Privacy and Security

Our Commitments to Our Clients and Partners.
Security and privacy are top priorities for Daisychain. We are constantly striving to improve our practices and ensure that they are up to industry standards.
From the way we store member data to the tools we provide to customers, everything is designed with security and privacy in mind.

Principles

Our practices are designed around several key principles:

Designed for Security

We use industry best practices for encryption, physical security, multi-factor authentication, and segmentation of data. Security is a core part of our software design process, and we use it as a criterion during code review.

Automated

We automate everything. When security configuration is automated, we can guarantee its correctness and repeatability. When infrastructure is automated, fewer people need access to sensitive data.

Available

All infrastructure is built to be highly available and resilient. Our architecture is designed to eliminate single points of failure with ample excess capacity so the platform keeps running no matter what.

Transparent

We promptly notify customers of outages and security events through our status pages and proactively via email.

Details

Here are some more specific details about our security and privacy practices:

Physical Security

We store customer data using Amazon Web Services (AWS) in their US East Region (Northern Virginia). AWS uses physical facilities that limit and audit physical access, and provides fire suppression, climate control, and uninterruptible power supplies. AWS is SOC-2 Type 2 Certified, and provides detailed information about their commitment to Security and Trust on their website.

Backups

We take a full snapshot of customer data at least nightly, encrypt it, and store it securely for disaster recovery.

Encryption

We use TLS/SSL encryption to protect data in transit across the internet, ensuring that our users have a secure connection from their browsers to our service. Where possible, data is encrypted at rest and in transit, and backups are always encrypted before they are stored. Our underlying service providers use industry-standard AES-256 encryption for storage of data at rest.

Access & Authorization

Our staff uses multi-factor authentication, in addition to passwords, to access administrative interfaces of the platform. Multi-factor authentication is also available to customer staff, though it is up to each organization to ensure its use. Access to systems is limited to staff who require it, based on their role and their need to access specific data.

Automated Scanning

We use a variety of automated tools to quickly identify and correct security issues with our systems. We use continuous automated scanning to detect known vulnerabilities in software dependencies, and static code analysis to detect issues in our application as part of our continuous integration process. Antivirus, endpoint management, and network traffic analysis tools are used where appropriate.

Change Management

All product software and infrastructure systems are administered via processes that include an audit trail and peer review of changes that are being applied. The peer review process includes evaluation of the security, privacy, and reliability implications of the change being proposed. Wherever possible, manual or ad-hoc changes to systems are avoided.

We use automated change management tools to document the current state of our systems infrastructure and enforce our standards for infrastructure. Infrastructure and product updates are designed to be applied via a zero-downtime continuous deployment process.

Web Security

We use Cloudflare to protect the platform against many risks, including distributed denial of service attacks. We also use Cloudflare Zero Trust to secure access to the platform by our staff.

Security Vulnerability Disclosure

At Daisychain, we take the security of our systems seriously and value the security community. The responsible disclosure of security vulnerabilities helps us ensure the safety and privacy of our users. If you believe you've found a security vulnerability in our service, we encourage you to notify us by emailing hello@daisychain.app.

Training

All team members are regularly briefed on principles and policies of data privacy and data security.

Onward Transfer

We work with other companies to deliver the platform to you. We ensure that all third parties we work with adhere to adequate data protection policies that meet or exceed our own. We keep this list of sub-processors up to date so customers can understand how their data is processed.

| Name | Location | Purpose | Website |
|---|---|---|---|
| Amazon | United States | Application and Database Hosting | https://aws.amazon.com/ |
| Twilio | United States | SMS and Email delivery | https://www.twilio.com/ |
| Cloudflare | United States | CDN and DDoS Protection, Zero Trust Security, Object Storage, Edge Compute | https://www.cloudflare.com/ |
| Rollbar | United States | Error reporting and tracking | https://www.rollbar.com/ |
| Bandwidth | United States | SMS delivery | https://www.bandwidth.com/ |