We understand that small nonprofits rely on our application to hold their organization’s financial data – and we take this responsibility seriously. We have earned the trust of our customers by providing a responsive and reliable application, and here we describe our commitment to keeping our application robust and secure.
We serve our website exclusively via HTTPS, using SSL certificates from a leading, reputable authority. Our application uses encrypted sessions to maintain a reliable and secure connection to our servers, and user credentials are stored as salted hashes, so that passwords are effectively impossible to extract even in the unlikely event of a data breach.
Our systems run the latest LTS (long-term support) version of Ubuntu Linux provided by one of the world’s most trusted (and fastest) cloud VPS providers, Linode. All server applications are updated automatically (daily) with any security-level updates, and all other software patches are applied on a monthly schedule. Our servers have been ‘hardened’ according to current AppSec standards, including comprehensive firewall blocking, dynamic SSH denial, request logging, and regular automated security auditing.
All customer data is stored in state-of-the-art PostgreSQL database(s) configured with narrow access rules that silo each account’s data separately. Data access is granted in a tiered hierarchy, limiting data exposure even within our application. Automated backup snapshots are performed daily and stored externally.
Transactional emails are used to validate new accounts and provide users with password reset tokens, and the email service is configured for one-way (outgoing) delivery only. All NPT emails are sent through a secure, established third-party email provider (SendGrid) with sophisticated traffic monitoring, providing our users with a trusted email source that is highly unlikely to be hacked.
All payment processing is done through Braintree (a PayPal company), which has been certified to PCI Service Provider Level 1 (the most stringent level of PCI DSS certification available). Payments are made via a three-legged tokenization architecture, where payment data is transmitted to Braintree directly from the user’s computer (or phone) and confirmed by passing an encrypted token back to our servers, ensuring that credit card information is never passed to nor stored on our NPT servers.
All disruptions to Nonprofit Treasurer’s normal performance, including security incidents, are published promptly on our Twitter feed, @nptreasurer, and may be viewed by anyone at https://twitter.com/nptreasurer. If you need to report a problem or any security concern, you may also DM our team via Twitter at that account.