Security and privacy of Customers' data is Volgistics' number one priority. Volgistics incorporates many of the same mission-critical security and privacy protections as those used by online banking services.
Volgistics uses a layered approach to security, and strives to follow industry standard best practices at each level. Security begins with the physical security of the Volgistics data center, continues to network security, and ends with the protection of the data itself.
The Volgistics system is operated exclusively by Volgistics from a secure data center. The data center is located in the central United States. The physical environment is designed to keep data and equipment secure 24 hours a day, including 24x7 secured access, security alarms, video surveillance, smoke and fire detection, and a fire suppression system. Authorized Volgistics employees are the only people who have access to the Volgistics system.
- The Volgistics system is accessible only to Volgistics employees.
- All data center equipment is owned and operated by Volgistics.
- Third party vendors who require access to the system are escorted and supervised by a Volgistics engineer.
Volgistics strictly safeguards Customer data and transactions while they are in transit. Volgistics uses 256-bit Secure Sockets Layer (SSL) data encryption--the same level of encryption used in most online banking. In legacy systems, 128-bit SSL encryption may be used.
With SSL, all of your volunteer information is encrypted--or scrambled--as it travels back and forth between your computer and the Volgistics data center. Even if someone were able to intercept the information as it traveled over the Internet, it would be meaningless to them in this encrypted form. This is a higher level of security than that used internally on most corporate networks.
Volgistics uses Extended Validation SSL Certificates, also known as EV Certificates, to provide strict validation requirements and strong visual signals to verify security. The certificates verify that all data claimed to have originated from the Volgistics web site did, in fact, originate from that site, and that it has not been tampered with along the way. A digital certificate is the industry standard, and can be neither forged nor decoded with current or foreseeable technology.
- All external Volgistics database transactions, including the transmission of volunteer data and reports, are conducted under 128- or 256-bit SSL. Consistent with common practices in the industry, email transmissions from Volgistics to other email service providers are not encrypted.
- Volgistics uses Cisco stateful-inspection hardware firewalls to prevent unauthorized access to the Volgistics network.
- Volgistics audits login events (including successes and failures) on servers and network devices that support auditing, and monitors these logs for unusual activity.
Designed expressly for secure Internet operations, the Volgistics database itself includes advanced security, data integrity, and encryption protections. Volgistics data never leaves the control of Volgistics. Backup data is encrypted for additional protection.
- Each account has an event log that shows which system operators accessed the system, when, and the IP address used.
- Customers can set and enforce strong password policies, and password expirations for their accounts.
- Volgistics sessions expire automatically after a period of inactivity.
- Volgistics stores backup media in the secure data center and in a secure off-site location. Backup media never leave the control of Volgistics (they are never shipped by third party carriers). All backup data are stored in an encrypted format for additional security.
Volgistics' security information is available in a printable form in the Volgistics Service Agreement PDF file.
Assess & Limit Your Risk
No matter what tools you use to track volunteer information, there's often a simple way to limit your risk when it comes to storing your volunteers' personal information.
In the United States, most state and federal laws governing the protection of privacy define protected personal information as first and last name, plus any one of these:
- Social security number (SSN)
- Driver's license number
- Financial account or credit card number
While tracking a volunteer's first and last name is naturally important, it is often possible to operate a volunteer program successfully without asking volunteers to provide their social security number or driver's license number. If you can operate this way, and make it a policy to do so, you will have substantially reduced your vulnerability from the very start.
Some volunteer programs must collect and store social security and/or driver's license numbers. For example, organizations that perform background checks on prospective volunteers typically need one or both of these numbers. In these cases you should carefully examine how you collect and store this information.
If you choose to store social security and driver's license numbers in Volgistics, this information is protected by Volgistics as described in the Volgistics Security statement along with the other volunteer information you track.
If you prefer not to store social security numbers and driver's license numbers in Volgistics, you can still use Volgistics effectively for all volunteer recruiting, tracking, and coordination functions. You can use the Volgistics PIN as a common key to associate each volunteer's Volgistics record with the social security number and/or driver's license number stored locally on your own computer or network. If you choose this approach, be sure you protect the information you store locally.
It is also a good idea to require strong passwords for the system operators who access your account. Volgistics allows you to customize the password strength rules for your account. Options include case sensitivity, password length requirements from 6 to 30 characters, password expirations in 30-day increments from 30 to 300 days, and mandatory inclusion of numeric characters and symbols. Strong password requirements can help eliminate the security vulnerability caused by the human tendency to use simple, easy-to-guess passwords.
Volgistics was designed to track volunteer records, not patient information. Therefore, the system does not include Protected Health Information and Volgistics should not be considered a Covered Entity for HIPAA purposes.