CivicPlus^® Statement on IT Security

CivicPlus is committed to the highest level of ongoing digital security and cybercrime protections. We continually monitor our customers’ digital properties and annually invest in our cybersecurity infrastructure, staff training, and software protection capabilities.

How to Submit Security Questions or Report a Concern and Guidance for Responsible Reporting

We appreciate and value our customers, partners, and the security research community—those who proactively and responsibly communicate with us to help maintain stringent security standards across our shared industry.

To protect our customers and systems, CivicPlus does not disclose or discuss security questions or concerns until we have conducted our internal research and evaluation.

By submitting a question or reporting a concern, you agree to abide by the following guidelines:

• Allow CivicPlus a reasonable timeframe to investigate and respond.
• To not publicly share reported information before CivicPlus provides a response and mitigation activities, if necessary.
• Make a good faith effort to avoid creating privacy infringement, destruction, or service disruption to CivicPlus applications or data.

We are committed to working with our customers, partners, and third parties to ensure the highest digital security level. We will act quickly to address all submissions within these guidelines.

We request that our customers, partners, and members of the media use the following secure channels to privately submit inquiries to our Information Security Team for their response:

Ongoing Risk Mitigation Efforts

We understand that there is an understandable concern about cybercrime. Please rest assured that we are confident our systems and infrastructure stringently safeguard our clients’ digital content.  

To mitigate the risk of the ongoing threats to our clients, our software and hosting solutions team have the following security controls and safeguards in place:

• All client websites are monitored 24/7/365. 
• An outside entity regularly performs system vulnerability assessments.
• We follow strict development practices, which include writing secure code that protects our software and websites from cross-site scripting (XSS), SQL Injection, and other means of unauthorized access.
• Our hosting is SOC 2 compliant.
• We leverage only PCI-compliant payment solutions.
• We consistently run third-party scans to mitigate security vulnerabilities.
• As we identify suspicious activities, we will actively protect our clients. Specifically, regarding questionable accounts, we are not allowing these accounts to be validated and are systematically deleting them on your behalf. Our clients require no further action.

As always, we welcome any questions and would be happy to discuss our security capabilities with you at any time. Please reach out to your Customer Success Manager for assistance.