Giva's Certificates of Compliance & Security
At Giva, we recognize that your data contains sensitive and confidential information, so we are committed to keep your information private and secure.
Transparency is also critical, so we are sharing our safeguards with you. Giva follows best practices for privacy and security that are consistent with worldwide regulatory requirements.
IT and cloud security compliance certifications and memberships
Giva knows that security compliance is very important to our customers, so the following are our certificates of compliance:
HIPAA & HITECH compliant
Giva is HIPAA and HITECH compliant and used by hospitals, healthcare organizations, banks, law firms and other organizations all over the world that demand high security and compliance. In today's environment, there are many security risks such as cyberattacks, breaches, malware, etc. For our customers not in regulated industries, they also receive our HIPAA and HITECH compliance at no additional cost.
GDPR compliant
The General Data Protection Regulation (GDPR) was passed in 2018 by the European Union (EU). It is specifically focused on the transfer of data outside of the EU. Among the many requirements is that transfers can only be with countries having strong data protection laws. The EU does not consider the US as meeting this requirement.
There is ongoing dialogue between the EU and the US, and the regulation has been evolving. Currently, Data Privacy Framework permits EU companies working with US companies to meet the requirements of the General Data Protection Regulation.
Data Privacy Framework compliant
Giva complies with the EU-U.S. Data Privacy Framework that was created by the U.S. Department of Commerce and the European Union regarding the use, collection, and retention of personal information.
The objective of the Data Privacy Framework is to support and enhance digital commerce. It's a framework to comply with data protection requirements when moving personal data from the European Union, UK and Switzerland to the US. Giva's Data Privacy Framework certification indicates that Giva meets the data privacy and security principles of the U.S. Department of Commerce and European Commission.
Giva's customers in highly-regulated industries can be assured we comply with these stringent privacy and security safeguards.
SSAE 18 SOC 2 Type 2 compliance
Giva's data center partner, DataBank, undergoes an SSAE 18 SOC 2 Type 2 annual audit with an independent third party, and they continue to monitor our internal measures and controls against SOC 2 standards. As a result, Giva has the appropriate controls in place to minimize risks related to security, privacy, processing, availability, and confidentiality.
Preventing cyber security breaches and safeguarding data is critically important to Giva customers, and especially those with significant regulatory requirements and financial penalties.
DataBank performs a rigorous SSAE-18 audit annually in each of their data centers. It includes the data center's system controls, design, and operating effectiveness over a one-year period.
SOX compliance
SOX requires CEOs and CFOs to certify and provide quarterly and annual reports to the Securities and Exchange Commission. Management must accept responsibility for the effectiveness of its internal controls, evaluate the effectiveness using suitable control criteria and support this evaluation with sufficient evidence. In addition, auditors are required to verity and attest to these controls.
Since the accuracy and timeliness of financial reporting depends on a well-planned and well-controlled IT environment, IT organizations must not only provide various forms of control documentation (in the form of manuals, flowcharts, memoranda, etc.), but also documentation about the effectiveness of those controls.
PCI-DSS
Payment Card Industry Data Security Standards, or PCI-DSS, is an industry security standard for credit card transactions. The objective is to minimize risk of fraud or compromise of sensitive information. PCI Compliance is an adherence to these rigorous standards in the way your business conducts and handles the information. DataBank's facilities and critical infrastructure receive an annual "Report on Compliance" ensuring that they meet controls for a PCI-DSS-compliant facility.
Cloud security standards at Giva
Physical and cloud security
Giva uses DataBank to host our applications, and all customer data is maintained by them. DataBank is a global organization recognized as a top specialist in HIPAA and HITECH compliance and other high security hosting such as FedRAMP and StateRAMP.
Many US federal government agencies use their infrastructure. All physical access is highly controlled and monitored. There are guards on each site, and there are state-of-the-art video surveillance systems, biometric locks and other high security measures to assure physical security.
Database security
Giva uses a secure database for customer data with very limited access, and it can only be accessed via a secure VPN with a secure remote connection.
Communication security
Giva utilizes the latest version of the TLS protocol to ensure the most secure communication between our servers. Any communication between our applications or APIs is also transmitted using strong encryption.
Perimeter security
Giva uses specialized hardware-based firewalls to block unauthorized access.
Data back-ups
Giva uses DataBank's encrypted daily cloud back-ups, and any backups stored offsite are also encrypted.
Business continuity and disaster recovery
Giva provides a hardened and highly redundant environment that is fault tolerant and resilient to withstand access by any unauthorized actor. DataBank uses a third party to provide penetration testing on a recurring basis to make sure that their high security standards are always maintained.
Giva's network security standards
Dedicated security team
Giva and DataBank's security teams are constantly monitoring our server infrastructure 24/7 to make sure that all is safe and secure. Anything that appears unusual is quickly investigated, and we use automated alerts to be proactive.
Network protection
DataBank provides network protection through their security services. They engage independent third parties for penetration testing on an ongoing basis to get an unbiased review of their network security. We use Cloudflare for additional security to monitor and block malicious traffic and network attacks.
Network security architecture
Giva's network security architecture has security zones for each of the sensitive systems like database, web and storage servers. We calibrate sensitivity, function, and risk to determine what other security zones are necessary for other key subsystems. We apply monitoring and access controls that apply to all the security zones as well as DMZs between different security zones.
Network vulnerability scanning
DataBank is continuously performing network vulnerability scanning to quickly identify any potentially vulnerable systems.
Third-party penetration tests
Multiple time each year DataBank uses third-party, independent security experts to perform comprehensive penetration testing.
Security incident event management
Our security systems generate logs from all important parts of the network, and they are integrated with alert triggers to notify the security teams for investigation and response.
Intrusion detection and prevention
All key points of our network within DataBank are monitored to detect abnormal traffic patterns and behavior. After key thresholds are crossed, alerts are generated and sent to the security teams. We use regularly-updated signatures based on new threats that we get access to by leveraging DataBank's relationship with the US Government.
Threat intelligence program
Giva and DataBank participate in several threat intelligence sharing programs to enable monitoring of threats posted and take action when necessary.
DDoS mitigation
DataBank has a proprietary architecture for DDoS mitigation. They have a deep partnership with Cloudflare that provides network edge defense.
Logical access
Giva's production network is highly restricted and utilizes least privilege and is monitored on an ongoing basis. Any Giva employees that can access the Giva production network must use two factor authentication.
Security incident response
Any system alerts are escalated to our 24/7 Operations, Network Engineering, and Security teams. These employees are trained on security incident response processes and escalation paths.
Application security at Giva
Secure code training
Giva provides secure code training for our engineers based upon the OWASP top-security risks.
Framework security controls
Giva uses secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks: e.g. exposure to SQL Injection, Cross Site Scripting, and Cross Site Request Forgery.
Quality assurance
We have a strong focus on Quality Assurance (QA) since Giva uses Agile Software Development, which is a process that relies on iterations that build upon each other to deliver great products that customers desire in a timely manner. After a planning session based upon customer feedback, our software team writes code for two weeks and then performs QA for one week. During the QA cycle, our engineers are also looking for security vulnerabilities. If the code passes QA, then we put it into a release. We often do not know the exact release date until late in the QA cycle.
Separate environments
Giva has independent development, testing and staging environments that are completely separated from the production environment.
Dynamic vulnerability scanning
Giva uses security tools to continuously scan our code to prevent web application security risks including the OWASP Top 10 security risks.
Third-party penetration testing
Giva and DataBank use scanning and testing program, and third-party security firms to perform penetration testing on our infrastructure to ensure security and privacy.
Giva follows global security standards
HIPAA/HITRUST
Giva is HIPAA/HITRUST compliant, and Giva serves some of the largest hospitals and healthcare organizations, and we meet our compliance obligations by offering a highly-secure environment and sign a Business Associates Agreement with our customers.
GDPR
Giva is GDPR compliant to assure our EU customers that we protect their data and are in full compliance with their local laws.
PIPEDA
Giva is PIPEDA compliant to assure our Canadian customers that we protect their data and are in full compliance with their county's laws.
The Canadian Government's guide for PIPEDA compliance mandates the following security safeguards to provide protection:
- Physical measures
- Up-to-date technological tools
- Organizational controls
The following PIPEDA principles contribute to building trust in the digital economy:
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
CCPA
Giva is CCPA compliant to assure our California customers that we protect their data and are in full compliance with their state's laws. The California Consumer Privacy Act (CCPA) allows California consumers to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with.
Giva does not share any data with third parties. The CCPA law went into effect on January 1, 2020, and enforcement on July 1, 2020.
Giva's internal security policy
The Giva Internal Security Policy is a collection of policies and guidelines for employees of Giva. The company has made a substantial investment in human and financial resources to create these systems. Additionally, Giva is entrusted with the private and confidential information and data of its customers, and as such must protect its own systems in a manner accordingly. If you would like to learn more about our internal security policy, please let us know, and we'll be happy to share the details with you.
