Change uses Stripe, Inc. ("Stripe"), a fully compliant entity, as the third-party service provider for payment services (e.g., card acceptance, banking, merchant settlement, and related services). No credit card data touches Change's system. No Change system or personnel can access customer credit card data.
Change uses Finix Payments, Inc. ("Finix"), a fully compliant entity, as the third-party service provider for payment services (e.g., card acceptance, banking, merchant settlement, and related services). No credit card data touches Change's system. No Change system or personnel can access customer credit card data.
All customer data is encrypted at rest with AES-256. Change’s cloud-based databases are isolated from other applications. All Change databases require encrypted connections.
Relationships with nonprofit organizations are verified manually and leverage publicly available information confirmed with multiple sources.
Password resets and account recovery are manually performed and leverage registered account email addresses.
Change retains data for as long as there is an administrative need to keep it to carry out its business or support functions, or for as long as it is required to demonstrate compliance for audit purposes or for legislative requirements.
Any data subject to deletion under local laws can be deleted at any time at a user's request by contacting hello@getchange.io.
Change protects dashboard pages with strict same-origin content security policies to mitigate clickjacking.
Change protects dashboard actions with cross-site request forgery tokens to mitigate cross-origin access.