SECURITY OVERVIEW FOR GIFT4CHARITY.ORG WEB APPLICATION

snakesailboatSecurity

Feb 23, 2014


Encryption

The Gift 4 Charity security model is based on web standards for ecommerce and online transaction applications.

All critical information paths are encrypted by GoDaddy with 256-bit browser-to-server encryption.

Sensitive information such as social security numbers or private employee identification numbers is further encrypted in the database, rendering the information useless to would-be hackers.



Physical Security

If a thief or hacker can gain physical access to a server, there is no way to stop them from gaining access to the information housed on the server.

Likewise, natural disasters and power failures can cause severe interruptions to service as well as data corruption.

To that end, The Gift 4 Charity is hosted in a SAS 70 Type II certified, world-class infrastructure engineered from the ground up to support just about any kind of contingency.







Liebert UPS System
750 Kilowatt Diesel Generator
Inergen Fire Suppression
Backup Battery Supply
Network Operations Center (NOC)
Earthquake Isolation
Biometric Authentication
Heavily Monitored Facility
Security Man Traps


Process

In addition to facility security and encryption, best practices regarding information flow and process help to ensure data security.

Sensitive information is wiped from the system once donations have been processed. Social security numbers are not stored on an ongoing basis.

Daily backups are housed on site within the secured facility.

Physical backups are kept off-site in fireproof lock boxes within a secure facility (security guard, video surveillance, etc.).



Web Application Design

The web application framework is based on a custom modular framework.

The custom nature of the framework allows for not only flexibility of design and implementation but also obscures security holes that propagate quickly on ubiquitous frameworks (this is one reason why Windows and Internet Explorer are so readily and easily exploited).

All critical data paths are secured, and critical form data submissions are handled by encrypted POST rather than GET.

In some areas POST data is further encrypted or serialized/encrypted before being passed page to page within a session. Data interception would yield no usable information.

Password and login recovery are handled securely.

In many basic web applications a lost-password request yields a plaintext email with a user's login and password. This is not only inappropriate but also one of the largest security holes on the web today.

The Gift 4 Charity handles lost logins/passwords in a secure manner, never releasing this information in plaintext.


Gift4Charity.org utilizes 256-bit SSL.
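As an added illustration of the lost-password handling described above (example code written for this overview, not Gift 4 Charity's own implementation), the flow below mails a random, single-use, expiring reset token instead of the account's login and password; the PBKDF2 parameters, the 15-minute token lifetime and the in-memory stores are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions (not from the page): PBKDF2-SHA256 for password storage, a
# 15-minute reset-link lifetime, and in-memory dicts standing in for the
# application's database and outgoing mail queue.
PBKDF2_ROUNDS = 200_000
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password, salt=None):
    """Return salt || PBKDF2 digest; the plaintext is never stored anywhere."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed sample data: one account, no real credentials.
USERS = {"alice": {"email": "alice@example.invalid",
                   "pw_hash": hash_password("old-passphrase")}}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry); only the hash is kept
OUTBOX = []        # (recipient, message body) pairs the mailer would send


def request_reset(username, now=None):
    """Issue a one-time reset link. Returns True whether or not the account
    exists, so the response does not confirm valid user names to a caller."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        return True
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = (username, now + TOKEN_TTL_SECONDS)
    # The mail carries only the random token, never the login or password.
    # The hostname is a placeholder, not the site's real reset endpoint.
    link = "https://example.invalid/reset?token=" + token
    OUTBOX.append((user["email"], "Use this link to choose a new password: " + link))
    return True


def complete_reset(token, new_password, now=None):
    """Consume the token (single use) and set a new password if it is still valid."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    USERS[username]["pw_hash"] = hash_password(new_password)
    return True
```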






PRIVACY ACT NOTICE


Introduction


gift4charity.org takes your right to privacy seriously, and wants you to feel comfortable using this web site. This privacy policy deals with personally-identifiable information (referred to as "data" below) that may be collected by this site. This policy does not apply to other entities that are not owned or controlled by gift4charity.org, nor does it apply to persons that are not employees or agents of gift4charity.org, or that are not under gift4charity.org's control. Please take time to read this site's Terms of use.

Collection of data


Registration for an account on this site requires only a valid e-mail address and a user name that has not been chosen already. You are not required to provide any other information if you do not want to. Please be aware that the user name you choose, the e-mail address you provide and any other information you enter may render you personally identifiable, and may possibly be displayed on this web site intentionally (depending on choices you make during the registration process, or depending on the way in which the site is configured) or unintentionally (subsequent to a successful act of intrusion by a third party). As on many web sites, gift4charity.org may also automatically receive general information that is contained in server log files, such as your IP address, and cookie information. Information about how advertising may be served on this site (if it is indeed gift4charity.org's policy to display advertising) is set forth below.

Use of data


Data may be used to customize and improve your user experience on this site. Efforts will be made to prevent your data being made available to third parties unless (i) provided for otherwise in this Privacy Policy; (ii) your consent is obtained, such as when you choose to opt-in or opt-out for the sharing of data; (iii) a service provided on our site requires interaction with a third party, or is provided by a third party, such as an application service provider; (iv) pursuant to legal action or law enforcement; (v) it is found that your use of this site violates gift4charity.org's policy, terms of service, or other usage guidelines, or if it is deemed reasonably necessary by gift4charity.org to protect gift4charity.org's legal rights and/or property; or (vi) this site is purchased by a third party, in which case that third party will be able to use the data in the same manner as set forth in this policy. In the event you choose to use links displayed on this web site to visit other web sites, you are advised to read the privacy policies published on those sites.

Cookies


Like many web sites, this web site sets and uses cookies to enhance your user experience, to remember your personal settings, for instance. Advertisements may display on this web site and, if so, may set and access cookies on your computer; such cookies are subject to the privacy policy of the parties providing the advertisement. However, the parties providing the advertising do not have access to this site's cookies. These parties usually use non-personally-identifiable or anonymous codes to obtain information about your visits to this site.

Minors


gift4charity.org might not allow persons who are aged thirteen or younger to become members
of this site. For more information, please contact the site administrator.

Changes to this privacy policy


Changes may be made to this policy from time to time. You will be notified of substantial changes to this policy either through the posting of a prominent announcement on the site, and/or by a mail message sent to the e-mail address you have provided, which is stored within your user settings.

NO GUARANTEES


While this privacy policy states standards for maintenance of data, and while efforts will be made to meet the said standards, gift4charity.org is not in a position to guarantee compliance with these standards. There may be factors beyond gift4charity.org's control that may result in disclosure of data. Consequently, gift4charity.org offers no warranties or representations as regards maintenance or non-disclosure of data.

Contact information


If you have any questions about this policy or about this web site, please feel free to contact the site administrator.

TERMS & CONDITIONS

The Gift4Charity Web Site (the "Service") is an online information and communications service provided by Gift4Charity, subject to your compliance with the terms and conditions set forth below, including all exhibits hereto.

Please read this Agreement carefully before accessing or using the Service. By accessing or using the Service, you agree to be bound by the terms and conditions set forth below. If you do not wish to be bound by these terms and conditions, you may not access or use the Service. If you utilize the Service in a manner inconsistent with these terms and conditions, Gift4Charity may terminate your access, block your future access and/or seek such additional relief as the circumstances of your misuse indicate is proper. Gift4Charity may modify this Agreement at any time, and such modifications shall be effective immediately upon posting of the modified Agreement. You agree to review the Agreement periodically to be aware of such modifications and your continued access or use of the Service shall be deemed your conclusive acceptance of the modified Agreement.

1. Operating Policies.

You agree to comply with the Operating Policies set forth in Exhibit A (as they may be amended by Gift4Charity from time to time), which are the rules that govern your activity in connection with the Service. Gift4Charity has the right but not the obligation to remove any communications and materials that Gift4Charity believes in its sole discretion violate the Operating Policies.

2. Copyright, Licenses and Idea Submissions.

The entire contents of the Service are copyrighted under the United States copyright laws. The owner of the copyright is Gift4Charity. You may print and download portions of material from the different areas of the Service solely for your own non-commercial use. You may make: (a) one machine readable copy, (b) one backup copy, and (c) one print copy of any portions of material downloaded from the different areas of the Service solely for your non-commercial use. Any other copying, redistribution, retransmission or publication of any downloaded material is strictly prohibited without the express written consent of Gift4Charity or any third party information provider to the Service. You agree not to change or delete any proprietary notices from materials downloaded from the Service. You agree to grant to Gift4Charity a non-exclusive, royalty-free, worldwide, perpetual license, with the right to sublicense, to reproduce, distribute, transmit, create derivative works of, publicly display and publicly perform any materials and other information (including, without limitation, ideas contained therein for new or improved products and services) you submit to public areas of the Service (such as bulletin boards, forums and newsgroups) by all means and in any media now known or hereafter developed. You also grant to Gift4Charity the right to use your name in connection with the submitted materials and other information as well as in connection with all advertising, marketing and promotional material related thereto. You agree that you shall have no recourse against Gift4Charity for any alleged or actual infringement or misappropriation of any proprietary right in your communications to us.

3. Use of the Service.

You understand that, except for information, products or services clearly identified as being supplied by Gift4Charity, Gift4Charity does not operate, control or endorse any information, products or services on the Internet in any way. Except for Gift4Charity-identified information, products or services, all information, products and services offered through the Service or on the Internet generally are offered by third parties that are not affiliated with Gift4Charity. You also understand that Gift4Charity cannot and does not guarantee or warrant that files available for downloading through the Service will be free of infection or viruses, worms, Trojan horses or other code that manifest contaminating or destructive properties. You are responsible for implementing sufficient procedures and checkpoints to satisfy your particular requirements for accuracy of data input and output, and for maintaining a means external to the Service for the reconstruction of any lost data. You assume total responsibility and risk for your use of the Service and the Internet. Gift4Charity does not make any express or implied warranties, representations or endorsements whatsoever (including without limitation warranties of title or noninfringement, or the implied warranties of merchantability or fitness for a particular purpose) with regard to the Service, any merchandise, information or service provided through the Service or on the Internet generally, and Gift4Charity shall not be liable for any cost or damage arising either directly or indirectly from any such transaction. It is solely your responsibility to evaluate the accuracy, completeness and usefulness of all opinions, advice, services, merchandise and other information provided through the Service or on the Internet generally. Gift4Charity does not warrant that the Service will be uninterrupted or error-free or that defects in the Service will be corrected. The Service and any software made available on the Service are provided on an "as is, as available" basis.

You understand further that the Internet contains unedited materials some of which are sexually explicit or may be offensive to you. You access such materials at your risk. Gift4Charity has no control over and accepts no responsibility whatsoever for such materials.

In no event will Gift4Charity be liable for (I) any incidental, consequential, or indirect damages (including, but not limited to, damages for loss of profits, business interruption, loss of programs or information, and the like) arising out of the use of or inability to use the Service, or any information, or transactions provided on the Service or downloaded or hyperlinked from the Service, even if Gift4Charity or its authorized representatives have been advised of the possibility of such damages, or (II) any claim attributable to errors, omissions, or other inaccuracies in the Service and/or materials or information downloaded through, or hyperlinked from, the Service. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. In such states, Gift4Charity's liability is limited to the greatest extent permitted by law.


4. Indemnification.

You agree to indemnify, defend and hold harmless Gift4Charity, its officers, directors, employees, agents, licensors, suppliers and any third party information providers to the Service from and against all losses, expenses, damages and costs, including reasonable attorneys' fees, resulting from any violation of this Agreement by you.

5. Third Party Rights.

The provisions of paragraphs 3 (Use of the Service), and 4 (Indemnification) are for the benefit of Gift4Charity and its officers, directors, employees, agents, licensors, suppliers, and any third party information providers to the Service. Each of these individuals or entities shall have the right to assert and enforce those provisions directly against you on its own behalf.

6. Term; Termination.

This Agreement may be terminated by either party without notice at any time for any reason; provided that you may no longer use the Service after you have terminated this Agreement. The provisions of paragraphs 2 (Copyright, Licenses and Idea Submissions), 3 (Use of the Service), 4 (Indemnification), 5 (Third Party Rights) and 8 (Miscellaneous) shall survive any termination of this Agreement.

7. Maintenance.

Periodically the Service may require maintenance including, but not limited to, revisions, updates, fixes, and database maintenance which will require the Service to be temporarily suspended. This suspension will, in no way, constitute a breach of service provided by the Service. During maintenance periodic and random deletions of data including, but not limited to, web logs, web statistics tracking metrics and expired user data may occur.

8. Miscellaneous.

This Agreement shall be governed and construed in accordance with the laws of the State of Minnesota applicable to agreements made and to be performed in Minnesota. You agree that any legal action or proceeding between Gift4Charity and you for any purpose concerning this Agreement or the parties' obligations hereunder shall be brought exclusively in a federal or state court of competent jurisdiction sitting in Minneapolis. Any cause of action or claim you may have with respect to the Service must be commenced within one (1) year after the claim or cause of action arises or such claim or cause of action is barred. Gift4Charity's failure to insist upon or enforce strict performance of any provision of this Agreement shall not be construed as a waiver of any provision or right. Neither the course of conduct between the parties nor trade practice shall act to modify any provision of this Agreement. Gift4Charity may assign its rights and duties under this Agreement to any party at any time without notice to you.

Exhibit A

Operating Policies


Your participation in on-line communications occurs in real time and is not edited, censored, or otherwise controlled by Gift4Charity. Gift4Charity cannot and does not screen content provided by users of the Service. Notwithstanding the foregoing, Gift4Charity reserves the right to monitor content on the Service and to remove content which Gift4Charity, in its sole discretion, determines to be harmful, offensive, or otherwise in violation of these Operating Policies. In order to maintain an informative and valuable service that meets the needs of the users of the Service and avoids the harm that can result from disseminating statements that are false, malicious, violate the rights of others, or otherwise harmful, it is necessary to establish the following rules to protect against abuse:

I. Unless you are participating in an area of the Service that requires or encourages anonymity, use your real name in online communications.

II. You may not post or transmit any message which is libelous, defamatory or which discloses private or personal matters concerning any person. You may not post or transmit any message, data, image or program which is indecent, obscene or pornographic.

III. You may not post or transmit any message, data, image or program that would violate the property rights of others, including unauthorized copyrighted text, images or programs, trade secrets or other confidential proprietary information, and trademarks or service marks used in an infringing fashion.

IV. You may not interfere with other users' use of the Service.

V. You may not use any robot, spider, or other automatic device or process to monitor or copy our web pages or any portion of the content contained herein without our express written permission.

VI. You may not post or transmit any file which contains viruses, worms, "Trojan horses" or any other contaminating or destructive features.

VII. You may not post or transmit any message which is harmful, threatening, abusive or hateful. It is not the Service's intent to discourage you from taking controversial positions or expressing vigorously what may be unpopular views; however, Gift4Charity reserves the right to take such action as it deems appropriate in cases where the Service is used to disseminate statements which are deeply and widely offensive and/or harmful.

VIII. You may not post or transmit charity requests, petitions for signatures, chain letters or letters relating to pyramid schemes. You may not post or transmit any advertising, promotional materials or any other solicitation of other users of the Service for goods or services except in those areas (e.g., a classified bulletin board) that are designated for such purpose.

IX. You may not post or list articles which are off-topic according to the description of the group or list or send unsolicited mass emailings to 10 people or more if such e-mail could reasonably be expected to provoke complaints from its recipients.

X. You may not use the facilities and capabilities of the Service to conduct any activity or solicit the performance of any illegal activity or other activity which infringes the rights of others.

If you have any further questions, please email info@gift4charity.org