Fundmetric has some core principles around data protection and security.

Notice: Our data breach protocol requires us to notify clients within 24 hours of a data breach. We also will notify you about how your data is being used should this change. Fundmetric maintains detailed access logs and has systems in place for real-time notification, mitigation and containment procedures should a problem arise.

We ask for consent before changing our procedures with the exception of system updates, should Fundmetric change it’s data handling procedure, which only allows Fundmetric staff having signed confidentiality agreements and receiving annual privacy and security agreements.

We do not permit onward transfer without the consent of the client. This is done using end to end encryption. There are three exceptions:

- Third party credit card processes (if using credit card processing through Fundmetric)
- Mailgun for email services, a provider of transactional and marketing email serves
- Email Validation Services (if elected by the client)

Data Transfer uses TLS 1.2 and is secure and encrypted. Here is the details on our data vault Exavault.

We use 256 bit SSL certificates and limit the access points through which data can be accessed. We have several internal monitoring systems and access to Microsoft Security Architects for the engineering on a private server network.They review our infrastructure periodically.

Access to the system is tightly controlled. Anti-Phishing training is ongoing and Fundmetric is vigilant against both technical threats and social engineering. Our staff are trained annually on the procedures and security threats both physical, social and virtually.

All computers used for the purposes of our work are Fundmetric property and subject to Fundmetric data protection and breach protocol procedures.

Fundmetric also has special screening procedures for people who may pose a threat from either a terrorism or espionage standpoint.

Fundmetric requires written permission to give user accounts and will generally check with the point of contact. There are various role-based permissions that restrict access to certain functionality for security purposes.

Protocols are enforced using both automated best practices as well as a streamlined reporting structure. Protocols exist for the method of communication in the event of threat to eliminate the ability for forged communications to complicate matters. A data-breach protocol is in place that is reviewed, practiced and put into practice. While we do not release the protocol itself, it does include mitigation and notification provisions for stakeholders including clients.

Fundmetric holds a Comprehensive Technology and Cyber Security insurance policy.  This is in addition to our general liability insurance.

This includes:
(A) Professional Services, Technology Services and Technology
Products Liability
(B) Media and Advertising Liability
(C) PCI DSS Assessment  
(D) Network Security and Privacy Liability
(E) Network Extortion Threat  
(F) Breach Event Services and Expenses  Yes  No
(G) Corporate Brand Protection / Crisis Management Expenses
(H) Business Interruption
(I) Data Protection and System Restoration

Fundmetric enables permission levels within the app to be set for your teammates. Permissions can be set to include the ability to edit or view constituent.

Credentials are stored using secure hash algorithms.

Fundmetric has an uptime of 99.9% or higher.

All of our servers are within our own virtual private cloud (VPC) with network access control lists that prevent unauthorized requests.

Credentials are stored using secure hash algorithms.

All data sent to or from Fundmetric is encrypted in transit using 256 bit encryption.

Backups are weekly for all constituent data.

Fundmetric is served 100% over https. Access to constituent data is limited to authorized employees who require it for their job. Fundmetric runs a zero-trust corporate network. There are no corporate resources or additional privileges that come from being on Fundmetric’s network. We have Single Sign-on (SSO), 2-factor authentication (2FA) and strong password policies on tools used to build the Fundmetric platform to ensure access to cloud services are protected.

Fundmetric has a data breach protocol that is not publicly shared but that any customer can view upon request.

All Fundmetric employment contracts include a confidentiality agreement that must be signed and returned prior to commencing employment.

Annual Security and Awareness training is completed by all Fundmetric employees.

Fundmetric has developed, and frequently update, a comprehensive set of security policies. These policies cover a wide-range of topics and are shared with all employees.

All aspects of PCI compliance are handled through third party processors. Fundmetric does not store credit card information.