Your organization’s data security is mission-critical, and we take our commitment to protecting it extremely seriously. It’s just one more reason so many leading social good organizations trust us as their partner.
Our Information Security team applies the industry-standard CIA Triad model (Confidentiality, Integrity, Availability) in conjunction with industry control frameworks such as the NIST CSF, PCI DSS, ISO 27001, SOC 1, SOC 2 Type 2, and others to protect our solutions.
View more information on our Cyber Security Program in the below white papers and tip sheet.
- White Paper: Blackbaud Cyber Security Overview
- White Paper: Blackbaud Business Continuity Management
- White Paper: Blackbaud Cyber Security Incident Management and Response Overview
- White Paper: Blackbaud Cyber Security Program and Policy Framework
- White Paper: Data Trust Statement
- White Paper: Blackbaud and the Public Cloud Whitepaper
- Tip Sheet: Cyber Security
- Data Sheet: Blackbaud Luminate Online® Security Overview
Blackbaud provides audit reports on request to our subscription customers, their auditors, and our prospective customers, including SOC 2 Type 2 and SOC 1 Type 1 reports and bridge letters for both SOC 1 and SOC 2 reports, where applicable.*
Blackbaud provides PA-DSS and PCI DSS attestations of compliance for Blackbaud Internet Services and Blackbaud Payment Solutions.*
Blackbaud also uses the Cloud Security Alliance's CAIQ-Lite assessment questionnaire to provide transparency regarding the adherence of our products to the CSA Cloud Controls Matrix. These assessments are made available via the Cloud Security Alliance.*
Our world-class security, privacy, and risk-management teams work every day to ensure the safety of your data by adhering to industry standard practices, conducting ongoing risk assessments, aggressively testing the security of our products, and continually assessing our infrastructure.
As such, our promise to you is that your Blackbaud solution is kept secure, protected, and reliable through:
- Robust and continuous cloud account/subscription governance and control monitoring
- Clear security requirements and reporting on data protection, encryption, and monitoring
- Routine vulnerability assessments and automated DDoS mitigation
- Active participation in cyber security thought leadership:
  - Blackbaud is a member of the Cloud Security Alliance (CSA) and assesses our products and environments against the CSA CAIQ (Consensus Assessments Initiative Questionnaire).
  - Blackbaud Security is a member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a thought leadership and information sharing community for collaboration on critical security threats facing the global financial services sector.
  - Blackbaud partners with the Information Sharing and Analysis Center for Nongovernmental Organizations (NGO-ISAC) to collaborate on the defense of US-based nonprofit and nongovernmental organizations targeted by sophisticated threat actors.
- Partnership with Microsoft and Azure:
  - Blackbaud follows an Azure-first model and partners consistently with Microsoft. This gives us access to industry threat intelligence and early previews of upcoming Azure feature capabilities and security releases.
- Partnerships with other cloud providers and independent third parties for reviews
Blackbaud also safeguards our environments and data by applying the NSA's Defense in Depth approach of layered security, covering:
- Data Protection
- Application Security
- Host Based Security
- Internal Network Security Measures
- Perimeter Security
- Physical Security
- Policies/ Procedures/ Awareness
- Blackbaud's cloud security includes rigorous standards across physical, application, and personnel security
Blackbaud uses Microsoft System Center Operations Manager (SCOM) for internal monitoring, with customized management packs that monitor from within the application layer outward. This provides an early-warning detection capability that gives us time to investigate and respond to an issue before it becomes an impactful event.
Blackbaud enforces strict physical datacenter security based on best practices and SSAE 18 audit guidelines:
- All building entrances, the datacenter floor, and secure areas require card key access. The datacenter floor and secure areas also require two-factor biometric authentication (hand/fingerprint and iris scan).
- Active patrol guards are onsite to monitor the interior and exterior of our facilities 24 hours a day, 365 days a year. We also have security cameras covering all entrances, alternate workspaces, and the datacenter floor.
Blackbaud ensures the security of our applications through:
- Constant education of, and partnership with, the Blackbaud development community through robust and varied training programs
- Routine vulnerability assessments
- Continually equipping our developers with security tooling to use early in the secure SDLC
- Blackbaud uses strong encryption mechanisms across our environments and products, including TLS 1.2, AES-256, RSA 1024, and other algorithms approved under FIPS 140-2. Note that NIST SP 800-131A disallows 1024-bit RSA keys for generating new digital signatures (2048-bit is the current minimum), so customers should confirm the key sizes in use for their specific product.
- Through Blackbaud ID, we support multi-factor authentication and modern identity providers (IdPs) such as Microsoft Azure Active Directory, Okta, and SAML-based providers such as Google G Suite, so you can control your end-user login experience.*
Blackbaud employees are all engaged in on-going Security Awareness and rigorous training campaigns to ensure they are empowered to protect both Blackbaud’s and our customers’ data. All employees are provided continual phishing simulation testing to increase their awareness of cyber security social engineering and phishing techniques.
The Blackbaud Security team additionally participates in global communities and conference platforms, such as bbcon, WISCYS, and local security conferences, to share information and present on industry best practices and improve the community's security awareness.
The Blackbaud Security team prioritizes routine testing to identify and remediate vulnerabilities and risks by leveraging:
- Dedicated Red Team
- Routine Penetration Testing
- Routine Code and Vulnerability Scanning
- Cloud Audits & Assessments
- Phishing Simulations
Driving social good on a global scale—spanning the public, private, and social sectors—requires a detailed understanding of privacy standards. Blackbaud has dedicated legal counsel who continually evaluate upcoming and changing regulations as they relate to data privacy to ensure we are aligned to these regulations, as well as providing thought leadership for our customers on the operational impact of these regulations and compliance requirements.
Blackbaud is committed to providing products and services that enable customers to comply with the privacy laws applicable to them. We tirelessly track and interpret pending legislation to ensure that Blackbaud provides the features you need to protect the privacy of your constituents while managing data in a compliant way. As privacy legislation evolves, our products do too. Further, we will continue to work on ways to improve the user experience in the products, specifically as regards the capture, recording, and use of your supporters’ consent. We ensure that (when applicable) our products and internal processes comply with and enable customers to comply with:
- General Data Protection Regulation (GDPR): A European Union regulation that establishes data protection and privacy standards for all individuals within the European Union (EU) and the European Economic Area (EEA).
- Health Insurance Portability and Accountability Act (HIPAA): A U.S. law that provides data privacy and security provisions for safeguarding Protected Health Information (PHI).
  - Blackbaud regularly assesses our compliance with data protection regulations such as HIPAA.
  - All Blackbaud products available to customers in the healthcare sector are assessed annually for HIPAA compliance. These products are also reviewed to ensure customers can achieve and maintain their own HIPAA compliance obligations when performing fundraising and data management activities using Blackbaud solutions.
- California Consumer Privacy Act (CCPA): A California state law that enhances privacy rights and consumer protection for residents of California.
  - As of the effective date of the CCPA, Blackbaud will be fully compliant with this law.
  - As with the guidance provided on GDPR, prior to the effective date of the CCPA, Blackbaud will issue guidance on how our various solutions can be used to help customers comply with these regulations.
We understand regulatory requirements and constituent expectations around data privacy are a key priority for our customers as well. For more information about safeguarding your constituent data, reference the Blackbaud Institute’s Privacy Toolkit.
Blackbaud designs mission-critical cloud solutions exclusively for social good organizations.
Our commitment to reliability is backed by our industry-leading service level agreement of 99.9% availability—or you will be eligible for credits to your subscription.
Our cloud solutions are modern and innovative and allow your teams to be productive on any device at any time by leveraging Blackbaud SKY UX for natively mobile experiences.
We support continuity of service through extensive disaster recovery policies, regular offsite backups (performed nightly, weekly, or monthly), and redundant architecture.
*Compliance certifications and assessments may vary by product.
Blackbaud maintains protocols and standards to help protect Customer Data, meaning the data consisting of Customers’ confidential information, including constituent data, contained in Blackbaud solutions. Customer Data doesn’t include aggregated or anonymized data or data about a customer, like current or prospective customer contact information held in our internal customer management system. Blackbaud will only collect, process, and store Customer Data that is necessary to fulfill contractual obligations with customers. Blackbaud retains Customer Data throughout the full term of the contract for such solution.
Upon cancellation of a solution, Blackbaud follows a standard process to remove Customer Data in accordance with industry standards. Typically, after a customer leaves Blackbaud entirely or cancels a particular solution, Customer Data for that solution(s) is decommissioned and removed from the applicable infrastructure, and the associated backups of that Customer Data are retained (offsite) for 90 days before being automatically purged. In some instances, Customer Data will be retained to comply with legal and regulatory obligations. Blackbaud may also keep Customer Data to assist with fraud monitoring, detection, and prevention activities and to comply with tax, accounting, and financial reporting obligations.
Additionally, Blackbaud is required to retain certain Customer Data through contractual commitments to financial partners, and where data retention is mandated by the payment method(s) utilized by the customer. In all cases where Customer Data is retained, it is done in accordance with any limitation periods and records retention obligations that are imposed by applicable law.
Questions? Contact us.
To obtain a summary of the most recent third-party audit reports for our solutions:
- If you’ve purchased a Blackbaud solution, open a support case.
- If you are a prospective customer, contact your sales representative.