Data Security and Compliance at Change

Security Program Overview

System Availability

Avoid slowdowns or disruptions. Enjoy virtually uninterrupted access to Change, with average annual uptimes exceeding 99.99%.

Encryption

All customer data is encrypted at rest with AES-256. Change’s cloud-based databases are isolated from other applications. All Change databases require encrypted connections, enhancing the security measures against potential data breaches

Identity Verification

Relationships with nonprofit organizations are verified manually and leverage publicly available information confirmed with multiple sources.

Password resets and account recovery are manually performed and leverage registered account email addresses.

Data Backup and Retention

Change retains data for as long as there is an administrative need to keep it to carry out its business or support functions, or for as long as it is required to demonstrate compliance for audit purposes or for legislative requirements.

Change backs up client data daily, and stores the data securely in AWS S3 as physical backups. The backups are protected for disaster recovery by storing both the base backup and write-ahead logs (WAL).

Compliant with SOC 2 Type 2 Security Standards

Change is SOC 2 Type 2 certified in security, availability, confidentiality, and privacy.

The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. The SOC 2 reports cover controls around security, availability, and confidentiality of customer data.

To request a copy of Change’s SOC 2 report, contact us at hello@getchange.io.

Additional Resources

PCI & Banking Compliance

Change uses Stripe, Inc. ("Stripe"), a fully compliant entity, as the third-party service provider for payment services (e.g., card acceptance, banking, merchant settlement, and related services). No credit card data touches Change's system. No Change system or personnel can access customer credit card data.

Change uses Finix Payments, Inc. ("Finix"), a fully compliant entity, as the third-party service provider for payment services (e.g., card acceptance, banking, merchant settlement, and related services). No credit card data toucs system. No Change system or personnel can access customer credit card data.

Customer Data

All customer data is encrypted at rest with AES-256. Change’s cloud-based databases are isolated from other applications. All Change databases require encrypted connections.

Identity Verification

Data Retention

Change retains data for as long as there is an administrative need to keep it to carry out its business or support functions, or for as long as it is required to demonstrate compliance for audit purposes or for legislative requirements.

Any data subject to deletion by local laws can be deleted at any time by request of users by contacting hello@getchange.io.

Dashboard Security

Change protects dashboard pages with strict same-origin content security policies to mitigate clickjacking.

Change protects dashboard actions with cross-site request forgery tokens to mitigate cross-origin access.

Data Security & Compliance at Change

Security Program Overview

System Availability

Encryption

Identity Verification

Data Backup and Retention

Compliant with SOC 2 Type 2 Security Standards

Additional Resources

PCI & Banking Compliance

Customer Data

Identity Verification

Data Retention

Dashboard Security

See Change in Action

Data Security & Compliance at Change

Security Program Overview

System Availability

Encryption

Identity Verification

Data Backup and Retention

Compliant with SOC 2 Type 2 Security Standards

Additional Resources

PCI & Banking Compliance

Customer Data

Identity Verification

Data Retention

Dashboard Security

See Change in Action

Stay up to date with Change