
Data Privacy and Security at Zeffy – Protecting User, Donor and Account Data

A summary of Zeffy's data protection practices and how your data and information are protected.

Before we get started, please note that the following article is intended to give you a general overview of our data and security measures. For more information, please refer to our privacy policy.

Payment security:

All of Zeffy's payment processing is managed by Stripe. Stripe is PCI Service Provider Level 1 certified, which is the most stringent level of certification available in the payments industry. This ensures that all transactions are securely processed. For more information on Stripe's payment security, you can consult their documentation here.

Zeffy itself does not store or process any credit card information.

Data storage:

Zeffy uses only industry best practices (physical, electronic and procedural) in keeping any data collected (including personal data) secure. Zeffy uses vendors such as Amazon Web Services (AWS) and Heroku, both recognized leaders in secure data, and other vendors who have very strict security protocols, for hosting of the Services and related data, and collection and storage of data, including personal data.

User information, including donor details such as names, emails, addresses or donation amounts, is stored securely on Amazon's RDS servers located in Canada (ca-central-1d). Organization images including signatures, receipts, logos and banners are stored on S3 in Canada (ca-central-1).

SSL Certificate:

All data, including personal information, is encrypted using SSL or TLS protocols, ensuring secure transmission over the Internet. Users can verify the validity of Zeffy's SSL on the Website, Platform and Services.

Data Law Compliance:

Zeffy’s practices are compliant with all of the following laws, and any other Data Protection laws that apply to us.

  1. The “GDPR”, the European Data Protection Law which stands for “General Data Protection Regulation”, with the official name Regulation (EU) 2016/679 of the European Parliament and of the Council;
  2. The “UK GDPR” which applies to our activities in the United Kingdom; please note that when this Policy refers only to the “GDPR”, this includes the UK GDPR as applicable;
  3. “PIPEDA” (Personal Information Protection and Electronic Documents Act), which is the Canadian Data Protection Law that applies to our activities in Canada;
  4. Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (the “Quebec Privacy Act”) as amended by Law 25, that applies to our activities in Quebec;
  5. The California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act which applies to our activities in the United States in certain circumstances; and
  6. Other state privacy laws in the United States, specifically those which are currently in force in Colorado, Connecticut, and Virginia.

Data Breach Procedures:

In the event of a suspected data breach, Zeffy has established procedures to promptly address and notify affected parties as required by applicable data protection laws. We prioritize transparency and timely communication to mitigate any potential risks to user data.

Account Change Notifications:

To enhance account security, Zeffy sends notifications to account owners for any changes made to their accounts. This includes the following changes:

  • When a new device is used to log in
  • When a change is made to the bank account connected to Zeffy
  • When 2FA is disabled
  • When the ownership of an account is transferred
  • When a user is added to or removed from an account

Two-Factor Authentication (2FA):

We offer 2FA for additional login security. Users are prompted to authenticate via 2FA when logging in from a new location, adding an extra layer of protection to their accounts. Enabling 2FA is strongly recommended to safeguard against unauthorized access. Here's how to activate it: Enabling 2FA on your Zeffy account