We undergo regular independent verification of our security, privacy and compliance programs — so you have peace of mind.
We partner with industry leaders, integrate the latest safeguards and continuously assess threats — so your data and donations are safe with us.
Privacy is a fundamental right and its requirements vary around the world. We comply with the strictest protocols — so you know (and control) how your information is used.
Vetting & validation
We validate and monitor the legitimacy of each of the over two million nonprofits on our platform — so you can be confident that your funds are going to organizations in good standing.
Benevity leads the way in compliance — it’s a key reason why companies with the strictest security standards choose us. We maintain the most comprehensive set of industry-recognized certifications and attestations to ensure your data remains secure.
SOC 2 and SOC 1 Reports
Benevity undergoes annual independent evaluations on the effectiveness of our internal controls against the globally recognized System and Organization Controls (SOC) requirements, based on the Auditing Standards Board of the American Institute of Chartered Professional Accountants. These SOC reports provide assurance to our clients that our control descriptions are accurate, suitably designed and operating effectively. Benevity currently issues SOC 1 Type II and SOC 2 Type I reports, with our SOC 2 Type II report expected to be made available in December 2022.
CSA STAR Level 1
The Cloud Security Alliance (CSA) is a nonprofit organization dedicated to promoting best practices for security and privacy controls for cloud computing offerings. The CSA’s Security, Trust, Assurance and Risk Registry (CSA STAR) helps organizations assess cloud service providers.
PCI Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is the global payments industry security standard. The Payment Card Industry Security Standards Council, which created the PCI DSS, develops resources for safe payments worldwide. Benevity partners with PayPal and BlueSnap, certified PCI DSS payment providers, to protect cardholder data. Benevity does not collect, store or process any cardholder data. Cardholder data is collected directly by our PCI DSS certified partners who specialize in payment processing services. To ensure we meet our obligations, Benevity completes an annual PCI SAQ-A for payment processing security.
U.K. Financial Supplier Qualification System certified
As part of Benevity’s ongoing commitment to our Financial Services clients, we have successfully attained our Stage 2 Qualification of the Financial Supplier Qualification System (FSQS). This includes responsible business practices through due diligence and is an accreditation tool used by leading financial organizations. This accreditation not only demonstrates our strong compliance with the EU’s General Data Protection Regulation (GDPR) but also requires us to be audited against other areas such as data security, health and safety, anti-corruption, fraud, supply chain and modern slavery, as well as our Environmental, Social and Governance commitments for diversity and inclusion and environmental and sustainability practices. For more information, click here.
Certified B Corporation
B Corp certification verifies Benevity’s commitment to meeting high standards for performance, accountability and transparency on factors from employee benefits and charitable giving to supply chain practices and input materials. Unlike traditional corporations, Certified B Corporations are legally required to consider the impact of their decisions on their employees, suppliers, community, consumers and environment. For more information, click here.
Our security commitment
We ensure that your data is secure across all Benevity products and services.
Our security-by-design approach to product development means we build through the lens of security. We integrate with your identity providers for SSO to make your giving experience simple and seamless.
Security and privacy is embedded into our culture. Our people take regular training to protect themselves, our clients and our business and are made aware of the latest security risks and threats.
Threats to cybersecurity are always evolving. Our security teams work with globally recognized partners to ensure our platform adopts the latest protections and is continuously scanned for threats and vulnerabilities.
Our privacy commitment
We ensure that every user’s privacy rights are respected, wherever they are in the world.
With a global client base, Benevity’s privacy program is designed to meet the world’s strictest regulatory requirements. The EU’s General Data Protection Regulation (GDPR) is considered the world’s leading regulatory framework, setting the standard for all other jurisdictions. Benevity regularly monitors and updates our privacy program to ensure alignment with the changing regulatory landscape, recent EU decisions such as the invalidation of the EU-U.S. Privacy Shield and the U.K.’s exit from the EU.
Recent EU decisions like Schrems II have highlighted the necessity of employing additional safeguards to secure data during cross-border transfers. Benevity uses industry-leading encryption methods to protect data both in transit and at rest.
Benevity’s commitments are detailed below.
Our reliability commitment
To ensure our products are highly available and scalable, we partner with the world leader in cloud infrastructure hosting, AWS.
The call for Goodness can come at any time, and your program should be ready to respond — 99.5% uptime is our promise to you.
Developed using AWS’s Elastic Cloud Computing, our products scale rapidly when demand increases and certain thresholds are hit.
Resiliency, continuity and recovery
When the unexpected happens, we’re ready. We have the people in place and the alternate infrastructure on standby.
Our global vetting commitment
We ensure that every nonprofit on our platform is legitimate and in good standing.
Maintaining the largest database of nonprofits in the world (over two million!) means that we employ highly sophisticated vetting processes so you can give with confidence.
Benevity has dedicated teams monitoring for fraud, with automated detection and prevention measures in place to ensure the integrity of your giving program.
Trust and Security FAQs
What security and privacy measures does Benevity have in place to secure my data?
Benevity has developed our information security program based on the globally recognized ISO/IEC 27001 security standard. Our program covers all areas of information security, including encryption at rest and in transit, network security hardening, logical and physical security, change management and secure development, as well as the continuous vulnerability scanning and regular penetration testing of our applications, network and infrastructure and processes to remediate threats.
How does Benevity comply with GDPR, including the recent Schrems II decision?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that regulates the use of personal data of EU residents and governs the transfer of data outside of the EU. Benevity hosts our infrastructure and data in AWS data centers in the United States, and our Data Processing Agreement incorporates the EU’s Standard Contractual Clauses model to protect your data. Recent EU decisions like Schrems II have highlighted the necessity of employing additional safeguards to secure data during cross-border transfers, and Benevity uses industry-leading encryption methods to protect data both in transit and at rest.
Who can I contact with security or privacy questions?
Benevity’s dedicated Risk & Compliance team guides our people, clients and stakeholders in understanding and mitigating the risks and challenges we face in a continually evolving security and privacy landscape. Our Security Operations team is constantly monitoring our environments for malicious attacks, protecting and defending our systems and infrastructure and also preparing for the next evolution of threats. Contact us at firstname.lastname@example.org.