Security at GoGive
We are committed to providing a secure platform for charities and donors (“Users”). Our round-up donation plugin allows donors to make donations to charities by rounding up their credit or debit card purchases. We are committed to being transparent about our security measures so that you can benefit from our services with peace of mind.
This document provides an overview of how GoGive and its third parties securely store and access users' personal information.
The services provided by GoGive rely on three components:
To consider the security of GoGive’s fundraising services, one must consider the security of each of its components.
According to our Privacy Policy, GoGive collects personal information about Users, including name, email, address and phone. This information is not classified as critical or sensitive data.
In addition, information about the donor’s donation plan is stored in our datastore and contains information about donation preferences and round-up balances.
Each round-up transaction is also linked to that plan and contains information such as:
No payment information or bank login details are stored in, or accessible to, GoGive’s infrastructure.
We consciously decided not to store sensitive information in our data store.
What is not stored cannot be stolen.
Even though no sensitive information is stored in our data centres, our database is fully encrypted using AES-256 encryption. The encryption key is stored on a separate and restricted instance using Amazon Key Management Service (KMS). In other words, in case of a security breach, intruders could only see incoherent and useless data.
We also use a strict firewall policy to restrict access to our infrastructure from an external network. Our database is not connected to the public internet and is only accessible through specific and secure gateways.
GoGive does not store sensitive information but can access certain information held or collected by our service providers (Stripe and Basiq). Secure communication with the service providers is ensured by using encrypted keys that grant GoGive access to specific data. These keys are stored in a secure, isolated instance with Amazon KMS and encrypted using AES-256 encryption. These keys are also rotated regularly as an extra safety measure.
With Basiq.io, GoGive is granted read-only access to the user’s accounts and transaction information. Basiq merely provides a reporting service of the user’s financials but cannot act on the user’s behalf.
During the donor subscription process, the user's web browser communicates directly with Basiq over TLS 1.2, which guarantees that data is encrypted in transit and cannot be intercepted. No sensitive information ever goes through GoGive’s infrastructure.
Similarly, with Stripe, GoGive cannot ever access card payment details. During the payment method registration, the browser securely transmits the encrypted and tokenised card details directly to Stripe.
All administrative access to the GoGive infrastructure is protected with two-factor authentication and strong password controls.
In a nutshell, Basiq is as safe as one of the top banks.
The main security features of Basiq are:
Resources are encrypted twofold when stored in Basiq’s data centre:
The value to store is transformed into a 512-bit hash using the sophisticated SHA-512 algorithm. With this level of encryption, even in case of an access breach into Basiq infrastructure, the sensitive data is statistically impossible to decrypt.
Stripe is a company that provides payment processing services and takes security very seriously. They have achieved the highest level of certification available in the payments industry, which means they use top-of-the-line security tools and practices to maintain a high level of security.
Stripe also uses HTTPS to ensure secure connections for their website and dashboard, and their libraries connect to their servers securely. Stripe regularly audits their security practices and uses HSTS to ensure that browsers only interact with its website securely.
In addition, all credit card numbers are encrypted with a robust encryption method called AES-256 and stored on separate machines. No one at Stripe can see plain text card numbers, but they can request that the numbers are sent to a service provider on a strict allowlist. Stripe's system for storing, decrypting, and transmitting card numbers runs in a different hosting environment and doesn't share credentials with their primary services, such as their API and website.
At GoGive, we prioritise the security of our users' information above all else. We employ the highest standard security practices and regularly review and update our security measures to ensure our infrastructure is impenetrable. Our third-party service providers, such as Basiq and Stripe, have been thoroughly assessed and selected based on their strong security practices, ensuring that all sensitive data is encrypted and their infrastructure is secure. They both use bank-grade security measures. You can rest assured that your personal information is well-protected when using GoGive's services.
If you have any questions related to security, please reach out to admin@gogive.com.au. Our security expert will gladly answer any questions you may have.