The Subsplash Platform is built with the highest level of security to keep you and your community safe.
Information Security Program
We have a robust Information Security Program in place that is communicated throughout the company.
Third-Party Audits & Penetration Testing
Subsplash undergoes independent third-party assessments to test our security and compliance controls. Additionally, we commission an independent third-party penetration test at least annually to ensure that the security of our services is uncompromised.
Roles & Responsibilities
The roles and responsibilities related to our Information Security Program and the protection of customer and user data are well-defined and documented. Our entire team is required to review and accept all of the current security policies.
Security Awareness Training
Our team also completes security awareness training that covers industry-standard practices and information security topics such as phishing and password management. This training occurs during the onboarding process for new employees and annually thereafter.
All employees are required to agree to and adhere to an industry-standard confidentiality agreement prior to their first day of work.
Background checks are performed on all new employees in accordance with local laws.
Security Bug Bounty
We run an ongoing bounty program through HackerOne to provide penetration testing across all of our products on the Subsplash Platform. These security researchers are some of the best in the world at finding vulnerabilities and responsibly disclosing them. Our bounty program is open to anyone who finds a security vulnerability. (To report a vulnerability, please request an invite to our program by contacting us at firstname.lastname@example.org.)
The Payment Card Industry Data Security Standards are a set of standards set forth by the four major card associations to protect cardholder data. All merchants and processors need to have physical, electronic, and procedural controls in place to ensure that cardholder data is stored and handled securely at all times. Subsplash is PCI Level 1 Compliant and has the highest level of data security to ensure that your church’s and donor’s data is protected.
Our primary payment processor is Stripe. They are one of the largest, most secure payment processors in the world. Stripe is also a certified PCI Service Provider Level 1 payment processor.
Cloud Infrastructure Security
While we primarily use Amazon Web Services (AWS) as our hosting provider, we also run workloads on other cloud providers, all of which have robust security policies in place. For more information on AWS’s security processes, please visit AWS Security.
Encryption at Rest & in Transit
Subsplash keeps your data encrypted and secure. All databases are encrypted at rest, and Subsplash applications encrypt data in transit using TLS/SSL exclusively.
We perform vulnerability scanning and actively monitor for threats.
Business Continuity & Disaster Recovery
We use our data hosting provider’s backup services to reduce any risk of data loss in the event of a hardware failure. We utilize monitoring services to alert the team in the event of any failures affecting users.
We have processes in place for handling information security events, including escalation procedures, rapid mitigation, and communication.
Permissions & Authentication
Access to cloud infrastructure and other sensitive tools is limited to authorized employees who require it for their role. Where available, we implement Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies to ensure that access to cloud services is protected.
Least Privilege Access Control
We follow the principle of least privilege with respect to identity and access management.
Quarterly Access Reviews
Quarterly access reviews are performed on all employees with access to sensitive systems.
Our entire team is required to adhere to a minimum set of password length and complexity requirements for access.
Local Equipment Security
All company-issued laptops are encrypted and utilize a password manager for team members to manage passwords and maintain password complexity.
Annual Risk Assessments
At least annually, we undergo risk assessments to identify any potential threats, including considerations for fraud.
Vendor Risk Management
Vendor risk is assessed, and the appropriate vendor reviews are performed, before a new vendor is authorized.