Jennifer Garone, data security expert at Privacy by Design, and Bjorn Bjerkoe, CTO at Daxko, share hidden security risks nonprofits may not be aware of, the latest strategies for protecting against cyber threats, and Daxko’s approach to data security for nonprofits.

Guests

  • Jennifer Garone is an expert in security and privacy at Privacy by Design, previously Head of Privacy for Carnival Cruise Lines and data security expert at Microsoft.
  • Bjorn Bjerkoe is the Chief Technology Officer at Daxko.
  • Wendy White is the Chief Marketing Officer at Daxko.

Key Takeaways

4:11 – Trust is the Most Important Aspect of Data Security for Nonprofits

The most important thing about both of these concepts – privacy and security – which work together to form data protection, is trust. We want to trust our relationship with the people that we do business with.  

Our donors, employees, the volunteers – the people who actually come in and use your facilities – and our members. They don't want to have to think about the trusted relationship, but they still expect that if they give you information that you are going to use it in the manner to which they expect it to be used and that it won't be lost or stolen because of carelessness or misuse. So, trust is so important, and having good privacy and data protection processes and programs in place really goes a long way towards helping to have that trusted relationship.

“We want to trust our relationship with the people that we do business with,” says Garone.

20:01 – Follow Best Practices and Prepare for Emergencies

As I said, make sure that your staff and volunteers are trained. Make it part of onboarding and repeat it every year. I'm sure there are some great resources where you can get training. Have a privacy policy and a notice that you abide by. A lot of companies have a privacy notice on their websites. Make sure that you're following yours. It's a good idea. Make sure you restrict access to data. Not everyone needs to have access to all the data. Know where your data is going, especially if you're processing the personal information of children.  

If you have members and their children, this brings higher obligations. You need to get consent in order to process their information. Make sure you have an incident response plan. When something goes wrong, you need to be prepared to know who to call, how you're going to call them, and what you're going to do. Do you shut down systems? We had drills to ensure we knew what was happening with the ship. That's a massive thing, but you do have events and such to consider.

“When something goes wrong, you need to be prepared,” says Garone.

25:30 – Commit to Being a Lifelong Learner

One of the big takeaways for me is that privacy and security is a very broad and deep topic, and it's an ever-evolving landscape. What we learn here today is a high-level overview. We won't be able to get into all the details of this right now. We have to commit ourselves to being lifelong learners in the space of privacy and security because the threats are getting more complex, and they're evolving. People are changing, and the concept of social engineering is changing the world.  

It's a whole different approach. I find it significant that Jen called out the concept of linking data together to create next-level insights about people. These are things we maybe weren't thinking about as much 10 years ago, but the space is evolving. We need to become more intelligent about how we address security and privacy within our areas of responsibility, to ensure that trust does not erode and that we follow through on our obligation to be accountable for the information of our members and associations.

Full Transcript

Wendy: (00:21)

Ok. Good morning and welcome everybody to the Data Security Essentials webinar. This is Wendy White. I am the Chief Marketing Officer of Daxko and also have come from a long history of technology. Infrastructure and security is one of my favorite topics as a CMO. I can tell you that having a data breach or having a security issue with your product is not great for your brand, it’s not good for your customers, not good for your company. So, security is an area that I’m very interested in and take very seriously.

Wendy: (00:56)

Next slide please. I’m super happy to be joined today by Jennifer Garone. Jennifer is an expert in security and privacy, most recently Head of Privacy for Carnival Cruise Lines. But for about 10 years before that, a leading privacy and data security expert at Microsoft. And my own best bud here at Daxko, Bjorn Bjerkoe, who is our Chief Technology Officer. He’s got great insight into how we at Daxko are working to help keep our customers’ data secure and help safeguard their businesses. So, with that next slide, I would love to hand it over to Jen and let her take you through the landscape.

Jennifer: (1:46)

Great. Thank you so much. First, thank you so much for having me today and for that warm welcome. I just also want to let everybody know that I've also been on the board of small nonprofits and also volunteer in my community. I was on the board of National Charity League or local chapter for a very long time. So, I have a lot of experience in both the commercial as well as nonprofit space.

Jennifer: (2:15)

So, I come here today to talk from that, you know both perspectives. Some of the things that we'd like to talk today about are really important and not always top of mind for people who do what you do. Privacy is about, you know, there's many different definitions of privacy. Of course, we have your typical notion of the right to privacy in your home, the right to privacy of your personal information, the right for privacy from the government, you know, so that there's not prying eyes. What we're talking about today, though, is privacy of how you use information. If I say this is how you can use my information, this is how we're going to use your information. Security is the protection of information. It is to ensure that it is not lost, stolen, otherwise misused. You could certainly have it, you cannot have it.

Jennifer: (3:21)

There are 10 principles of privacy, ok? And one of them is security, because you can't keep data private if you don't have security. But there's a lot of security that can happen and violating privacy, you know, that's a lot of what privacy advocates call for. Why they object to governments having access to data and stuff like that. Meanwhile, in some parts of the world, it's the government who has unfettered access to data, whereas they want to crack down on commercial entities. So, it is interesting, given the genesis of where privacy comes from out of World War 2. Next slide please, and feel free to ask questions in the chat at any time.

Jennifer: (4:11)

The most important thing though about both of these concepts, privacy and security, which really work together to form data protection, is trust. We want to trust our relationship with the people that we do business with. Our donors, employees, the volunteers – the people who actually come in and use your facilities – and our members. They don't want to have to think about the trusted relationship, but they still expect that if they give you information that you are going to use it in the manner to which they expect it to be used and that it won't be lost or stolen because of carelessness or misuse. So, trust is so important, and having good privacy and data protection processes and programs in place really go a long way towards helping to have that trusted relationship.

Jennifer: (5:15)

So, what is personal information? Many different states are starting to have privacy laws. In the past, it was sectoral privacy laws. Data protection like HIPAA is not just about privacy, it is about security and the electronic health records that come with that. But it's everything from your name, from your first and last name, and that's a low, low impact personal piece of personal information. If it's lost to your date of birth, which in the state of Washington, if that is lost and North Dakota, that is notifiable to the person whose date of birth was breached, to religious affiliation and of course everybody's favorite social security number. But there's different laws and requirements based upon all these different things.

Jennifer: (6:06)

There's also this notion that's coming into place where it's not just about having one piece of information, it is about linking together information. So, if you look at the four, you know, speakers, right? We have Wendy, Bjorn, and myself. Now without saying anything, there is a person who is not wearing glasses and immediately you know who it is. Or there's a female wearing glasses and you immediately know who it is. And so that's the notion of linking information to be able to form a profile to identify somebody. So, we really need to be very careful about how we collect, store, process, share this personal information. Next slide please.

Jennifer: (6:58)

Every day there is a data breach happening. Some are small such as sending an e-mail with personal information to the wrong recipient, to a ransomware attack like the YMCA of Charlotte faced, to an online hack like Goodwill faced, or when you have a service provider such as the one down in Florida who was hacked. These are some big expensive breaches.  

Jennifer: (7:32)

When I worked at Carnival, I started there in 2018. About six weeks after I started there was a breach. It was a vendor. They had left a port open in an online CRM database to be able to do some testing while they were at home, and that got breached and there was a ransomware attack. So, two phishing attacks. Carnival has been subject to at least three phishing attacks since I started there that we knew about. And those are very, very expensive things.

Jennifer: (8:12)

Our event in March of 2019, Carnival spent over $25,000,000, including fines and legal fees and notification fees and the like. So, that was a big company, right? So, you guys, being nonprofits doesn't change your risk pattern. You are still at risk of being attacked as the target of a phishing attack. You might not lose as much information, but it will still wreak havoc with your budget if you get breached.

Jennifer: (8:52)

And so there are very simple things that can be done in order for you to ensure that you're not breached. And we really want to give you some suggestions. I have on here you see that snippet of Have I Been Pwned. You can go to that website, by the way, and enter your e-mail address, any e-mail address you want, and you could see where that e-mail address has been part of a breach. I do it once in a while just for fun. I have a bunch of e-mail addresses, but it's a good way to see if you need to change your e-mail addresses. Do you maybe need to change your passwords and the like?

Jennifer: (9:32)

But you know, I hate to say it, but nonprofits are not immune from being hacked and from losing data. Now I did see some facts the other day that did show that the numbers are going down or the trend is going down, but that doesn't mean that you should be sitting back and just saying, oh, I can't think about whether or not I'm going to send some data securely. I'm just going to attach it to this e-mail and send it unencrypted. That puts you at risk, so always be mindful of it. Next slide please.  

Jennifer: (10:10)

So, what I just want to talk at a high level about some of the key aspects, but I think one of the most important ones on this slide is the one in the bottom right corner, accountability. We can give, you know, give notice, have a privacy notice on our websites, follow CAN-SPAM when we're sending emails, stuff like that, making sure that we only use information in the way that we've been given permission as outlined in our notice or we've been given consent. For example, you can't send a text message without opt-in consent. Otherwise, that could be a legal issue. So there's a lot of different things that you could do.

Jennifer: (10:54)

Data quality, you can see, is one of the more used to be to me, one of the more nebulous things about data protection. But it's actually increased because with data quality, if you don't have good data quality, you can't leverage that information to get more donors or to serve your population. So, having good data and making sure that you have things spelled correctly and in the right e-mail addresses and the right consent it's stored and the like is really important.

Jennifer: (11:31)

But accountability at the end of the day is really the big thing. We all need to ensure that when we have new people who join us on our teams that they're aware of what your ethics are and how you want them to handle data. I worked at a big bank a long time ago before I was in privacy and I remember we had a hockey player who had accounts. And you know somebody said, hey come here, I want to show you where so and so keeps all their money. Can you believe they're just keeping it in a savings account? And they showed it to us and I was like ok, that's a lack of accountability. That probably was the first thing that started me to think about getting into data protection.

Jennifer: (12:24)

But that needs to come from leadership to say we don't do that. We don't go and look up members in our databases without having a clear business purpose. We make sure that only people who have a business purpose have access to information. We ensure that we get rid of data that we no longer need.

Jennifer: (12:48)

One of my favorite examples is that I was talking with the marketing people at my prior company and they like to keep data about former passengers for a very long time. So, I said, why don't you pull up this person and let's see when's the last time they sailed with us? And we did. And it showed that they had last sailed in 2005. And I said, ok, so why won't you delete somebody like that? Because they haven't sailed with us in 10 years, almost 20 years. And they're like, Oh, well, you know, they might sail again. I said, but they won't. She died. She died in 2007.

Jennifer: (13:27)

And so you need to have good retention policies in place so that you know when somebody is no longer going to be a customer of yours and the person I'm talking about is my mother. I do like to give this example and because it is the ultimate that people like to hold on to information for a very long time because they think there might be a value. But you need to have clear expectations about when's the last time they actually bought from you, did they move, are they deceased? There are so many different things. Having that data just hanging around could lead to you losing it or having a breach and that is less optimal than just deleting it when you no longer need it. So, these are the types of accountability measures that you need to have in place to ensure that you are having that trusting relationship with your user population. Next slide please.

Jennifer: (14:36)

The risk that we all face with the processing of personal information and other things is high. There's reputational risk. Clorox had a breach recently and they're seeing hits to their stock price. There's evidence that shows that when somebody's breached that they lose customers. There's financial cost, right? I told you about some of the breaches that we've had at my prior employer. I would say that in total we probably spent $75 million during a period when we were making no money because we were shut down because of COVID. Those are real implications. Now the likelihood of that has gone down because they've increased their technology, they've spent more money and stuff like that. But if they had been proactive, they probably wouldn't have had to.

Jennifer: (15:33)

They had a real technology deficit and were trying to lean on human cost as far as people to look at alerts and stuff like that. And they ended up having to pay fines to regulators. 46 state attorney generals and the New York State Department of Financial Services fined Carnival for their practices. And so, these are risks that they were willing to take. Other companies and other entities, they accept the same risk. Google is notorious for that, whereas Microsoft, they like to be more proactive and mitigate those risks. So, there's different approaches that you can take. But sometimes, what's the old saying? An ounce of prevention is worth a pound of cure.

Jennifer: (16:27)

And I really like to emphasize that there are simple steps that can be taken. You know when we had our breach for one of our big phishing breaches, we found a lot of spreadsheets in emails that were not password protected. The simple act of encrypting an e-mail in Outlook. And you know there's different tools that allow you to easily just encrypt an e-mail or password protect an attachment like where the password is not actually in the e-mail. That e-mail does not have to be counted towards a breach. There are simple, simple steps that we can all take to prevent risks from these risks that can happen to all of us. Next slide please.

Jennifer: (17:25)

I'm not going to do a deep dive into this, but a lot of states are regulating based on the size of the entity. Some have a much lower threshold for the size of an entity, and they still have expectations about how you're going to handle it. California was our forefather, our founding father as far as privacy regulations go. Now, there are probably many states that have regulations, and they're all based on the same principles. Those notions that I had on slide 22 slides ago, which are notice, choice, consent, accountability, stuff like that. If you have a website, for example, and you're dropping cookies, you need to be clear about where the data you collect through those cookies is going. So, there are a lot of states now that are further beyond this.  

Jennifer: (18:21)

And Washington state actually has a healthcare law that is directly about privacy. It's in response to the Dobbs decision by the Supreme Court last year about healthcare privacy, and it brings into account a lot of different people now at Carnival. They were not subject to HIPAA, except for some specific things like clinics on ships and an office here in Seattle. But some of the things in the Washington healthcare law we were looking at closely because we needed to be sure that, even though we're not subject to HIPAA and the ships were flagged in the Netherlands, for example, for Holland America or Bermuda, there were still aspects of that law that we needed to look at closely. So, you might want to take a look and see where you might want to think about, even if you're not in scope. For example, a lot of them say you need to have $25,000,000 or more in revenue in the state and blah blah blah.

Jennifer: (19:28)

It's still good practice for you to establish trust. I probably wouldn't want to do business with a nonprofit that doesn't protect my personal information in the same way that I would protect my own. We're going to share some of these slides with you so that you can have a high-level understanding.  

Jennifer: (20:01)

As I said, make sure that your staff and volunteers are trained. Make it part of onboarding and repeat it every year. I'm sure there are some great resources where you can get training. Have a privacy policy and a notice that you abide by. A lot of companies have a privacy notice on their websites. Make sure that you're following yours. It's a good idea. Make sure you restrict access to data. Not everyone needs to have access to all the data. Know where your data is going, especially if you're processing the personal information of children.  

Jennifer: (20:42)

If you have members and their children, this brings higher obligations. You need to get consent in order to process their information. Make sure you have an incident response plan. When something goes wrong, you need to be prepared to know who to call, how you're going to call them, and what you're going to do. Do you shut down systems? We had drills to ensure we knew what was happening with the ship. That's a massive thing, but you do have events and such to consider.

Jennifer: (21:18)

You need to be prepared, like MGM Grand in Vegas. They had a breach and had to manually check in people because they did not have access to their systems. Are you prepared to do that? If your computers don't work and you have someone in front of you who wants to take swimming lessons, but their card doesn't work because you've had a breach, what are you going to do? Have you thought about that? Maybe you should spend some time thinking about it. And again, always use a secure file transfer method.

Jennifer: (21:51)

Don't email personal information that isn't encrypted or doesn't have a password. And never send the password in the same email. We like to always use a standard password, like the ship name and date or port name and date, so that you don't have to send it via email, which ruins the protection. So, thank you very much. If you have any questions, I will be staying on to answer them. Thank you.

Wendy: (22:32)

We’re skipping through these best practices slides. So, are we going to skip past those to Bjorn?

Bjorn: (22:37)

Yes, please.

Wendy: (22:38)

Let's move ahead then, Sara. Alright. While we are doing that, we will take some questions at the end. So please feel free to think about your questions for Jen. They can be specific as well, so drop them in. And I will say, Jen, the emailing of PII, as a marketing executive, is one issue I have encountered in almost every team I've ever managed. It's because people don't always understand what PII could be, something as simple as your email address, for example, in some states. That really caught me when you were speaking, because I've seen it in my day job. And I can 100% guarantee that probably everyone on the call has seen it too. "Oh, send me over that program registration. Send me this file or that file." I don't think folks have quite realized the risk they're putting themselves at.

Jennifer: (23:35)

And yes, you're right. One of the best practices I mentioned was about data minimization. You can send over a spreadsheet with low-risk information like first name, last name, maybe email address or zip code. Once you start adding sensitive information that you don't need to be sending, that's when it becomes really bad. I have seen many spreadsheets where marketers ask me if it's okay to send this file to a third party. I always ask, "Why are you sending that information? Is that piece of information relevant for the purposes for which you're sharing it?" And they realize it's not necessary and take it out.

Jennifer: (24:23)

I'm a reformed marketer, having spent the first 10 years of my career in direct marketing. I'm fully aware of the value of data for generating responses, sales, and donations. It's not that I don't come at it from a business mindset, but sometimes we need to stop and ask, "Do I really need to send that?" Often, the answer is no. So, thank you, Wendy.

Wendy: (24:55)

You’re welcome. Alright. One of the points Jen mentioned in her talk was how Carnival significantly improved their technology posture around data and security. I thought it would be beneficial to complement Jen's chat today by inviting Bjorn to discuss how we are helping our customers ensure a secure data posture and protect their data. So, I'll turn it over to Bjorn, and he'll talk you through a little bit about what Daxko is doing.

Bjorn: (25:23)

Yeah, thanks Wendy. I just wanted to quickly comment on a few things that Jen talked about. One of the big takeaways for me is that privacy and security is a very broad and deep topic, and it's an ever-evolving landscape. What we learn here today is a high-level overview. We won't be able to get into all the details of this right now. We have to commit ourselves to being lifelong learners in the space of privacy and security because the threats are getting more complex, and they're evolving. People are changing, and the concept of social engineering is changing the world.

Bjorn: (26:01)

It's a whole different approach. I find it significant that Jen called out the concept of linking data together to create next-level insights about people. These are things we maybe weren't thinking about as much 10 years ago, but the space is evolving. We need to become more intelligent about how we address security and privacy within our areas of responsibility, to ensure that trust does not erode and that we follow through on our obligation to be accountable for the information of our members and associations.

Bjorn: (26:45)

Obviously, when you put your data in the hands of Daxko, we must be accountable for it and we take that very seriously. I am excited to talk to you a bit about how we think about safeguarding your data at Daxko. While I can't cover everything, I want to give you a high-level overview of our approach to ensuring the security of your data. We take this responsibility extremely seriously and feel a deep obligation to ensure that your data is secure with us.

Bjorn: (27:10)

Let me start by talking about data in general. Data is at the very heart of everything we do across the different entities we are responsible for. Think about the services you're offering and the experiences you're trying to create. As we use this data and find innovative ways of working with it, we ultimately find ourselves inventing new things and shaping the future we want to create within our associations. How we treat that data and how seriously we safeguard it is absolutely critical to the operations of everything we do here at Daxko, as well as everything you do at your association.

Bjorn: (27:58)

In the spirit of obligation, we at Daxko are laser-focused on three guiding principles that we consider non-negotiable. First and foremost is security. As Jen discussed, your data must be secured at all times and in all places. We think about data in its various states. Data exists at rest when it's not in motion, not traveling between devices or networks, and is just sitting there. It must be secure at rest. Also, we consider data in transit, when it's moving from one point to another. It must stay secure while in transit. And then, data in use, when it's being accessed, processed, or updated by a user, process, or service. We secure data in all of its states using various mechanisms. These include firewalls, authentication, authorization, backups, resiliency, encryption, etc. These measures allow us to secure the various elements of data within the Daxko ecosystem in its different states. That's our number one guiding principle: doing everything we can to ensure it's secure in all of its states.  

Bjorn: (29:21)

The second guiding principle is access. Data must be accessible. If data is inaccessible, what's the point in having it? We need to have access to that data. As Jen pointed out, access should be restricted to those who need it, but it should still be easy. We build our software, processes, policies, and restrictions in such a way that it's secure yet still remains easily accessible for those who need it to do their jobs. That is a critical guiding principle as it relates to managing and safeguarding your data. The third guiding principle, and certainly not the least, is that your data needs to stay under your control. You retain full control over how it's accessed, what is accessed, and who is accessing it. Thus, we emphasize the importance of you staying in control.

Bjorn: (30:17)

The data must be secure, must be accessible for the purposes for which we are gathering it in a secure fashion, and must remain under your control. These are the guiding principles we live by at Daxko as we safeguard your data. We've talked about how we're doing this in terms of physical and virtual security, including firewalls, backups, resilience, encryption, and so forth. When working with partners, as your data flows between systems, we need to ensure these principles are upheld.  

Bjorn: (30:53)

To achieve this, we've developed a platform called the Daxko Exchange. It's a robust partner management platform built on API Gateway technology, allowing us to enforce security protocols and access parameters under your direct control. This platform gives us additional abilities to manage the flow of data as you would want. The first ability we get through this platform is to limit what endpoints a partner is allowed to access. It provides limiting capabilities to specify which data is sent to which partner. For example, sending one piece of data to one partner, three pieces to another, and ten pieces to yet another partner.

Bjorn: (31:42)

If at any point you are unhappy with how your data is being used, we can turn it off. We create restrictions that allow us to limit and control how your data is accessed, and this control is in your hands. The second thing this platform allows us to do is monitor everything. We track what data is going where, who is accessing what, and if someone is accessing too much or doing something unexpected. The level of monitoring built into this platform ensures we know everything that's happening with your data as you work with partners. We have the ability to limit and monitor, and the third capability this platform provides, based on our guiding principles of secure access and control, is throttling.  

Bjorn: (32:45)

When dealing with data, the ability to throttle the flow is essential. Sometimes a partner may try to pull too much data or do so too frequently, which can negatively impact your platform or have downstream effects throughout your system. Having the ability to throttle the throughput or flow of data is critical when managing partners and a partner platform.

Bjorn: (33:17)

Beyond our guiding principles, we add three more layers of control to ensure that your data is safeguarded to the highest degree possible. To date, we have 104 partners on this platform, some of which may be familiar to you, as seen on the screen. Each partner has been vetted and agreed to adhere to Daxko's data sharing standards. This includes a signed agreement with you and the partner that grants them access to the data but also prevents them from sharing or selling the data once they've received it, which is crucial.

Bjorn: (34:01)

Furthermore, each partner agrees to use standard data encryption practices while working with your data. So, what does this look like in practice? I want to make it clear that this is available to everyone on a Daxko platform. If you want access to the Daxko Exchange, let us know. There's a login ready for you to use. Some of you may already be using this. When you log into the Daxko Exchange, you'll see what looks like a marketplace or an App Store, showing the different partnerships within your ecosystem.

Bjorn: (34:48)

In this example, you see Jim Pass, Daxko Data Cleansing, and the Alaris and Y 360 integrations, all of which are active. If you want to know more about one of these integrations, for instance, Alaris, you simply click on it to see what the Alaris integration entails. You'll get all the information about Alaris: who they are, what they do, and what data elements they are accessing. If you're unhappy with any aspect of this and don't want it to work the way it's currently set up, we can turn these off. For example, if you didn't realize the Alaris integration was active and want to disable it, or even within the Alaris integration, you might decide you don't want to send schedule information to Alaris and choose to turn that off.

Bjorn: (35:42)

So again, you have control right at your fingertips to manage partnerships as you see fit. Let's return to the landing page and scroll down a bit. As you do, within the Daxko Exchange, you'll come across integrations and partners that are not active in your ecosystem, such as EPAC, Weld Motion Vibe, and others. These integrations or partners might be ones you're not currently doing business with, but you can explore them in the spirit of a marketplace or an App Store. By clicking on those that are not active, you can gather more information about them. For instance, if we click on Weld, a screen pops up providing all the information about Weld: who they are, what data they want access to, and what they would be doing within your system. You can explore this information, and as you scroll to the bottom, it provides a comprehensive overview of the exact data that Weld would access in your system, such as demographics, check-ins, membership conversions, and more.

Bjorn: (36:43)

You might find that you like what Weld is offering and are comfortable with them accessing certain data elements. If you want to activate this integration, it's as simple as making a phone call to Daxko. All of this is at your fingertips, allowing you to control the flow of data with partners as you see fit and ensuring nothing goes in or out of your system without your consent.

Bjorn: (37:08)

Let's bring this full circle: secure access control. It's your data, and you're in control. At Daxko, we take our obligation extremely seriously. While I can't cover everything in a security and privacy session, we have authored a security white paper that covers all the topics discussed today, along with other best practices in information security, risk management, compliance, data ownership, stewardship, and software system security architecture. As we build software, we are embedding security into it from the foundation, reflecting a security mindset from the start. This security white paper will be shared with you, giving a deeper insight into how we approach security at Daxko. Lastly, I want to assure you that the Daxko team is here to help.

Bjorn: (38:23)

If you need help with security data or have any questions, please don't hesitate to reach out to us. We're here to help. We have teams dedicated to ensuring that these guiding principles and various practices are adhered to and enforced here at Daxko. We would love to assist you on your journey as well. Thank you for your time and for listening to us today.

Wendy: (38:44)

Thank you so much. I'm excited to see so much about our Daxko Exchange partners and to hear the emphasis on the fact that the Y remains in control of their data. Their data is their data, and it's our role to safeguard it. I just want to reiterate that message. If you have a question, please feel free to pop it into the chat now. Bjorn has mentioned he's here to help. Also, Jen has recently started a consulting practice, so if anyone wants her contact information, we're happy to provide it.

Wendy: (39:29)

This is your last chance to ask any questions today before we send off some best practices and the security paper immediately following this webinar. Just drop your question in the chat, or you can use the hand raise feature to speak directly into the webinar. We'll happily bring you onto the screen.

Jennifer: (39:51)

I'm also happy to go back and do the best practices slides. I just wanted to be sure that we had enough time for everybody. So, if we'd like to do that, we can, or if we want to give people back time in their day, that's also good as well.

Wendy: (40:04)

We'll send out the security white paper along with the slide deck so you can read them and reach out with any questions. It doesn't seem like anyone's raising their hand to ask a question. Oh, there's a comment mentioning Squarespace hosting a website and Daxko being displayed using an iframe. Thank you for that information. I'm not sure if that's a question or just a statement, but if you need guidance on embedding Squarespace, that's an interesting topic we can discuss.

Jennifer: (40:37)

They have common terms that they give to everybody. If you were a large company, you might be able to negotiate, but typically in an environment like this, for example, I have worked with and for some very large companies, and there are just certain companies you can't negotiate with or vet. It would probably be difficult for you to do that with Squarespace. However, you could ask Squarespace to ensure there's a place for you to put your own privacy notice on the page, as it's you who are collecting the data, not Squarespace. Another option is to ask them for their ISO certifications and other cybersecurity credentials. They probably also have a trust center online where you can vet these. Companies like Squarespace often provide the tools you need to be compliant and do your own research. Are you comfortable with them?

Wendy: (41:54)

I'm going to suggest an alternative to that. You may not know that Daxko can host and manage your website. When you opt for this, you get access to a library of Daxko plugins that display information from Daxko OPS directly onto your website. This could be a good alternative for you, and we're happy to talk to you about it and help you out. Moving on to the next question about credit card processors other than Daxko.

Bjorn: (42:37)

Just to clarify regarding the question about the Daxko Exchange, I understand there might be some confusion because I used the term "vetted" in relation to our partner program. Squarespace would not be consuming data directly from Daxko ecosystems to host your website. Therefore, in the context of the Daxko Exchange ecosystems, Squarespace would not need to be vetted as a partner.

Wendy: (42:48)

Yep, yep, yep.

Bjorn: (42:49)

Life itself is embedded within there is secured.

Wendy: (42:54)

Yeah. I suggested alternatives to using a generic platform like Squarespace for hosting websites, which might be something to consider. Moving on to the next question, which is really suited for you, Jen. It's about selecting credit card processors. The question is: What sort of questions should we ask any vendor, including a credit card processor, about data security? And Bjorn, if you could also weigh in a bit about PCI compliance as well. What are the key questions to ask a vendor about data security?

Jennifer: (43:29)

When it comes to selecting a credit card processor, there are several important questions to ask. The primary one is: Are they PCI compliant, and can they provide certifications to prove it? Choosing a reputable processor is also crucial. Opt for a well-known name like Square or one of the big banks, especially if you don't have the time or resources for a full third-party risk management program. Asking about PCI compliance is probably the easiest and most direct way to assess their data security standards.

Bjorn: (44:10)

Yeah, I mean, that would be my same answer, because compliance is a full-blown regulatory process that they're going to have to go through, where they have addressed all the potential concerns that may exist within the world of credit card processing. So, you can ask for their certificate of compliance, and as long as you can receive that from them, they should be a vetted third party that is appropriate to do business with.

Wendy: (44:39)

Yep, very good.

Bjorn: (44:40)

If they cannot produce a certificate of compliance, then you should definitely not do business with them.

Wendy: (44:45)

Yeah. Walk away. Alright. Last thoughts. Anybody have additional questions? Nope.

Bjorn: (44:57)

Looks like we've got one in the queue. It's in a different section. It's not in the chat, but it's in the Q&A.

Wendy: (45:04)

Oh, OK. I see it over there. Are there any security recommendations that you can offer in regards to using credit card readers with Daxko Operations?

Bjorn: (45:19)

I mean, again, those readers would be communicating, should be communicating, through a PCI-compliant third party, whether that's us or whoever you're doing business with.

Wendy: (45:32)

The answer here really relates to the tokenization of the credit card reader back to our system. There's a good opportunity to consult with our payments team about which credit card processors are integrated into the Daxko payments system and ensure they're part of our ecosystem. You can quickly reach out to our support team to confirm this.

Bjorn: (46:08)

Agreed.

Wendy: (46:10)

Yep, and look at that. I had some answers here on the Q&A on this topic with our experts. Ok. I want to say thank you again to Jen and Bjorn for taking the time today. We will be sending out the webinar, the best practices, and the data security white paper to the group after this call. I really want to thank everyone for your time. Have a great afternoon.

Jennifer: (46:38)

Thank you.

Bjorn: (46:39)

Thank you.

Jennifer: (46:40)

Bye, bye.

Wendy: (46:48)

Alright, thanks, Jen.

Jennifer: (46:51)

Thank you. Thanks for having me.
