Your organization’s data security is mission-critical, and we take our commitment to protecting it extremely seriously. It’s just one more reason so many leading social good organizations trust us as their partner.
- Our Information Security team leverages the industry standard CIA Triad Model (Confidentiality, Integrity, Availability) in conjunction with various industry control frameworks, such as the NIST CSF, PCI DSS, SOC 1, SOC 1 type 2, and others to protect our solutions.
View more information on our Cyber Security Program in the below white papers and tip sheet.
- White Paper: Blackbaud Cyber Security Overview
- White Paper: Blackbaud Business Continuity Management
- White Paper: Blackbaud Incident Management And Response Overview
- White Paper: Blackbaud Cyber Security Program and Policy Framework
- White Paper: Blackbaud Data Trust Statement
- White Paper: Blackbaud and the Public Cloud Whitepaper
- Data Sheet: Blackbaud Luminate Online® Security Overview
Transparency
Blackbaud provides audit reports by request to our subscription customers, their auditors, and our prospective customers, including SOC 2 type 2, SOC 1 type 1, and bridge letters for both SOC 1 and 2 reports, where applicable*.
Blackbaud provides PA-DSS and PCI-DSS attestations of compliance to Blackbaud Internet Services and Blackbaud Payment Solutions*.
Blackbaud also leverages the Cloud Security Alliance’s CAIQ assessment questionnaires to provide transparency regarding the adherence of our products to the CSA Cloud Controls Matrix. All current Blackbaud CAIQs are available via the Cloud Security Alliance.*
Security
Infrastructure Security
Our security, privacy, and risk-management teams work every day to ensure the safety of your data by adhering to industry standard practices, conducting ongoing risk assessments, aggressively testing the security of our products, and continually assessing our infrastructure.
Your Blackbaud solution is secure, protected, and reliable through:
- Robust and continuous Cloud Account/Subscription Governance and control monitoring
- Clear security requirements and reporting on data protection, encryption, and monitoring
- Routine vulnerability assessments and DDoS automitigation response
- Active participation in CyberSecurity thought leadership:
- Blackbaud is a member of Cloud Security Alliance (CSA) and assesses our products and environments against the CSA CAIQ (consensus Assessment Initiative Questionnaire).
- Blackbaud Security is a member of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a thought leadership and information sharing community for collaboration on critical security threats facing the global financial services sector.
- Blackbaud partners with the Information Sharing and Analysis Center for Nongovernmental Organizations (NGO-ISAC) to participate in collaboration regarding US-Based nonprofit/nongovernmental organizations under attack from sophisticated threat actors.
- Partnership with Microsoft and Azure
- Blackbaud engages in an Azure-first model and partners consistently with Microsoft. This provides us access to industry threat intelligence and early previews regarding upcoming Azure feature capabilities and security releases.
- Partnerships with other cloud providers and independent third parties for reviews
Blackbaud also leverages tactical Cyber Security strategies for safeguarding our environments and data by utilizing the NSA’s Defense in Depth techniques and layered security, including:
- Data Protection
- Application Security
- Host Based Security
- Internal Network Security Measures
- Perimeter Security
- Physical Security
- Policies/ Procedures/ Awareness
- Blackbaud’s Cloud Security includes rigorous standards across physical, application, and personnel security
Blackbaud utilizes System Center (SCOM) for internal out of the box monitoring with customized management packs that monitor within the application layer from the inside out to include an early warning detection system that allow us the time to investigate and respond to an issue before it becomes an impactful event.
Physical Security
Blackbaud enforces strict physical datacenter security based on best practices and SSAE18 audit guidelines:
- All building entrances, the datacenter floor, and secure areas require card key access. The datacenter floor and secure areas also require two factor biometric authentication (hand/finger prints and iris scan).
- Active patrol guards are onsite to monitor the interior and exterior of our facilities 24 hours a day, 365 days a year. We also have security cameras covering all entrances, alternate workspaces, and the datacenter floor.
Application Security
Blackbaud ensures the security of our applications through:
- Constant education and partnership with Blackbaud development community with robust and varied training programs
- Routine vulnerability assessments
- Continually empowering our developers with security tools to leverage early in the security SDLC processes
Encryption
- Blackbaud uses various strong encryption mechanisms across our environments and products, including TLS 1.2, AES 256, RSA 1024 and other FIPS140-2 encryption algorithms.
Authentication
- Through Blackbaud ID, we support multi-factor authentication and modern identity providers (IdP) such as Microsoft Azure Active Directory, Okta, and SAML-based providers such as Google G-Suite so you can control your end-user login experience*.
Security Awareness
Blackbaud employees are all engaged in on-going Security Awareness and rigorous training campaigns to ensure they are empowered to protect both Blackbaud’s and our customers’ data. All employees are provided continual phishing simulation testing to increase their awareness of cyber security social engineering and phishing techniques.
The Blackbaud Security team additionally partakes in global communities and conference platforms—such as bbcon, WISCYS, and local security conferences—to share information and present on industry best practices to improve the community’s security awareness posture.
Testing
The Blackbaud Security team prioritizes routine testing to identify and remediate vulnerabilities and risks by leveraging:
- Dedicated Red Team
- Routine Penetration Testing
- Routine Code and Vulnerability Scanning
- Cloud Audits & Assessments
- Phishing Simulations
Privacy
Driving social good on a global scale—spanning the public, private, and social sectors—requires a detailed understanding of privacy standards. Blackbaud has dedicated legal counsel who continually evaluate upcoming and changing regulations as they relate to data privacy to ensure we are aligned to these regulations, as well as providing thought leadership for our customers on the operational impact of these regulations and compliance requirements. Visit our privacy resource site.
Further, we will continue to work on ways to improve the user experience in the products, specifically as regards the capture, recording, and use of your supporters’ consent. We ensure that (when applicable) our products and internal processes comply with and enable customers to comply with:
- General Data Protection Regulation (GDPR) regulations in the United Kingdom and the European Union that establish commercial standards for data protection and privacy for all individuals in those areas.
- US State data privacy laws—including the California Consumer Privacy Act as amended by the California Privacy Rights Act—which enhance privacy rights and consumer protection for residents of those states.
- We have made changes here at Blackbaud for our own compliance with these new state laws, particularly with respect to our Data Intelligence business. We have prepared new notices, implemented mechanisms for individuals to submit consumer rights requests, and readied our engineers to create robust subject access reports upon request. Blackbaud acts as a data controller when it provides Data Intelligence services, including Target Analytics®, and accordingly will comply with consumers’ access requests, deletion requests, and opt out requests. Individuals who opt out of the sale of their data will be excluded from the data sets we use for customer data enrichment services. For more information, refer to our website for Data Subject Rights Requests as well as our Privacy Policy.
- Global email laws, such as Canada’s Anti-Spam Legislation (CAN-SPAM) in the US, and the UK’s Privacy and Electronic Communications Regulations (PECR) govern the sending of electronic marketing messages.
- Blackbaud solutions contain functionality enabling customers to collect, record, and use explicit consent to receive marketing emails in accordance with email laws.
- Our email solutions allow customers to send email in line with legal requirements and best practices, such as unsubscribe functionality.
We understand regulatory requirements and constituent expectations around data privacy are a key priority for our customers as well. For more information about how Blackbaud can help your organization with data privacy compliance, visit our privacy resource site.
Reliability
Blackbaud designs mission-critical cloud solutions exclusively for social good organizations.
Our commitment to reliability is backed by our industry-leading service level agreement of 99.9% availability—or you will be eligible for credits to your subscription.
Our cloud solutions are modern and innovative and allow your teams to be productive on any device at any time by leveraging Blackbaud SKY UX for natively mobile experiences.
We amplify continuity of service through extensive disaster recovery policies, regular offsite backups (performed nightly, weekly, or monthly), and redundant architecture.
*compliance certifications and assessments may vary by product
Industry Standards
Data Trust
Blackbaud maintains protocols and standards to help protect Customer Data, meaning the data consisting of Customers’ confidential information, including constituent data, contained in Blackbaud solutions. Customer Data doesn’t include aggregated or anonymized data or data about a customer, like current or prospective customer contact information held in our internal customer management system. Blackbaud will only collect, process, and store Customer Data that is necessary to fulfill contractual obligations with customers. Blackbaud retains Customer Data throughout the full term of the contract for such solution.
Upon cancellation of a solution, Blackbaud maintains a standard process to remove Customer Data in accordance with industry standards. Typically, after a customer leaves Blackbaud entirely or cancels a particular solution, Customer Data with respect to that solution/s is decommissioned/removed from applicable infrastructure, and then associated backups of that Customer Data are retained (offsite) for 6-months before being automatically purged. In some instances, Customer Data will be maintained to comply with legal and regulatory obligations. Blackbaud may also keep Customer Data to assist with fraud monitoring, detection, and prevention activities and to comply with tax, accounting, and financial reporting obligations.
Additionally, Blackbaud is required to retain certain Customer Data through contractual commitments to financial partners, and where data retention is mandated by the payment method(s) utilized by the customer. In all cases where Customer Data is retained, it is done in accordance with any limitation periods and records retention obligations that are imposed by applicable law.
Questions? Contact us.
To obtain a summary of the most recent third-party audit reports for our solutions:
- If you’ve purchased a Blackbaud solution, open a support case.
- If you are a prospective customer, contact your sales representative.