Donorfy Security

We're serious about security.

Security is as important to us as it is to you.

This page describes the measures we take to ensure that Donorfy is a secure place for your data.

Donorfy holds the ISO 27001 and 9001 standards. This provides independent verification of our security measures and processes.

Security and data protection go hand-in-hand. Click here for the Data Protection page.

Security (2)

Solution Architecture

Donorfy is Software-as-a-Service, running on Microsoft Azure’s Platform-as-a-Service (read more) which securely:

  • hosts and delivers the software - which means the Donorfy web app, Forms, the API, the Data Service etc
  • hosts the data

Microsoft Azure is a global cloud computing service. It has a network of data centres. Donorfy is hosted in the North Europe data centre, which is located in Dublin, Republic of Ireland.

Enterprise clients can choose the data centre in which they would like their data to reside “at rest”. Regardless of the data residency, it is still processed by the software in the North Europe data centre.

Using the Azure platform means Donorfy is protected by Microsoft Defender for Cloud - this means Donorfy is continually monitored to detect unusual and potentially suspicious activity and risks can be Identified and suitable recommendations made.

Organisational and personnel

Donorfy Security Group

We believe that security is not just the responsibility of the product development team, it is company-wide. Therefore we have established a cross-functional Security Group that meets quarterly to review security as a whole, discuss new developments and plan their implementation if appropriate.

Cyber insurance

Donorfy Ltd is covered by cyber insurance from Hiscox.


Donorfy team members have to undergo security training from CyberClear Academy.

Access to the infrastructure

Access to the SaaS / PaaS infrastructure is provided to appropriate personnel, and is protected by Two-Factor Authentication and IP filtering.


Physical security

As would be expected from one the leading global cloud hosts, Microsoft have comprehensive measures in place to secure all of their data centres from physical as well as electronic intrusion. This includes access request and approval protocols; perimeter and building access controls; biometric authentication; time-limited visits; full-body scanning and zoned access areas. Read more.



Encryption of data at rest

Donorfy employs Transparent Data Encryption (read more) , which is a feature of the Azure SQL database in which Donorfy data is stored. This extends to backed up data too.

Encryption of data in transit

Donorfy uses the https, otherwise known as Secure Sockets Layer (read more) to encrypt data in transit - for example between the browser and the Donorfy web app.


Security features in the Donorfy app

Donorfy contains numerous safeguards to enhance its security. These include:

  • HTTP response headers are optimised to provide a high level of protection, achieving an 'A' rating on the independent security site
  • Donorfy notifies users of logins from previously unknown locations. This enables you to take necessary action (eg. changing passwords) should you suspect a rogue login.
  • Two-Factor Authentication.
  • Automated sign-out after an hour’s inactivity.
  • Users of the app are assigned an account type which governs the data that can be seen, retrieved and downloaded.
  • Donorfy Forms and donation widgets are protected by Google reCAPTCHA v3 and IP filtering, which together provide an effective defence for card testing and bots. Forms automatically block IPs if multiple repeat attempts at submitting them are identified in a short space of time.
  • No payment card or bank details are stored in Donorfy, We store tokens instead, with the card and account details held by the payment processors Stripe, PayPal and GoCardless.
  • The Donorfy API and Data Service are IP filtered.
  • HTML sanitisation - Donorfy checks uploaded content for potentially malicious content, such as the <code>, <object>, <embed> and <link> tags, and removes them accordingly. This prevents malicious code from being injected and subsequently executed.

The Donorfy Security Centre

The Security Centre promotes good practice by highlighting areas of potential weakness in the client’s configuration of Donorfy. A security rating is provided along with tips on how to improve it.

donorfy security centre


Software development

Donorfy is developed and tested according to the standards of the Open Web Application Security Project (OWASP). 


Anti-virus and malware

Files, documents, email attachments and so on are scanned as they are uploaded to check for viruses and malware.



The data in your Donorfy about constituents, transactions, activities and so on is backed up several times an hour. Multiple copies of the backups are made with copies also being stored in a different data centre - this helps protect your data from failures.


Compliance standards and certifications

Microsoft Azure has many compliance certifications including the information security standard ISO 27001. The full list of certifications can be viewed here.

Pen Testing

Penetration (pen for short) testing is an authorised attempt to hack a computer system with the objective of evaluating the system’s security and identifying security vulnerabilities so that they can be fixed.

Donorfy pen testing

We periodically commission pen testing on the entire Donorfy solution. We use a variety of pen test agencies to do this, and implement recommendations from their reports accordingly. If you’d like to know more about this please click on the button below to request more info. You will be asked to accept our non-disclosure agreement.

View full features list

Check out all the features included in Donorfy and how we support you to do more of what matters.