Security & privacy
Data Security
Trusted by 300+ nonprofits in 20+ countries
Dataro upholds strict standards for data security and donor privacy, including SOC 2 Type 2 certification. SOC 2 is considered one of the most stringent and widely accepted auditing standards set forth by the American Institute of Certified Public Accountants (AICPA) to help service providers securely manage data in the cloud.
We support nonprofit clients in over 20 countries, including European organizations bound by the standards of the GDPR, the strongest privacy and security law in the world.
For more detailed technical information, select a category.
Data storage & encryption
All client data is stored at rest in Amazon Web Services (AWS) S3 buckets, which are private by default and encrypted with industry-standard AES-256.
Modelling metadata and app-related outputs (outputs for display in the Dataro platform) are stored in an AWS Aurora Postgres database that exists in a private subnet in our own AWS VPC and is not directly accessible from the internet.
Data is processed in virtual machine images (Docker containers) on dynamically allocated compute instances (AWS Batch). As such, there are no standing instances to access or compromise, which dramatically reduces our potential attack surface.
Dataro’s web application is architected using a ‘serverless’ framework where backend requests are processed using abstracted compute units (AWS Lambda) instead of standing instances.
AWS is a top-tier cloud vendor, and in the cases above there are substantial security benefits to using its managed services (Batch, S3, Lambda) instead of managing our own servers. Patching, disaster recovery, backups, configuration and so forth are handled by AWS as part of the managed service offering.
Confidentiality & access control
We have implemented stringent controls governing customer data.
Awareness training is provided to all employees during the onboarding process and covers the importance of, and best practices for, handling customer data. Access to the production buckets is provisioned using AWS Identity and Access Management (IAM) and is currently limited to the production processing system, Dataro’s CTO (Chief Technical Officer) and senior engineering staff.
Access to Dataro environments is limited to the most senior employees, who have been trained in our security protocols. Control measures include restricting access to privileged groups, additional authentication requiring 2FA, and password strength requirements in line with best practice.
Dataro adopts a risk-based approach to protecting data during processing, in particular against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to information.
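The storage and access-control statements above (private, AES-256-encrypted S3 buckets; IAM-provisioned access for a processing system plus a small group of staff; compulsory 2FA) map onto a handful of S3 bucket policy conditions. The following bucket policy is an added illustration of how such controls are typically expressed in AWS; it is not Dataro’s own configuration, and the bucket name, account ID and role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-production-bucket",
        "arn:aws:s3:::example-production-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyObjectsNotEncryptedWithAES256",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-production-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" }
      }
    },
    {
      "Sid": "DenyAccessWithoutMFAExceptProcessingRole",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-production-bucket",
        "arn:aws:s3:::example-production-bucket/*"
      ],
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/example-batch-processing-role"
        }
      }
    }
  ]
}
```

The first statement refuses any request that does not arrive over TLS. The second refuses uploads that do not explicitly request SSE-S3 (AES-256); because `StringNotEquals` also matches when the header is absent, clients must send the header even if bucket default encryption is enabled, which is usually the intent. The third denies every principal whose session lacks MFA (`BoolIfExists` treats a missing key, as with long-term access keys, as a failure) except the placeholder processing role, which corresponds to an automated system such as the Batch jobs described above. The bucket being "private" is enforced separately by S3 Block Public Access at the bucket or account level; explicit `Deny` statements with `"Principal": "*"` apply to administrators too, so a policy like this should be validated in a non-production account before it is attached.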
Data security in transit
Data is collected from Customer systems using the Customer’s CRM vendor’s API or it is sent to Dataro directly using best practice Secure File Transfer Protocol (SFTP).
Physical security measures
Physical security controls in our offices ensure robust physical security appropriate to the nature of our business. All Dataro resources are hosted in secure facilities (in Australia, the UK, or the US, based on client preference) provided by AWS. AWS has best-in-market data centre controls: https://aws.amazon.com/compliance/data-center/controls/
System updates & security
We deploy updates to our system using a rigorous CI/CD (Continuous Integration and Continuous Delivery) process which includes automated testing for a number of security hazards, including static and dynamic analysis of the code and deployed systems.
Data processing
Contact persons and project managers are identified for all projects. All Dataro employees receive appropriate privacy and annual data security training and are required to comply with Dataro’s IT security policy.
Data modeling & PII
We seek to abide by privacy by design principles and as such, with respect to data about our Customers’ donors, we only capture information which the Customer has agreed to and directly relates to our ability to deliver our service and product. While Dataro stores four types of Personally Identifiable Information (PII): email address, phone, mailing address, and last name, we do not use any PII for modeling. Our proprietary data models are trained on non-personal data in our global data set (the Dataro data pool).
Data integrity & business continuity
Administration activities on servers are only carried out by trained personnel who are the most senior at Dataro. 2FA is compulsory for all activities involving access to customer data stored by Dataro. We care about the resilience of our products and appreciate that disruptions can happen, so we have developed a Business Continuity Plan appropriate to the size of Dataro and the scope of products supplied. Key processes include annual business continuity plan reviews, covering key risks and contingencies, and building services to utilise the redundancy capabilities of our cloud service providers.
Data retention
At the conclusion of your subscription, we delete all the raw data we are holding for your organization, including all personal data.