Specifications - Security and Privacy

How do I get my forgotten password?

If you don't remember your password, you may request an automatic resending of the password from the Login page by clicking on the "Forgot Password?" link. The password will be sent to the email address associated with the user account.

How do I get my forgotten user name?

If you don't remember your user name please contact us for further assistance.

What are your user and privacy policies?

Our user agreement and privacy policies are posted on the website. The links to the policies may be found in the footer of any website page.

Does the system offer password protected accounts?

Secure password protected access is supported for every user account in the system. All passwords are stored in our database as hashes. At no time are any Common Grant Application personnel or others able to view any password. The user specifies their own user name and password when they register an account. The user may change their user name or password at their discretion.

Who can access the organization's account information?

Applicants cannot access other applicant or grantmaker accounts and grantmakers cannot access other grantmaker or applicant accounts. Users within the same account (e.g. owner, administrator, reviewer, etc.) can access and change information within their own organization's account based on their particular access permissions.

Who can access applications that have been submitted to a grantmaker?

Applications between an applicant and a grantmaker can only be seen by that applicant and grantmaker pair; no other applicants or grantmakers can see the application. There is one exception: grantmakers can configure a privacy option to share, or not share, on the statistics page a short summary version of each application that has been submitted to the grantmaker. The short summary includes the applicant name, city, state, country, grant cycle, type, cause and whether the application was approved, not approved or pending.

How can I control access to my information?

Applicants and grantmakers will be able to specify what information is available to the general public and what information is available to either all or specified registered users of this website.

Why does "https" or the image of a padlock appear in my browser input area?

These indicate that Common Grant Application is using the Secure Sockets Layer (SSL) security mechanism to ensure the security and privacy of your communications with our server. Encryption mechanisms guard against others intercepting your data, data integrity mechanisms ensure your information has not been tampered with, and authentication mechanisms using digital certificates ensure that you are really communicating with whom you believe you are communicating (i.e. us). The SSL security mechanism is used for all services and all billing and payment transactions. All billing and credit card payment transactions additionally meet the Payment Card Industry (PCI) security standards. These standards were designed by the credit card industry to ensure the security and privacy of your credit card information.

How do I turn on or enable cookies?

To turn on or enable cookies, follow the instructions at: Help -> Signing into Your Account - Cookies.

How do cookies work on this website?

"Cookies" are small text files containing a string of alphanumeric characters sent to your computer that uniquely identifies your web browser. Cookies are not used for this website's Basic services. The Basic services are all of the things you can view and do without logging in. Cookies are required to log in to the website for the Select or Complete services. We use cookies for the Select and Complete services to ensure security and allow our software to manage your visit.

We use two types of cookies when you log in. One is a session cookie, which lasts from the time you click on the Login tab until the time you click on the Logout tab (or 90 minutes from your last activity on the site, whichever comes first). If you exit your browser without clicking on the Logout tab, and you return to the website within 30 minutes from your last activity, we will remember you and you will not have to log in again. If 90 minutes have passed since your last activity, you will have to log in again.

The other type of cookie is a persistent cookie. This type of cookie is only used if you check the "Remember Me" box on the Login tab. This cookie will last either for 14 days or until you click the Logout tab. If you exit your browser without clicking on the Logout tab, and you return to the website within 14 days, we will remember you and you will not have to log in again. If 14 days have passed since your last login, or you clicked the Logout tab, you will have to log in again.

Note: If you are using a public or shared computer, please make sure to click the Logout tab when you're done working with our site. This will ensure the privacy of your organization's account and data. For similar reasons, we do not recommend checking the "Remember me for 2 weeks" box if you are using a public or shared computer.

Cookies for our website may not work if they are not properly enabled on your Web browser.
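The two cookie lifetimes described above, modelled as an added example (this is illustrative Python, not the site's own PHP code): the session cookie expires 90 minutes after the last activity and that window slides with each request, the "Remember Me" cookie has an absolute 14-day lifetime counted from login, and clicking Logout invalidates both. The Set-Cookie helper shows the hardening attributes a login cookie should carry; the cookie names and token value are constructed for the example.

```python
from dataclasses import dataclass

SESSION_IDLE_LIMIT = 90 * 60           # session cookie: 90 minutes since last activity
REMEMBER_ME_LIFETIME = 14 * 24 * 3600  # persistent cookie: 14 days from login, not from activity


@dataclass
class Login:
    login_at: int          # epoch seconds when the user clicked the Login tab
    last_activity: int     # epoch seconds of the most recent authenticated request
    remember_me: bool      # whether the "Remember Me" box was checked
    logged_out: bool = False


def touch(login: Login, now: int) -> None:
    """Each authenticated request slides the idle window forward."""
    login.last_activity = now


def logout(login: Login) -> None:
    """Clicking Logout invalidates both cookies regardless of remaining lifetime."""
    login.logged_out = True


def is_authenticated(login: Login, now: int) -> bool:
    """Decide whether a request at time `now` is still logged in."""
    if login.logged_out:
        return False
    if now - login.last_activity <= SESSION_IDLE_LIMIT:
        return True   # session cookie still within its idle window
    if login.remember_me and now - login.login_at <= REMEMBER_ME_LIFETIME:
        return True   # persistent cookie re-establishes the session
    return False


def set_cookie_header(name: str, value: str, persistent: bool) -> str:
    """Render a Set-Cookie value with the attributes a login cookie should carry.

    Secure keeps it off plain HTTP, HttpOnly keeps it away from page scripts,
    SameSite=Lax limits cross-site sending. Without Max-Age the browser discards
    the cookie when it closes, which is what a session cookie needs.
    """
    attrs = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if persistent:
        attrs.append(f"Max-Age={REMEMBER_ME_LIFETIME}")
    return "; ".join(attrs)
```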

What steps does the Common Grant Application take to safeguard my credit card information?

We take the security of your credit card information very seriously. To that end, we have implemented a number of safeguards to protect this information. We use a variety of administrative, technical and physical measures to protect your personal information against unauthorized access, disclosure, alteration and destruction.

Your credit card information is only shared with our banking service provider and the credit card processor or bank that you have chosen in order to complete on-line payment of applicable fees. It is not shared with other users or third parties. We do not store any sensitive information on our own servers; it is stored with our credit card processor service provider. We pass your credit card information to our credit card processor service provider the first time you submit it, using the Secure Sockets Layer (SSL) security mechanism. At no time are any Common Grant Application personnel able to view a customer's complete credit card information. We store only a minimal amount of information (last 4 digits, type of card, and expiration date) about each transaction on our servers so that we may serve you if you contact us with questions about a transaction.

How are Common Grant Application servers secured?

Our server is hosted in Dallas at a data center that hosts over 150,000 server blades with a wide range of backup, privacy, security, monitoring and performance options. The data center is SSAE16 (SOC1) compliant, which means there is 24/7 physical security of the data center and network operations center, integrated server hardening, regular full-time virus scanning and system patching, and regular security review audits.

How are backups secured?

Backups of our server in Dallas are performed daily and transferred over a Virtual Private Network (VPN) to a backup server in Washington, DC.

Does the Common Grant Application have any independently accredited security certificates?

We do not have any independently accredited security and service certificates, other than SSL certificates we maintain for secure access to our servers.

Does the Common Grant Application comply with the European Union (EU) Data Protection Directive 95/46/EC?

A brief description of our compliance to the separate articles of the European Union (EU) Data Protection Directive 95/46/EC is provided below.

Articles 1-3: Not applicable.

Article 4 (National law applicable): This is a jurisdictional question that is complicated. We provide a Web-based service and are a processor and controller based in the United States. Individual grantmakers may be a combination of processors and controllers. Applicants are the data subjects. Please contact us for further discussion about this article.

Article 6 (Principles relating to data quality): The permitted and prohibited uses of our service are specified in Sections 2 and 3 of our User Agreement.

All information in our system (other than some public information collected from taxing authorities) is provided and maintained by the data subjects (applicants and grantmakers). The data subjects can provide, review, change and delete any information in their account at any time. The only exception is that the information in an application that has been submitted to a grantmaker cannot be changed by the applicant; it can only be changed by the grantmaker.

Some information, in the form of applications, is kept until both the applicant and grantmaker accounts that are associated with the application are closed and deleted.

Other information, in the form of applicant and grantmaker account information, is kept until accounts are closed and deleted. Applicants or grantmakers may close an account at any time by notifying Common Grant Application.

Article 7 (Criteria for making data processing legitimate): Applicants and grantmakers may not open an account unless they agree to our User Agreement and Privacy Policy, which, as indicated under Article 6, specify the uses for the personal information and how it may be processed. The exemptions we reserve for the disclosure of personal information are specified in Section 4 of our Privacy Policy. The permitted and prohibited uses of our service are specified in Sections 2 and 3 of our User Agreement.

Article 8 (The special categories of processing): It is possible that some collected personal information of the data subject may identify racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and/or other characteristics of the data subject. The data subjects can provide, review, change and delete any of this information in their account at any time. We do not require or enforce appropriate processing guarantees from the foundations, associations or non-profits using our system. That is between the applicants and grantmakers using our system.

Article 9 (Processing of personal data and freedom of expression): Not applicable.

Article 10 (Information in cases of collection of data from the data subject): The identity of the controller and the purpose are indicated in our User Agreement and Privacy Policy. All applicants and grantmakers may easily contact Common Grant Application directly by email or phone.

Article 11 (Information where the data have not been obtained from the data subject): The only case in which we collect information about a data subject that has not been obtained from the data subject is that of U.S.-based non-profit organizations; we use their tax ID numbers to collect information from a publicly available taxing authority (i.e. IRS) database. This tax information may be included in the organization's account and application. The source of the information is indicated, and it is not something that we have any ability to modify.

Article 12 (Right of access): All data subjects may directly access information by logging in to the system. Data subjects can provide, review, change and delete any information in their account at any time. Applicants or grantmakers may close an account at any time by notifying Common Grant Application.

No automated decisions are made by our system. The grant decision process is entirely under the control of the grantmaker. We simply provide a service that facilitates and manages the grantmaking process between the applicant and grantmaker.

We do not provide any personal information to any 3rd parties, other than billing information to our payment processor. Our payment processor does not have access to any personal information other than what is necessary to make a credit card charge. We push the information to them; they cannot pull any information from our system. Any change made by a data subject to their billing information is immediately communicated to the payment processor.

Article 13 (Exemptions and restrictions): The exemptions we reserve for the disclosure of personal information are specified in Section 4 of our Privacy Policy.

Article 14 (The data subject's right to object): We do not provide any personal information to any 3rd parties, other than billing information to our payment processor. We do not provide any information to 3rd party direct marketers. Applicants and grantmakers may individually configure email preferences that specify what system conditions will generate emails to their attention.

Article 15 (Automated individual decisions): Our systems do not make any automated decisions.

Article 16 (Confidentiality of processing): We do not provide any personal information to any 3rd parties, other than billing information to our payment processor. Our payment processor does not process information for billing purposes unless specifically requested to do so by our system.

Article 17 (Security of processing): Common Grant Application uses only two 3rd party service providers. Our servers are hosted in Dallas, TX. All payment processing is performed in San Francisco, CA. Both companies are very large service providers in their respective areas of expertise. They both have mature, well developed and well documented technical and organizational security measures to protect and keep personal information secure and private.

Article 18 (Obligation to notify the supervisory authority): We do not report to any supervisory authority. The location of the control and processing of the data subjects' personal information is specified in Section 14 of our Privacy Policy.

Article 19 (Contents of notification): Not applicable.

Article 20 (Prior checking): We have not operated with any prior checking.

Article 21 (Publicizing of processing operations): Not applicable, we're not a member state.

Article 22 (Remedies): Not applicable, we're not a member state.

Article 23 (Liability): Not applicable, we're not a member state.

Article 24 (Sanctions): Not applicable, we're not a member state.

Article 25 (Principles): As mentioned under Article 4, we operate in a complicated jurisdictional environment. Please contact us for further discussion about this article.

Article 26 (Derogations): The location of the control and processing of the data subjects' personal information is specified in Section 14 of our Privacy Policy.

Articles 27-34: Not applicable.

Does the Common Grant Application comply with the European Union (EU) General Data Protection Regulation (GDPR)?

The European Union (EU) General Data Protection Regulation (GDPR) is a work in progress and depending on when it is adopted won't take effect until 2016 or so. We do not make any explicit claims to supporting or not supporting the GDPR at this time.

Can you guarantee forensic destruction of information in your system?

We cannot guarantee forensic destruction of all information if an applicant or grantmaker stops using our system. The Linux, Apache, MySQL and PHP (LAMP) environment is not conducive to the forensic destruction of information. If an account is closed, we can guarantee that in future the information associated with the account will no longer be accessible from the public side of our website and that it will also not be accessible to users associated with the account. Information in an already submitted application will not be deleted until the accounts of both the applicant and the grantmaker associated with the application are closed.