Momentum Security Practices

At Momentum, we take security very seriously. As a company that focuses on stewardship, we value trust and transparency above all, and we view stewarding your data as one of our core responsibilities.

Here is an overview of the security practices we've implemented to ensure the integrity, confidentiality, and availability of all data we handle.

We have comprehensive security policies in place that are communicated and made accessible to all our staff.

1. Secure Coding and Development Practices

We consider our security-related coding practices to be best-in-class. All code is regularly reviewed for potential security vulnerabilities. We utilize static and dynamic analysis tools to identify potential security issues. Security is embedded at every stage of our software development lifecycle (SDL) to ensure that the final product is as secure as possible.

Our web portal uses the Django web framework, which includes strong protection against cross-site request forgery, SQL injection, and many other forms of attack. Our database and web application are further protected with Row Level Security, an advanced database feature that ensures that data from your organization can never be accidentally exposed to other organizations we work with.
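One way to implement the Row Level Security isolation described above, shown as an added example on PostgreSQL rather than Momentum's own schema or code; the donors table, the app_user role and the app.current_org session setting are assumptions:

```sql
-- Added example (not Momentum's schema): PostgreSQL Row Level Security
-- keeping one organization's donor records invisible to another's sessions.
-- Assumptions: a hypothetical "donors" table with an "organization_id"
-- column, and a per-connection setting "app.current_org" set by the app.

CREATE TABLE donors (
    id              bigserial PRIMARY KEY,
    organization_id integer NOT NULL,
    name            text    NOT NULL
);

-- Enable RLS and force it even for the table owner, so a missed WHERE
-- clause in application code cannot expose another tenant's rows.
ALTER TABLE donors ENABLE ROW LEVEL SECURITY;
ALTER TABLE donors FORCE ROW LEVEL SECURITY;

-- The application connects as a non-superuser role; superusers bypass RLS.
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON donors TO app_user;

-- Rows are readable and writable only when organization_id matches the
-- organization bound to the current session. nullif() maps an unset or
-- empty setting to NULL, so a session that forgot to set it sees nothing.
CREATE POLICY tenant_isolation ON donors
    FOR ALL TO app_user
    USING (organization_id =
           nullif(current_setting('app.current_org', true), '')::integer)
    WITH CHECK (organization_id =
           nullif(current_setting('app.current_org', true), '')::integer);

-- Constructed sample data for two organizations.
INSERT INTO donors (organization_id, name) VALUES (1, 'Alice'), (2, 'Bob');

-- Per request, the application binds the tenant and then queries normally;
-- the policy filters reads and rejects writes tagged with another tenant.
SET ROLE app_user;
SET app.current_org = '1';
SELECT name FROM donors;                                        -- organization 1 only
INSERT INTO donors (organization_id, name) VALUES (2, 'Mallory'); -- blocked by WITH CHECK
RESET ROLE;
```

Inside a transaction, use `set_config('app.current_org', '1', true)` so the binding is scoped to that transaction and cannot leak across pooled connections.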

2. Data and Network Security

Access controls are strictly enforced to ensure that only authorized personnel have access to sensitive data. Our network is secured with regular network scans, penetration testing, firewalls, and intrusion detection systems (IDS). We also perform regular data backups and restore tests to ensure data integrity and availability.

Your data is encrypted at rest with industry standard AES-256 encryption, and access to our web portal is secured with TLS 1.2 encryption. Our donation platform uses Stripe, a PCI Level 1 certified payment processor.

3. Identity and Access Management

Access to systems and data is managed based on the principle of least privilege (PoLP), meaning each user is granted the least amount of privilege necessary to complete their tasks.

Certain Momentum employees need access to your data in order to provide our services - for example, to review donor activity and recommendations. Access is tightly restricted to a small set of authorized personnel, and we have automated logging and auditing systems in place to ensure data is not improperly accessed. In addition, we require all employees with access to sensitive systems to use strong random passwords stored in a secure vault.

4. Incident Response and Risk Management

We have a well-documented and regularly tested incident response plan ready for any potential security breaches. In addition, we follow a proactive approach to risk management, where risks are continuously identified, assessed, and mitigated before they become issues.

5. Patch and Vulnerability Management

We follow a strict schedule for updating and patching all software, operating systems, and third-party libraries to protect against known vulnerabilities. Our team also conducts regular vulnerability assessments to identify and prioritize any potential vulnerabilities.

6. Vendor Security Management

We extend our security standards to our partners. All third-party vendors we work with must meet our stringent security standards to ensure an end-to-end secure environment.

Momentum's database and web portal are hosted on leading cloud computing providers with best-in-class security, including Amazon Web Services and Google Cloud.

This document provides an overview of our security practices. If you need more detailed information, please don't hesitate to contact us.