Faith, Hope and Love Community, Inc. ("FHL Community") operates DBA ("United Food Missions") unitedfoodmissions.org or (UFM) and fhlcommunity.org and may operate other websites. It is United Food Missions a division of Faith Hope and Love and FHL Community's policy to respect your privacy regarding any information we may collect while operating our websites.
Like most website operators, FHL Community collects non-personally-identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. UFM and FHL Community's purpose in collecting non-personally identifying information is to better understand how UFM and FHL Community's visitors use its website. From time to time, UFM and FHL Community may release non-personally-identifying information in the aggregate, e.g., by publishing a report on trends in the usage of its website.
UFM and FHL Community also collects potentially personally-identifying information like Internet Protocol (IP) addresses for logged in users and for users leaving comments on unitedfoodmissions.org and fhlcommunity.org blogs/sites. UFM and FHL Community only discloses logged in user and commenter IP addresses under the same circumstances that it uses and discloses personally-identifying information as described below, except that commenter IP addresses and email addresses are visible and disclosed to the administrators of the blog/site where the comment was left.
GATHERING OF PERSONALLY-IDENTIFYING INFORMATION
Certain visitors to UFM and FHL Community's websites choose to interact with FHL Community in ways that require FHL Community to gather personally-identifying information. The amount and type of information that FHL Community gathers depends on the nature of the interaction. For example, we ask visitors who sign up at unitedfoodmissions.org to provide a username and email address. Those who engage in transactions with FHL Community and unitedfoodmissions.org are asked to provide additional information, including as necessary the personal and financial information required to process those transactions. In each case, UFM and FHL Community collects such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor's interaction with UFM and FHL Community. UFM and FHL Community does not disclose personally-identifying information other than as described below. And visitors can always refuse to supply personally-identifying information, with the caveat that it may prevent them from engaging in certain website-related activities.
UFM and FHL Community may collect statistics about the behavior of visitors to its websites. UFM and FHL Community may display this information publicly or provide it to others. However, UFM and FHL Community does not disclose personally-identifying information other than as described below.
PROTECTION OF CERTAIN PERSONALLY-IDENTIFYING INFORMATION
UFM and FHL Community discloses potentially personally-identifying and personally-identifying information only to those of its employees, contractors and affiliated organizations that (i) need to know that information in order to process it on UFM and FHL Community's behalf or to provide services available at UFM and FHL Community's websites, and (ii) that have agreed not to disclose it to others. Some of those employees, contractors and affiliated organizations may be located outside of your home country; by using FHL Community's websites, you consent to the transfer of such information to them. UFM and FHL Community will not rent or sell potentially personally-identifying and personally-identifying information to anyone. Other than to its employees, contractors and affiliated organizations, as described above, FHL Community discloses potentially personally-identifying and personally-identifying information only in response to a subpoena, court order or other governmental request, or when UFM and FHL Community believes in good faith that disclosure is reasonably necessary to protect the property or rights of UFM and FHL Community, third parties or the public at large. If you are a registered user of an UFM and FHL Community website and have supplied your email address, UFM and FHL Community may occasionally send you an email to tell you about new features, solicit your feedback, or just keep you up to date with what's going on with UFM and FHL Community and our products. If you send us a request (for example via email or via one of our feedback mechanisms), we reserve the right to publish it in order to help us clarify or respond to your request or to help us support other users. UFM and FHL Community takes all measures reasonably necessary to protect against the unauthorized access, use, alteration or destruction of potentially personally-identifying and personally-identifying information.
LOGGING AND COOKIE MANAGEMENT
All key actions on the application are centrally logged, audited and monitored. For instance, whenever our staff access an account for maintenance or support functions, such activities are logged so we can refer to them later.
If UFM or FHL Community, or substantially all of its assets, were acquired, or in the unlikely event that FHL Community goes out of business or enters bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of FHL Community may continue to use your personal information as set forth in this policy.
Our adaptive, forward-looking measures are our promise to you.
Dedicated security team
We have a dedicated information security team, responsible for securing the application, identifying vulnerabilities and responding to security events.
Data storage and processing locations
We store data in a US-based data center. In addition, we use multiple data processing locations including USA, Australia and Germany. We also use CloudFront at strategic AWS edge and regional locations as an external content delivery network for faster content caching. More on Amazon’s CloudFront can be found here: https://aws.amazon.com/cloudfront/features/
We have a suite of security guidelines with supporting procedures, which have been aligned with the ISO 27001 standard. Our security documentation is frequently reviewed and updated to reflect changes to our processes made in response to newly identified threats, as well as our commitment to continuous improvement.
We use the NIST Cyber Security Framework to measure our ability to identify, protect, detect, respond and recover from security events.
Awareness and training
All staff and contractors go through a vetting process where they are subject to background checks and confidentiality agreements.
We provide an ongoing program of security awareness training designed to keep all members of staff informed and vigilant of security risks. This includes regular assessment of comprehension to measure the program’s effectiveness.
We implement physical controls designed to prevent unauthorized access to, or disclosure of, customer data.
Data center controls
We only use state of the art data centers and cloud providers. Our data centers are monitored 24×7 for all aspects of operational security and performance. They are also equipped with state-of-the-art security such as biometrics, sensors for intrusion detection, keycards, and around-the-clock interior and exterior surveillance.
In addition, access is limited to authorized data center personnel; no one can enter the production area without prior clearance and an appropriate escort. Every data center employee undergoes background security checks.
Data center compliance
Our data center provider is certified to the following compliance standards: HIPAA, PCI-DSS, SOC 1 Type 2, SOC 2 Type 2, ISO 27001 and FISMA/NIST.
Our cloud provider has the following certifications: PCI-DSS, ISO 27001, SOC 1 / 2 / 3, IRAP, ISO 27018 and ISO 9001.
Our application has been designed with focus on security by leveraging OWASP-aligned security principles for software engineering, encryption technologies and security assurance.
Our infrastructure is subject to security benchmarking and monitoring so that we maintain or exceed industry security standards. We also use a combination of regular scheduled scans of our application, as well as bug bounty programs, to ensure that every area of our application has undergone rigorous security testing.
Our scheduled vulnerability assessment scans simulate a malicious user, while maintaining integrity and security of the application’s data and its availability. We also leverage the services of an external third party to perform a yearly penetration testing exercise against our platform to make sure we’ve got every angle covered.
We store each account’s data within a unique identifier, which is used to retrieve data via the application or the API. Each request is authenticated and logged.
SECURE CODE DEVELOPMENT
We follow industry best practices and standards such as OWASP and SANS. We have separate environments and databases for different stages of the application development. We do not use production data in our test and development environments.
To protect data we encrypt information in transit by supporting TLS 1.2. Data at rest is also encrypted using AES-256 encryption.
We put considerable effort into ensuring the integrity of sessions and authentication credentials by offering our customers the ability to protect their accounts using multi-factor authentication. Passwords storage and verification are based on a one-way encryption method, meaning passwords are stored using a strong salted hash. Email addresses are validated against a strong salted hash, stored along with the email.
The databases are further protected by access restrictions, and key information (including your password) is encrypted when stored. Data is either uploaded directly into the application using a web browser or uploaded via the API which uses secure transfer protocols.