Transparency is also critical, so we are sharing our safeguards with you. Giva follows best practices for privacy and security that are consistent with worldwide regulatory requirements.
IT and cloud security compliance certifications and memberships
Giva knows that security compliance is very important to our customers, so the following are our certificates of compliance:
HIPAA & HITECH compliant
Giva is HIPAA and HITECH compliant and used by hospitals, healthcare organisations, banks, law firms and other organisations all over the world that demand high security and compliance.
In today's environment, there are many security risks such as cyberattacks, breaches, malware, etc. Customers that are not in regulated industries also receive our HIPAA and HITECH compliance at no additional cost.
The General Data Protection Regulation (GDPR) was passed in 2018 by the European Union (EU). It is specifically focused on the transfer of data outside of the EU. Among the many requirements is that transfers can only be with countries having strong data protection laws. The EU does not consider the US as meeting this requirement. There is ongoing dialogue between the EU and the US, and the regulation has been evolving. Currently, Privacy Shield permits EU companies working with US companies to meet the requirements of the General Data Protection Regulation.
Privacy Shield Framework compliant
Giva complies with the EU-U.S. Privacy Shield Framework that was created by the U.S. Department of Commerce and the European Union regarding the use, collection, and retention of personal information.
The objective of Privacy Shield is to support and enhance digital commerce. It's a framework to comply with data protection requirements when moving personal data from the European Union and Switzerland to the US. Giva's Privacy Shield certification indicates that Giva meets the data privacy and security principles of the U.S. Department of Commerce and European Commission.
Giva's customers in highly-regulated industries can be assured we comply with these stringent privacy and security safeguards.
SSAE 18 SOC 2 Type 2 compliance
Giva's data centre partner, DataBank, undergoes an SSAE 18 SOC 2 Type 2 annual audit with an independent third party, and they continue to monitor our internal measures and controls against SOC 2 standards. As a result, Giva has the appropriate controls in place to minimise risks related to security, privacy, processing, availability, and confidentiality.
Preventing cyber security breaches and safeguarding data is critically important to Giva customers, and especially those with significant regulatory requirements and financial penalties.
DataBank performs a rigorous SSAE-18 audit annually in each of their data centres. It includes the data centre's system controls, design, and operating effectiveness over a one-year period.
SOX requires CEOs and CFOs to certify and provide quarterly and annual reports to the Securities and Exchange Commission. Management must accept responsibility for the effectiveness of its internal controls, evaluate the effectiveness using suitable control criteria and support this evaluation with sufficient evidence. In addition, auditors are required to verify and attest to these controls.
Since the accuracy and timeliness of financial reporting depends on a well-planned and well-controlled IT environment, IT organisations must not only provide various forms of control documentation (in the form of manuals, flowcharts, memoranda, etc.), but also documentation about the effectiveness of those controls.
Payment Card Industry Data Security Standards, or PCI-DSS, is an industry security standard for credit card transactions. The objective is to minimise risk of fraud or compromise of sensitive information. PCI Compliance is an adherence to these rigorous standards in the way your business conducts and handles the information. DataBank's facilities and critical infrastructure receive an annual "Report on Compliance" ensuring that they meet controls for a PCI-DSS-compliant facility.
Cloud security standards at Giva
Physical and cloud security
Giva uses DataBank to host our applications, and all customer data is maintained by them. DataBank is a global organisation recognised as a top specialist in HIPAA and HITECH compliance and other high security hosting such as FedRAMP and StateRAMP.
Many US federal government agencies use their infrastructure. All physical access is highly controlled and monitored. There are guards on each site, and there are state-of-the-art video surveillance systems, biometric locks and other high security measures to assure physical security.
Giva uses a secure database for customer data with very limited access, and it can only be accessed via a secure VPN with a secure remote connection.
Giva utilises the latest version of the TLS protocol to ensure the most secure communication between our servers. Any communication between our applications or APIs is also transmitted using strong encryption.
Giva uses specialised hardware-based firewalls to block unauthorised access.
Business continuity and disaster recovery
Giva provides a hardened and highly redundant environment that is fault tolerant, resilient and designed to withstand unauthorised access. DataBank uses a third party to provide penetration testing on a recurring basis to make sure that their high security standards are always maintained.
Giva's network security standards
Dedicated security team
Giva and DataBank's security teams are constantly monitoring our server infrastructure 24/7 to make sure that all is safe and secure. Anything that appears unusual is quickly investigated, and we use automated alerts to be proactive.
DataBank provides network protection through their security services. They engage independent third parties for penetration testing on an ongoing basis to get an unbiased review of their network security. We use Cloudflare for additional security to monitor and block malicious traffic and network attacks.
Network security architecture
Giva's network security architecture has separate security zones for each of the sensitive systems, such as the database, web and storage servers. We calibrate sensitivity, function, and risk to determine what other security zones are necessary for other key subsystems. We apply monitoring and access controls to all security zones, with DMZs between the different zones.
Network vulnerability scanning
DataBank is continuously performing network vulnerability scanning to quickly identify any potentially vulnerable systems.
Third-party penetration tests
Multiple times each year DataBank uses third-party, independent security experts to perform comprehensive penetration testing.
Security incident event management
Our security systems generate logs from all important parts of the network, and they are integrated with alert triggers to notify the security teams for investigation and response.
Intrusion detection and prevention
All key points of our network within DataBank are monitored to detect abnormal traffic patterns and behavior. After key thresholds are crossed, alerts are generated and sent to the security teams. We use regularly-updated signatures based on new threats that we get access to by leveraging DataBank's relationship with the US Government.
Threat intelligence program
Giva and DataBank participate in several threat intelligence sharing programs so that emerging threats can be monitored and acted upon when necessary.
DataBank has a proprietary architecture for DDoS mitigation. They have a deep partnership with Cloudflare that provides network edge defense.
Giva's production network is highly restricted, enforces least privilege, and is monitored on an ongoing basis. Any Giva employee who can access the Giva production network must use two-factor authentication.
Security incident response
Any system alerts are escalated to our 24/7 Operations, Network Engineering, and Security teams. These employees are trained on security incident response processes and escalation paths.
Application security at Giva
Secure code training
Framework security controls
Giva uses secure open-source frameworks with security controls to limit exposure to the OWASP Top 10 security risks, e.g. SQL Injection, Cross Site Scripting, and Cross Site Request Forgery.
We have a strong focus on Quality Assurance (QA) since Giva uses Agile Software Development, which is a process that relies on iterations that build upon each other to deliver great products that customers desire in a timely manner. After a planning session based upon customer feedback, our software team writes code for two weeks and then performs QA for one week. During the QA cycle, our engineers are also looking for security vulnerabilities. If the code passes QA, then we put it into a release. We often do not know the exact release date until late in the QA cycle.
Giva has independent development, testing and staging environments that are completely separated from the production environment.
Dynamic vulnerability scanning
Giva uses security tools to continuously scan our code to prevent web application security risks including the OWASP Top 10 security risks.
Third-party penetration testing
Giva and DataBank use scanning and testing programs, as well as third-party security firms, to perform penetration testing on our infrastructure to ensure security and privacy.
Giva follows global security standards
Giva is HIPAA/HITRUST compliant and serves some of the largest hospitals and healthcare organisations. We meet our compliance obligations by offering a highly-secure environment and by signing a Business Associates Agreement with our customers.
Giva is GDPR compliant to assure our EU customers that we protect their data and are in full compliance with their local laws.
Giva is PIPEDA compliant to assure our Canadian customers that we protect their data and are in full compliance with their country's laws.
The Canadian Government's guide for PIPEDA compliance mandates the following security safeguards to provide protection:
- Physical measures
- Up-to-date technological tools
- Organisational controls
The following PIPEDA principles contribute to building trust in the digital economy:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure and retention
- Individual access
- Challenging compliance
Giva is CCPA compliant to assure our California customers that we protect their data and are in full compliance with their state's laws. The California Consumer Privacy Act (CCPA) allows California consumers to see all the information a company has saved on them, as well as a full list of all the third parties that data is shared with.
Giva does not share any data with third parties. The CCPA law went into effect on January 1, 2020, and enforcement on July 1, 2020.
Giva's internal security policy
The Giva Internal Security Policy is a collection of policies and guidelines for employees of Giva. The company has made a substantial investment in human and financial resources to create these systems. Additionally, Giva is entrusted with the private and confidential information and data of its customers, and as such must protect its own systems in a manner accordingly. If you would like to learn more about our internal security policy, please let us know, and we'll be happy to share the details with you.