Data Privacy & Security

Last updated: December 10, 2021

At DonateStock, we recognize the sensitive nature of data entrusted to us. Protecting customer information is a high priority and part of our standard business processes. To this end, DonateStock, Inc. (DonateStock) has established a formal information security program designed to reduce cyber risk and protect sensitive customer information from loss or unauthorized disclosure.

The goal of this Security Statement is to ensure transparency regarding our security practices, and to help reassure you that your data is appropriately protected.

You may report security issues to us at [email protected]


Datacenter / Physical

DonateStock hosts on DigitalOcean (“DO”) to take advantage of the scalability, reliability, and security of DO's infrastructure-as-a-service cloud.

All data is stored and processed in DO's certified secure facilities:

  • DO hosting facilities hold SOC Type 1 & 2 certification and are certified to ISO standards
  • DO hosting facilities are accessible only via biometric scanning
  • 24/7 monitoring by security guards
  • 24/7 video surveillance


Infrastructure

  • The DO cloud infrastructure meets the requirements of globally accepted security standards, including: ISO 27001, SOC 2 Type 2, and the PCI Data Security Standard.
  • Performance and availability metric monitoring tools alert on-call teams for quick detection and triage of application issues.
  • Internet-facing services and operating system packages are assessed for security vulnerabilities.


Application

  • DonateStock enforces in-transit encryption for all data on untrusted networks and supports TLS 1.3 for all inbound client communication.
  • A web application firewall is implemented to detect and block unwanted reconnaissance and malicious application-layer attacks.
  • Sensitive data and electronic files are encrypted at rest.
  • DonateStock monitors and responds to application security events.
  • Passwords are stored using a secure hashing algorithm with an industry-standard work factor.
  • Web application security is tested using periodic automated vulnerability scanning.


Employee Training & Policies

  • All DonateStock employees are bound by confidentiality agreements and stringent policies regarding data handling.
  • All DonateStock employees receive regular training on security best practices and compliance with privacy regulations.


Data Loss Prevention & Breach Preparedness

  • Disaster recovery processes are tested on a quarterly basis using automation for data recovery and application restoration.
  • DonateStock maintains a security breach response plan to respond to data breaches promptly and effectively.


Physical & Workstation Security

  • DonateStock workstations enforce full-disk encryption and lock sessions based on an inactivity timeout.
  • All workstations have modern anti-malware software installed.
  • Operating system and software security updates are applied at regular intervals.
  • Web browsing activity is monitored and access to malicious websites is automatically blocked.


Data Privacy, Compliance, & Audit

  • DonateStock retains external counsel to advise on data privacy & security regulations, as well as compliance best practices.
  • DonateStock does not sell, rent, or lease personal or business details to any third party. Data sharing with nonprofits and partners complies with our publicly posted Terms of Use.
  • We also comply with other key data privacy requirements stipulated by the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). See our publicly posted Privacy Policy for more.