Here’s some general information to give you confidence in how we secure the data entrusted to us.
How we protect your personal data
Kindful takes precautions to safeguard your data against loss, theft, and misuse, as well as unauthorized access, disclosure, alteration, and destruction. Kindful is PCI SAQ-A compliant.
Protecting your privacy
We hold your account information, lists, and data in strict confidence. We do not now, nor will we ever, rent or sell your data to any third party. The only time Kindful shares any information related to your Kindful account with an outside organization is if:
- Kindful is highlighting examples of your templates, campaigns, or case studies and has obtained your permission before divulging such information;
- Kindful is reporting on or using our overall customer base and activity, in which case we divulge general, aggregate (non-personally identifiable) information;
- you, the client, connect a partner integration and agree to provide data access to the partner (e.g., Mailchimp); or
- the outside organization is the federal government or another agency empowered to require us to divulge your personal or account information.
EU Charities and Residents
With the new privacy and personal data protections introduced by the GDPR, we’ve implemented processes to help you meet its requirements.
Protection from Data Loss and Corruption
- We mirror account data and continually back up data off-site.
- Server redundancy: We employ redundancy in our architecture to maintain maximum uptime. If the need ever arises, we have the ability to fail over our systems to a second data center with minimal downtime.
- Kindful has established crisis plans to recover from various disaster scenarios.
- Data backups: We use continuous point-in-time archiving to a second data center and regularly test those backups.
- Kindful collaborates with integration partners to ensure data security between applications. Kindful engages a third party for security and penetration testing to ensure Kindful meets a high standard for application security.
- We hash and salt all Kindful account passwords. Not even our staff can view them. If you lose your password, it can't be retrieved—it must be reset.
- All traffic to the Kindful application is encrypted with TLS.
- Kindful enforces HTTPS / TLS connections for all web resources, including the admin portal and donation pages.
- Cloud-hosted services are firewalled, and web traffic is routed through HTTPS load balancers, which protect against regional network outages and denial-of-service attacks.
- All changes to the software are peer-reviewed, and Kindful employs various Quality Assurance practices including functional, regression, and automated testing.
- We monitor usage of our online donation pages and employ a CAPTCHA feature when usage patterns appear fraudulent.
- We employ various methods to ensure your Kindful user accounts are secure:
  - Account lockout after multiple failed login attempts
  - Password policy
  - Session time-outs
- Kindful’s integrated payment processors are PCI compliant. See Bloomerang Payment Processing & PCI Compliance to learn more.
Internal IT Security
- Kindful offices use keycard access for security.
- All employee computers have encrypted hard drives and adhere to a long-and-strong password policy.
- Our internal security team monitors our environment for vulnerabilities.
Internal Protocol and Education
- We regularly train employees on best security practices, including how to identify phishing scams and hackers.
- Kindful implements two-factor authentication to secure services used internally.
- When a customer contacts us, we do not share account information with them unless we confirm they are an admin user of the system, or are employed by the client organization with permissions that match the level of their request.
- Employees who have access to customer data (such as tech support and our engineers) undergo additional security training outlining their responsibility to protect customer data.
Account Protection & User Security
When creating your Kindful account, you create a username and a password that controls access to your account and all of the data stored within that account. Kindful stores a hashed version of your password for added security, but you understand and acknowledge that you are ultimately responsible for maintaining control of that username and password and for not sharing it with anyone else.
Controlling user access to your Kindful account is critical to maintaining security. As the Administrator of your Kindful account, you control who has access. Not sharing login credentials is essential so that you can control who has access to your Kindful account at all times.
- We monitor and automatically suspend accounts for signs of irregular or suspicious login activity.
- We monitor account and transaction activity for signs of abuse.
- We provide the ability to establish tiered-levels of access within accounts.
- We strongly discourage the sharing of user accounts; since there is no charge for additional user accounts, there is no reason not to create a unique account for every person who uses Kindful.
Kindful uses Google Cloud Computing Services, so the applicable SOC-1 report is Google Cloud’s and can be found here:
Kindful does not have a SOC-2 report available at this time.