Virtuous Security Overview

Security and reliability of customer data is our highest priority

Summary

At Virtuous, the security and reliability of customer data are our highest priority. We take security seriously, and our team is dedicated to making sure all necessary safeguards are in place so that your data is safe and available whenever you need it.

The Virtuous platform runs entirely on Microsoft’s Azure cloud platform, and we follow the latest Microsoft cloud and security best practices. Relying on Azure for hosting and disaster recovery means that Virtuous does not host or maintain any hardware or software internally that might affect application uptime, security, and so on. Application infrastructure and uptime are handled entirely by Microsoft Azure.

Each Virtuous customer has their own Azure SQL Server instance. This allows us to ensure high levels of performance based on each customer’s needs and record count while also leveraging the uptime and reliability of Microsoft’s cloud. It also keeps your data in a more protected silo for security purposes. Because all data is fully housed on Azure, Virtuous relies on Microsoft’s SOC compliance, data security processes, and uptime.

For more information visit:
https://servicetrust.microsoft.com/Documents/ComplianceReports

Data Backup and Disaster Recovery

All customer data is backed up at the transactional level for up to 48 hours; after that period, daily snapshots of the data are available for rollback to any point in time. For our enterprise customers, SQL data is also available for off-site backup on request.

In addition to traditional data backups, the Virtuous platform on Azure inherits Microsoft’s cloud disaster recovery plan.

To learn more about Azure’s disaster recovery features, see the link below for a broad overview:
https://docs.microsoft.com/en-us/azure/architecture/resiliency/disaster-recovery-azure-applications

The Virtuous API, Authentication, and Data Security Layer

Virtuous takes password and user authentication seriously. Because each customer’s data resides in its own shard, access to data is strictly limited to the users of that nonprofit. Virtuous uses a one-way password hashing algorithm (HMAC-SHA256) for authentication. The Virtuous API uses the password hash to issue a time-based expiring token. The Virtuous web app and Virtuous API are always encrypted using TLS 1.2. Our databases reside in the Azure cloud and use its built-in firewall protection. Each database uses Transparent Data Encryption (TDE) at rest with AES-256. We also offer two-factor authentication using Authy for customers who need an additional level of data security on the client end.

Data Protection and Penetration Testing

As part of our normal processes, Virtuous maintains appropriate administrative, physical, and technical safeguards to protect the security, confidentiality, and integrity of contact data. This process includes: 1) employing Microsoft-recommended best practices for securing and updating the third-party components that make up the Virtuous platform, 2) monitoring and evaluating security systems at regular intervals, and 3) monitoring any system access attempts that might represent a threat to your data.

Virtuous uses Azure’s threat detection mechanisms to ensure customer data is safe. The Virtuous team is notified of potential threats in real time, and threats are evaluated and addressed immediately as they come in.

As part of its security process, Virtuous employs an independent, certified penetration testing consultant to perform external penetration testing on the Virtuous platform and validate our internal penetration testing procedures. Penetration test results can be made available on request.

HIPAA Compliance

Virtuous completed a comprehensive HIPAA risk assessment of both the Virtuous platform and the support technology used during the data conversion and migration process. This analysis was completed on March 1, 2021 by Troncore Security.

Team Data Access

To restrict access to the contact data Virtuous receives, only Virtuous employees who need that data to carry out Virtuous’s contractual obligations are granted access to customer data. Only a small handful of technical team members have access to customer data on Azure. Virtuous support team members access customer data through the Virtuous interface, and those data access permissions can be fully controlled by each customer.

Data Logging

In addition to the server logging provided by Azure, each customer has access to audit logs that track changes to contact and gift data. These changes are logged per user with a date-time stamp. Security logs, including users’ last login dates and similar records, are handled by Virtuous and are not shared with clients unless they need to know of an issue.

SQL Database Access

Read-only access to SQL databases is given on request to Enterprise customers. Customers only have access to their own shard (independent database). All read-only access to customer data in SQL is restricted by IP address (the IP at your office only), and by default this access is closed. This expanded enterprise access can be used for custom report creation with BI tools such as Tableau. Enterprise customers can also pull data down nightly from the read-only SQL database for backup or local reporting.

PCI and Credit Card Handling

Our Virtuous CRM product delegates all credit card and ACH processing to our Virtuous Giving product, which is covered by our PCI scanning and auditing process. We currently use WePay as our payment gateway, which tokenizes and encrypts all customer payment information on our behalf. Our PCI scope is extremely limited, but we still take the security of card data very seriously. Virtuous never stores payment or banking information for any contacts (e.g. credit card data or checking account information).

For our limited PCI scope on web forms, we are required to complete a PCI SAQ-A and PCI scanning with oversight from our PCI vendors to ensure card data is never compromised. We also use TrustedSite (McAfee) to complete quarterly PCI scans.

WePay PCI Certification

Grow generosity with Virtuous.

Virtuous is the responsive fundraising software platform proven to help nonprofit organizations increase generosity by serving all donors personally, no matter their gift size.

“Virtuous truly understands nonprofits and the importance of our mission. And their open access to data and built-in custom reports gave us access to the data we need.”
Todd Shinabarger
Chief Information Officer