Specifications - Security and Privacy

How do I get my forgotten password?

If you don't remember your password you may request an automatic resending of the password from the Login page by clicking on the "Forgot Password?" link. The password will be sent to the email address associated with the user account.

How do I get my forgotten user name?

If you don't remember your user name please contact us for further assistance.

What are your user and privacy policies?

Our user agreement and privacy policies are posted on the website. The links to the policies may be found in the footer of any website page.

Does the system offer password protected accounts?

Secure password protected access is supported for every user account in the system. All passwords are stored in our database as hashes. At no time are any Common Grant Application personnel or others able to view any password. The user specifies their own user name and password when they register an account. The user may change their user name or password at their discretion.

Who can access the organization's account information?

Applicants cannot access other applicant or grantmaker accounts and grantmakers cannot access other grantmaker or applicant accounts. Users within the same account (e.g. owner, administrator, reviewer, etc.) can access and change information within their own organization's account based on their particular access permissions.

Who can access applications that have been submitted to a grantmaker?

Applications between an applicant and a grantmaker can only be seen by that applicant and grantmaker pair; no other applicants or grantmakers can see the application. There is one exception: grantmakers can configure a privacy option that controls whether a short summary version of each application submitted to the grantmaker is shared on the statistics page. The short summary includes the applicant name, city, state, country, grant cycle, type, cause and whether the application was approved, not approved or pending.

How can I control access to my information?

Applicants and grantmakers will be able to specify what information is available to the general public and what information is available to either all or specified registered users of this website.

Why does "https" or the image of a padlock appear in my browser input area?

These indicate that Common Grant Application is using the Secure Sockets Layer (SSL) security mechanism to ensure the security and privacy of your communications with our server. Encryption mechanisms are used to guard against others intercepting your data; data integrity mechanisms are used to ensure your information has not been tampered with; and authentication mechanisms using digital certificates are used to ensure that you are really communicating with whom you believe you are communicating with (i.e. us). The SSL security mechanism is used for all services and all billing and payment transactions. All billing and credit card payment transactions additionally meet the Payment Card Industry (PCI) security standards. These standards have been designed by the credit card industry to ensure the security and privacy of your credit card information.

How do I turn on or enable cookies?

To turn on or enable cookies, follow the instructions at: Help -> Signing into Your Account - Cookies.

How do cookies work on this website?

"Cookies" are small text files containing a string of alphanumeric characters sent to your computer that uniquely identifies your web browser. Cookies are not used for this website's Basic services. The Basic services are all of the things you can view and do without logging in. Cookies are required to log in to the website for the Select or Complete services. We use cookies for the Select and Complete services to ensure security and allow our software to manage your visit.

We use two types of cookies when you login. One is a session cookie, which lasts from the time you click on the Login tab until the time you click on the Logout tab (or 90 minutes from your last activity on the site, whichever comes first). If you exit your browser without clicking on the Logout tab, and you return to the website within 30 minutes from your last activity, we will remember you and you will not have to login again. If 90 minutes have passed since your last activity, you will have to login again.

The other type of cookie is a persistent cookie. This type of cookie is only used if you check the "Remember Me" box on the Login tab. This cookie will either last for 14 days or until you click the Logout tab. If you exit your browser without clicking on the Logout tab, and you return to the website within 14 days, we will remember you and you will not have to login again. If 14 days have passed since your last login, or you clicked the Logout tab, you will have to login again.

Note: If you are using a public or shared computer, please make sure to click the Logout tab when you're done working with our site. This will ensure the privacy of your organization's account and data. For similar reasons, we do not recommend checking the "Remember me for 2 weeks" box if you are using a public or shared computer.

Cookies for our website may not work if they are not properly enabled on your Web browser.
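The two cookie lifetimes described above (a session that expires 90 minutes after the last activity, and a "Remember Me" cookie that lasts 14 days or until Logout) can be modelled as a server-side session table that decides whether a presented cookie is still valid. This is an added illustration, not code from the Common Grant Application site; the class and method names are assumed, and the browser is assumed to hold only the opaque token.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Lifetimes as stated on the help page.
IDLE_TIMEOUT = timedelta(minutes=90)       # session cookie: 90 minutes from last activity
REMEMBER_ME_LIFETIME = timedelta(days=14)  # persistent cookie: 14 days from login


@dataclass
class Session:
    user: str
    created_at: datetime      # time of login
    last_activity: datetime   # updated on every authenticated request
    remember_me: bool         # True if the "Remember Me" box was checked


@dataclass
class SessionStore:
    """Server-side session table; the cookie value is only a lookup key (assumed design)."""
    sessions: dict = field(default_factory=dict)

    def login(self, user: str, now: datetime, remember_me: bool = False) -> str:
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self.sessions[token] = Session(user, now, now, remember_me)
        return token

    def logout(self, token: str) -> None:
        # Clicking Logout invalidates both the session and the persistent cookie,
        # so a copied cookie value is useless afterwards.
        self.sessions.pop(token, None)

    def authenticate(self, token: str, now: datetime):
        """Return the user for a presented cookie, or None if they must log in again."""
        s = self.sessions.get(token)
        if s is None:
            return None
        idle_ok = now - s.last_activity <= IDLE_TIMEOUT
        remembered = s.remember_me and now - s.created_at <= REMEMBER_ME_LIFETIME
        if not (idle_ok or remembered):
            self.sessions.pop(token, None)  # expired: drop it server side as well
            return None
        s.last_activity = now  # activity extends the 90-minute window
        return s.user
```

A shared-computer risk the Note above points at is visible here: without Logout, a remembered token stays valid in the table for the full 14 days.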

What steps does the Common Grant Application take to safeguard my credit card information?

We take the security of your credit card information very seriously. To that end, we have implemented a number of safeguards to protect this information. We use a variety of administrative, technical and physical measures to protect your personal information against unauthorized access, disclosure, alteration and destruction.

Your credit card information is only shared with our banking service provider and the credit card processor or bank that you have chosen in order to complete on-line payment of applicable fees. It is not shared with other users or third parties. We do not store any sensitive information on our own servers; it is stored with our credit card processor service provider. We pass your credit card information to our credit card processor service provider the first time you submit it, using the Secure Sockets Layer (SSL) security mechanism. At no time are any Common Grant Application personnel able to view a customer's complete credit card information. We store only a minimal amount of information (last 4 digits, type of card, and expiration date) about each transaction on our servers so that we may serve you if you contact us with questions about a transaction.

How are Common Grant Application servers secured?

Our servers are hosted in Dallas, TX and elsewhere at data centers that host hundreds of thousands of server blades with a wide range of backup, privacy, security, monitoring and performance options. The data centers are SSAE16 (SOC1) compliant, which means there is 24/7 physical security of the data center and network operations center, integrated server hardening, regular full-time virus scanning and system patching, and regular security review audits.

How are backups secured?

Backups of our server in Dallas are performed daily and transferred over a Virtual Private Network (VPN) to a backup server in Washington, DC. Backups of our other server are stored across multiple servers in a large cloud-based network.

Does the Common Grant Application have any independently accredited security certificates?

We do not have any independently accredited security and service certificates, other than SSL certificates we maintain for secure access to our servers.

Does the Common Grant Application comply with the European Union (EU) Data Protection Directive 95/46/EC?

A brief description of our compliance to the separate articles of the European Union (EU) Data Protection Directive 95/46/EC is provided below.

Articles 1 - 3: Not applicable.

Article 4 - National Law Applicable: This is a complicated jurisdictional question. We provide a Web-based service and are a processor and controller based in the United States. Individual grantmakers may be a combination of processors and controllers. Applicants are the data subjects. Please contact us for further discussion about this article.

Article 6 - Principles relating to data quality: The permitted and prohibited uses of our service are specified in Sections 2 and 3 of our User Agreement.

All information in our system (other than some public information collected from taxing authorities) is provided and maintained by the data subjects (applicants and grantmakers). The data subjects can provide, review, change and delete any information in their account at any time. The only exception is that the information in an application that has been submitted to a grantmaker cannot be changed by the applicant; it can only be changed by the grantmaker.

Some information, in the form of applications, is kept until both the applicant and grantmaker accounts that are associated with the application are closed and deleted.

Other information, in the form of applicant and grantmaker account information, is kept until accounts are closed and deleted. Applicants or grantmakers may close an account at any time by notifying Common Grant Application.

Article 7 - Criteria for making data processing legitimate: Applicants and grantmakers may not open an account unless they agree to our User Agreement and Privacy Policy, which, as indicated under Article 6, specify the uses for the personal information and how it may be processed. The exemptions we reserve for the disclosure of personal information are specified in Section 4 of our Privacy Policy. The permitted and prohibited uses of our service are specified in Sections 2 and 3 of our User Agreement.

Article 8 - The special categories of processing: It is possible that some collected personal information of the data subject may identify racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and/or other characteristics of the data subject. The data subjects can provide, review, change and delete any of this information in their account at any time. We do not require or enforce appropriate processing guarantees from the foundations, associations or non-profits using our system. That is between the applicants and grantmakers using our system.

Article 9 - Processing of personal data and freedom of expression: Not applicable.

Article 10 - Information in cases of collection of data from the data subject: The identity of the controller and the purpose are all indicated in our User Agreement and Privacy Policy. All applicants and grantmakers may easily contact the Common Grant Application directly by email or phone.

Article 11 - Information where the data have not been obtained from the data subject: The only case in which we collect information about a data subject that has not been obtained from the data subject is that of U.S. based non-profit organizations; we use their tax ID numbers to collect information from a publicly available taxing authority (i.e. IRS) database. This tax information may be included in the organization's account and application. The source of the information is indicated, and it is not something that we have any ability to modify.

Article 12 - Right of access: All data subjects may directly access information by logging in to the system. Data subjects can provide, review, change and delete any information in their account at any time. Applicants or grantmakers may close an account at any time by notifying Common Grant Application.

No automated decisions are made by our system. The grant decision process is entirely under the control of the grantmaker. We simply provide a service that facilitates and manages the grantmaking process between the applicant and grantmaker.

We do not provide any personal information to any 3rd parties, other than billing information to our payment processor. Our payment processor does not have access to any personal information other than what is necessary to make a credit card charge. We push the information to them; they cannot pull any information from our system. Any change made by a data subject to their billing information is immediately communicated to the payment processor.

Article 13 - Exemptions and restrictions: The exemptions we reserve for the disclosure of personal information are specified in Section 4 of our Privacy Policy.

Article 14 - The data subject's right to object: We do not provide any personal information to any 3rd parties, other than billing information to our payment processor. We do not provide any information to 3rd party direct marketers. Applicants and grantmakers may individually configure email preferences that specify what system conditions will generate emails to their attention.

Article 15 - Automated individual decisions: Our systems do not make any automated decisions.

Article 16 - Confidentiality of processing: We do not provide any personal information to any 3rd parties, other than billing information to our payment processor. Our payment processor does not process information for billing purposes unless specifically requested to do so by our system.

Article 17 - Security of processing: The Common Grant Application uses only four 3rd party service providers. Our servers are hosted in Dallas, TX and elsewhere by two different service providers. Another service provider provides management services for one of our servers. All payment processing is performed by a service provider in San Francisco, CA. All four companies are very large service providers in their respective areas of expertise and have mature, well developed and well documented technical and organizational security measures to protect and keep personal information secure and private.

Article 18 - Obligation to notify the supervisory authority: We do not report to any supervisory authority. The location of the control and processing of the data subject's personal information is specified in Section 14 of our Privacy Policy.

Article 19 - Contents of notification: Not applicable.

Article 20 - Prior checking: We have not operated with any prior checking.

Article 21 - Publicizing of processing operations: Not applicable, we're not a member state.

Article 22 - Remedies: Not applicable, we're not a member state.

Article 23 - Liability: Not applicable, we're not a member state.

Article 24 - Sanctions: Not applicable, we're not a member state.

Article 25 - Principles: As mentioned under Article 4, we operate in a complicated jurisdictional environment. Please contact us for further discussion about this article.

Article 26 - Derogations: The location of the control and processing of the data subject's personal information is specified in Section 14 of our Privacy Policy.

Articles 27 - 34: Not applicable.

Does the Common Grant Application comply with the European Union (EU) General Data Protection Regulation (GDPR)?

If you are a User located in a European Union country, Iceland, Liechtenstein, Norway, or Switzerland and you provide us with your personal information, you are now afforded new widespread privacy rights under the General Data Protection Regulation (GDPR) effective May 25, 2018. Under the GDPR, new higher standards on what is considered the lawful processing of EU data are imposed; there are now more explicit privacy rights afforded to you; and there are now new accountability standards imposed on organizations that collect, handle, store and/or process your data. For purposes of GDPR the Common Grant Application is a data processor and its grantmakers are data controllers.

Under the GDPR, from the moment that we first collect your data, you are now afforded various new privacy rights, including but not necessarily limited to:

Right: The right to know who decided what personal data is being collected from you and the purpose behind doing so.
Note: The Common Grant Application decides which personal data (currently name, country and email address for applicants, and name, organization name, address, phone number and email address for grantmakers) is needed to open an account and to provide, maintain and administer the Web site services. The grantmaker decides entirely at their own discretion which required and optional personal data is needed to submit an application to the grantmaker.

Right: The right to know each purpose and legal justification why your personal data is being collected and processed, and why collecting and processing it is needed to accomplish the disclosed purpose(s).
Note: The collection, use and disclosure of personal data is described in section 2. Permitted Uses of the User Agreement and in sections 2. Collection, 3. Use and 4. Our Disclosure of Your Information of the Privacy Policy.

Right: The identity of all third-party recipients who are to receive your personal data.
Note: The Common Grant Application uses only four 3rd party service providers. Our servers are hosted in Dallas, TX and elsewhere by two different service providers. Another service provider provides management services for one of our servers. All payment processing is performed by a service provider in San Francisco, CA. All four companies are very large service providers in their respective areas of expertise and have mature, well developed and well documented technical and organizational security measures to protect and keep personal information secure and private.

Right: The right to know if your personal data is to be transferred out of the EU.
Note: All personal data is collected and stored on servers located in the United States. Grantmakers that use the information may be located inside or outside of the United States.

Right: The right to know how long your personal data will be stored, and not to have it stored longer than needed to accomplish the stated purpose.
Note: Account personal data is kept as long as the account is left open. Application personal data is kept as long as the application is not withdrawn or deleted, which can be for the lifetime of the grantmaker account.

Right: The right to access, receive or correct your personal data at any time.
Note: User management of personal data is described at Help -> Managing Personal Information - Overview.

Right: The right to have your personal data erased (where there is no longer legal or necessary grounds to process or store your personal data).
Note: User management of personal data is described at Help -> Managing Personal Information - Overview.

Right: The right to have your personal data transferred to another at any time.
Note: All applications can be exported at any time from the system by either printing a PDF or generating a Zip file of the application and any associated documents. User management of personal data is described at Help -> Managing Personal Information - Overview.

Right: The right to restrict or otherwise object to the processing of your personal data at any time where your personal data is not accurate, where the processing is unlawful, where your personal data is no longer needed or where there is no longer good legitimate grounds to process your personal data.
Note: The general policies for a user's management of their personal data are described in sections 9. Accessing, Reviewing and Changing Your Personal Information and 10. Removing Your Personal Information of the Privacy Policy. User management of personal data is described at Help -> Managing Personal Information - Overview.

Right: The right to easily and conveniently withdraw your consent to the collection, handling, storage and/or processing of your personal data at any time, and to complain to us and/or the appropriate EU "supervisory authorities" if you believe any of your rights are being violated.

Right: The right to know if you are being "profiled" or "monitored", or if certain decisions are being made automatically based on your personal data.
Note: The Common Grant Application performs no profiling or monitoring, and makes no automatic decisions based on personal data.

Right: The right to know about, and to have your personal data processed only for, the purpose for which you provided explicit affirmative informed consent, and not for any other purpose which was either never disclosed to you or for which you never provided explicit affirmative informed consent.

Right: The right to know that all of the personal data that was collected, handled, stored and processed was needed in order to accomplish the purpose to which you have affirmatively and explicitly consented.

In general, the Common Grant Application complies with these rights.

Can you guarantee forensic destruction of information in your system?

We cannot guarantee forensic destruction of all information if an applicant or grantmaker stops using our system. The Linux, Apache, MySQL and PHP (LAMP) environment is not conducive to the forensic destruction of information. If an account is closed, we can guarantee that in future the information associated with the account will no longer be accessible from the public side of our website and that it will also not be accessible to users associated with the account. Information in an already submitted application will not be deleted until the accounts of both the applicant and the grantmaker associated with the application are closed.