:

  • Data center access is restricted to AWS employees and contractors.
  • Data centers are controlled by professional security personnel.
  • Redundant power and network services.
  • Fire detection and suppression.
  • Climate and temperature are strictly controlled.
  • Media are handled per NIST 800-88 guidelines for sanitization.
Network infrastructure and security

We subscribe to the AWS shared responsibility model, where AWS operates, manages and controls the components from the virtualisation layer down to the physical security of the facilities where the services operate. Our responsibilities are up the stack from the guest operating system and include the network configuration, databases and applications. This framework and model are made clear to all Benevity teams involved, including our:

  • Site Reliability Engineering team
  • Security Operations team
  • Governance and Controls team
  • Product Development team

To fulfill this responsibility, Benevity follows industry best practices and subscribes to AWS’s well-architected framework for the design of all our systems.

Security Operations team

Benevity has a dedicated Security Operations team with many years of combined experience in securing enterprise IT environments and security-incident response. We also periodically engage Managed Security Service Providers from reputable, globally recognised companies. This team has developed a security practice that includes:

  • DDOS protection
  • File integrity monitoring
  • Intrusion prevention system
  • Anti-malware
  • Security information and event management
  • Continuous web application security scanning and business logic assessments conducted by an independent third party
  • Vulnerability management and patching policy
  • Network penetration testing conducted by an independent third party
Change management to ensure authorized changes only

A formal Change Advisory Board enforces Benevity’s controls over changes to production systems, including:

  • Maintenance and controlled access to a production environment and several non-production environments (development, test, staging, etc.)
  • Ensuring every change to Benevity’s system is appropriately authorised
  • Testing changes by dedicated in-house Quality Assurance people before production
  • Thousands of automated tests prior to production
  • Segregation of Duties (SoD), progression of changes through different environments
  • Maintaining a system of segregation of incompatible duties
Logical security

Logical security involves controlling access to IT systems and making sure people have a valid reason to access, read or modify business information. Benevity maintains a system of role-based access controls, as well as the necessary processes to support:

  • Access on a need-to-know and least-privilege basis
  • Documented access requests and approvals
  • Periodic reviews of access to ensure those who have it still need it
  • Authentication controls including strong passwords and multifactor authentication
Security awareness is embedded in our culture

At Benevity, we recognise that security risks go beyond IT systems and include a human element. As such, we use significant resources to maintain a high level of security awareness among our people. This helps them understand the security requirements of our clients and the regulations we are subject to, as well as emerging security threats. Everyone at Benevity goes through formal security awareness training and regular phishing simulation testing. And many informal training opportunities are available to our people, including seminars, hands-on activities and question-and-answer sessions with security personnel.

We were impressed by Benevity’s industry-leading security practices. This security review was the best we’ve seen.

Head of Security at a global Fortune 500 manufacturing company

Compliance and Third-Party Partnerships

Benevity’s code of conduct and business ethics holds us to the highest standards of compliance with the laws and regulations in all the regions in which we operate. 

Our Governance and Controls team works with all our functional areas, from Marketing to Finance, to ensure we’re aware of current and emerging obligations and doing what is required to maintain our commitment to compliance.

What compliance means in our space

Benevity is in the business of corporate purpose and has products and services that fall under the employee engagement, customer engagement and community investment umbrellas. Benevity is also a global company and, as such, our product and service offerings are under the oversight of regulators around the world. 

Third-party partnerships make us stronger

Cloud, APIs, virtualisation, containers, microservices — oh my! In the modern era, it’s unusual to find a business that doesn’t rely on third parties to deliver its products and services to clients, and Benevity is no exception. We work with third parties who are the best at what they do and pass that excellence on to our clients. All our third parties undergo rigorous scrutiny before they’re accepted into the Benevity ecosystem, as well as continuous monitoring to ensure their governance, risk management and controls remain up to Benevity’s standards. We do business only with companies who issue independent assurance of their compliance with industry standards such as SSAE18, ISO 27001, PCI DSS, etc. We use these providers:

  • Amazon Web Services (AWS) for cloud hosting
  • BlueSnap for payment processing
  • CyberSource for payment processing
  • Foundation Partners (AOGF, AUOGF, COGF, IOGF, OGF [India], UKOGF) for secure donation processing
  • PayPal for payment processing

Trust and Safety in the Charitable Landscape

Benevity is privileged to be a platform player in the corporate purpose business. Through our activities in this space, we encounter charities and nonprofits, individual and corporate donors, financial and IT service providers, as well as regulators. 

We also encounter bad actors. Given these factors, we have put in place several trust and safety measures to deliver complete and accurate transaction processing while keeping the bad people at bay.

Leaders in global charity vetting

Before a nonprofit enters the Benevity ecosystem, our dedicated vetting team makes sure they’re in good standing with the authorities in their region. We then continuously monitor all organizations in our nonprofit database against sanction lists, enforcement actions and adverse media.


Benevity’s team has implemented several fraud detection and prevention measures. These include manual and automated procedures to maintain the integrity of the transactions in our system and minimize abuses.

Disaster recovery and business continuity

We all know that bad things sometimes happen to good people, and we spend a fair bit of time thinking about the different kinds of risks that threaten our company and our clients’ good work. Our dedicated Business Continuity Planning committee performs periodic business-impact assessments and oversees Benevity’s Disaster Recovery Plan, and the testing of that plan. Data is replicated across two AWS hosting regions, with each region consisting of multiple “availability zones” (independent data centers) to ensure redundancy and high availability. Our recovery-time objective is four hours.