Accessing and exchanging data is an inevitable part of our everyday lives. With an unprecedented level of online connection and the rapid advancement of generative AI, attackers can now use AI chatbots to help them write phishing lures and malicious code faster and at greater scale. In this fast-changing landscape, Candid is committed to safeguarding the data of the individuals and organizations that rely on our services, use our systems, and trust us with their information.
Cyber attacks are an ever-present threat, and even a single breach can have lasting consequences. As vice president of technology at Candid, I lead our efforts to ensure data security. Here’s a brief overview of how we achieve this.
Understanding and prioritizing the data
As a first step to ensuring data security, Candid maintains an inventory of all our data, including the type of data, where it's located, and how it's stored. This includes data stored in our own systems as well as on third-party systems. We then classify the data to decide where protection effort and resources should be concentrated. To assess the level of protection each type of data requires, we use a framework focused on confidentiality, integrity, and availability, known as the CIA triad:
Confidentiality: How confidential is the data? For example, personally identifiable information (PII) such as an individual's address is scored high. Much of our subscriber and user data is considered confidential and, as such, requires a higher degree of protection.
Integrity: How important is the accuracy and completeness of the data? How important is it to prevent malicious or accidental modification? For example, we need to protect and validate updates of donation information for nonprofits.
Availability: How important is it that the data is always available and accessible? For example, nonprofits rely on Candid's data integration with partner platforms; if that data is unavailable, the nonprofits do not appear on those platforms.
Candid uses all three considerations to guide system design and access control.
Implementing controls to safeguard data
To ensure data is secure, confidential, and handled responsibly, we’ve implemented a comprehensive set of controls, including:
Access control: We follow strict protocols to ensure that only authorized personnel can access sensitive data, including any data about our subscribers or users. Based on the principles of least privilege and role-based access control (RBAC), staff can access only the information they need to perform their specific roles, and nothing more. This structured approach makes it easier to manage and review access, reduces human error, and strengthens overall data protection.
Secure connections and strong authentication: To protect data in transit, Candid requires employees to connect to internal systems through a VPN. This encrypts traffic between the employee's device and our network, so internal systems do not need to be exposed directly to the public internet. We also use multi-factor authentication, so a stolen or guessed password alone is not enough to log in.
Employee training: Security is about more than just technology—it’s about people. All Candid employees—not just developers—receive monthly and annual mandatory training on the latest data security best practices.
Data encryption: For any storage system containing sensitive or confidential data, Candid uses encryption at rest. This means that even if the stored data were accessed by an unauthorized party, it would be unreadable without the appropriate decryption keys. Encryption at rest only helps if the keys are kept separate from the data they protect: a copied disk or database dump is useless to an attacker only as long as the key does not travel with it. This layer of protection helps minimize damage in the unlikely event of a breach.
Backups and redundancy: We perform regular backups of our systems, with frequency and retention based on how critical each system is to our operations. Backups are stored in multiple locations—including both cloud-based environments and secure on-premises servers—so we can recover data quickly and reliably in case of a disruption and users can continue to access Candid’s systems.
Vetting of vendor and third-party systems: Before partnering with any third-party service provider or vendor, Candid conducts a thorough review of their data security practices, and we continue to monitor and assess them for alignment with our standards and commitments to data protection.
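To make the encryption-at-rest item above concrete, here is an added example (not Candid's code, and not a description of Candid's systems) of how a record such as a subscriber's address would be sealed before it reaches storage. It uses AES-256-GCM from Go's standard library: a fresh random nonce per record, the record's ID bound in as associated data so a ciphertext cannot be silently moved to another row, and a key that is generated separately from the data (in practice it would come from a KMS or HSM). The record ID and address are constructed sample values; `EncryptRecord`, `DecryptRecord` and `NewKey` are names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedRecord is what the data store holds: ciphertext and nonce only, never the key.
type EncryptedRecord struct {
	ID         string // primary key; bound to the ciphertext as associated data
	Nonce      []byte // 12-byte random nonce, unique per encryption
	Ciphertext []byte // AES-GCM output, including the 16-byte authentication tag
}

// newAEAD builds an AES-256-GCM AEAD from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey generates a fresh 256-bit data-encryption key. In production this key
// would live in a KMS/HSM, not next to the data it protects (hypothetical helper).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// EncryptRecord seals plaintext under key. The record ID is passed as additional
// authenticated data, so a ciphertext copied onto another row fails to open.
func EncryptRecord(key []byte, id string, plaintext []byte) (EncryptedRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return EncryptedRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return EncryptedRecord{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(id))
	return EncryptedRecord{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord opens a record. It returns an error, and no plaintext, if the key is
// wrong, the nonce or ciphertext was modified, or the record ID does not match.
func DecryptRecord(key []byte, rec EncryptedRecord) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != aead.NonceSize() {
		return nil, errors.New("malformed nonce")
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.ID))
}

func main() {
	key, _ := NewKey()
	otherKey, _ := NewKey()

	// Constructed sample record: a subscriber address, scored confidential under the CIA triad.
	rec, err := EncryptRecord(key, "subscriber:1042", []byte("123 Main St, Springfield"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext: %x\n", rec.Ciphertext)

	pt, err := DecryptRecord(key, rec)
	fmt.Printf("right key:   %q err=%v\n", pt, err)

	_, err = DecryptRecord(otherKey, rec)
	fmt.Printf("wrong key:   err=%v\n", err)

	tampered := rec
	tampered.Ciphertext = append([]byte(nil), rec.Ciphertext...) // copy before flipping a bit
	tampered.Ciphertext[0] ^= 0x01
	_, err = DecryptRecord(key, tampered)
	fmt.Printf("tampered:    err=%v\n", err)

	moved := rec
	moved.ID = "subscriber:2000" // same ciphertext placed on another subscriber's row
	_, err = DecryptRecord(key, moved)
	fmt.Printf("swapped row: err=%v\n", err)
}
```

The three failing cases are the point: the authentication tag makes a wrong key, a modified byte, and a ciphertext moved between rows all fail closed, which covers the integrity leg of the CIA triad as well as confidentiality. The example deliberately keeps the key out of `EncryptedRecord`; storing the key alongside the ciphertext would make the encryption decorative.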
Ensuring consistent execution and follow-through
Yet it's not enough to classify data and implement controls. To ensure consistent execution and to keep the right practices in place, Candid decided to pursue SOC 2 compliance. SOC 2 is an auditing standard under which an independent auditor attests that an organization's controls for protecting customer data are suitably designed and operating effectively. To remain compliant, Candid undergoes an annual audit in which a third-party auditor reviews our controls and policies, as well as the evidence that we follow them, including in our use of vendors and third-party systems.
With the rapid evolution and expansion of generative AI, data security will only become more important in the days and years ahead. At Candid, we know trust is earned, and data protection plays a major role in that trust. Every control we put in place is designed to safeguard the information you share with us and ensure it’s used responsibly and securely. As technology and cyber threats continue to evolve, so will our practices—because protecting your data requires an ongoing commitment.
The post How we ensure data security at Candid appeared first on Candid insights.