Last updated: December 2025
At Better Giving, safeguarding donor and member data is central to our mission. As a nonprofit ourselves, we treat every record with the same care we expect for our own. The trust of the communities we serve depends on it.
Better Giving operates as a U.S. 501(c)(3) public charity with a Candid Platinum Seal of Transparency. We provide donation processing, savings, and investment services to fellow nonprofits and faith organizations, and we take data protection seriously at every layer of that work.
We never sell, rent, or monetize user or donor data. Information is collected only for legitimate operational purposes—such as completing donations, providing statements, and maintaining member accounts.
We run on secure, certified cloud infrastructure: the majority of our application is hosted on Vercel (SOC 2 Type II + ISO 27001) with built-in global redundancy, while our database is hosted on Amazon Web Services (AWS) with SOC 1/2/3, ISO 27001, and FedRAMP Moderate authorizations. All systems include geographic redundancy and strict physical/environmental controls.
All data is encrypted in transit (TLS 1.2+) and encrypted at rest (AES-256). No plaintext card or banking data ever passes through or is stored on Better Giving servers.
Staff access follows a least-privilege, role-based model. Multi-factor authentication (MFA) is required for all administrative accounts. Access reviews occur regularly and are logged.
Better Giving never stores or processes raw cardholder data. All donations are handled by Stripe, a PCI DSS Level 1–certified processor. We complete the required PCI Self-Assessment Questionnaire A each year and retain Stripe's Attestation of Compliance on file.
Savings balances are held in FDIC-insured accounts (limits apply). Investment assets are custodied with regulated partners and protected by SIPC coverage where applicable.
Database snapshots are taken daily and stored in encrypted form across multiple AWS regions to protect against data loss or regional outages.
Better Giving maintains an incident-response plan that includes rapid containment, root-cause analysis, and timely notification to affected partners in accordance with applicable law.
For details on how information is collected and used, see our Privacy Policy.