Security Details

Our clients have entrusted GiveWheel with their data, and we make it a priority to take our users’ security and privacy concerns seriously. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner. This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.

Application and User Security

  • Any time you visit the GiveWheel platform, the padlock in the browser address bar confirms that you have a secure, encrypted connection with the website and that GiveWheel holds a valid TLS/SSL certificate. This is especially important on pages that display personal information.
  • GiveWheel does not expose any security keys within code.
  • User Authentication: User data on our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. GiveWheel issues a session cookie only to record encrypted authentication and state information for the duration of a specific session. The session cookie does not include the password of the user.
  • User Passwords: User application passwords have minimum complexity requirements and are encrypted before being stored in our database.
  • Privacy: This Security Statement should be read in conjunction with our privacy policy, which explains how we process personal information, who we share it with and how long we retain it.
  • Regular scanning is performed against the OWASP Top 10 Vulnerabilities.

Data Storage

All payment data is handled through Stripe. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1, the most stringent level of certification available in the payments industry. Further details are available here.

Other personal data is hosted on the Heroku platform-as-a-service. Heroku is owned by Salesforce; an auditable SOC report can be provided on request, and Heroku's security policy is available here: https://www.heroku.com/policy/security.

Information about data residency can be viewed here (all dynos and databases were created in Europe): https://devcenter.heroku.com/articles/regions#data-residency.

Heroku compliance certification: https://www.heroku.com/compliance.

Organisational & Administrative Security

  • Service Providers: We screen our service providers to ensure that they adhere to appropriate confidentiality obligations if they deal with any user data.
  • Access: Access to sensitive data in our databases, systems and environments is granted on a need-to-know, least-privilege basis.
  • Audit Logging: We maintain and monitor audit logs on our services and systems.
  • Regular automated database backups are configured.