MemberVerify helps associations keep their member records accurate. Because that means handling your members' contact information, protecting it is core to what we do, not an afterthought. Here's how.
What we work with, and what we never touch
MemberVerify uses only the professional contact details of your members: name, work email, employer, job title, and work location, plus the corrections we suggest and a record of who approved each one.
We never request, collect, or store health or medical information, payment-card or financial data, Social Security or government ID numbers, member passwords, or donation history. Sensitive personal data is simply outside what our service needs, so we don't handle it.
Where your data lives
All customer data is stored and processed in the United States, on Render, an enterprise cloud platform whose security program is independently audited and certified. Render maintains:
- SOC 2 Type II and ISO 27001 certifications
- GDPR compliance and EU-US Data Privacy Framework certification (with UK and Swiss extensions)
- A HIPAA-eligible platform (we don't process health data, but the underlying platform meets that bar)
- Infrastructure running on AWS and GCP in US regions
- A public vulnerability-disclosure program and continuous security monitoring
Your data is encrypted in transit and at rest at every layer.
How we protect it
- Encryption everywhere. Your data is encrypted both in transit and at rest, and the credentials that connect us to your CRM get an additional layer of encryption on top.
- Strong access controls. Administrative access to your data is protected by two-factor authentication (authenticator app), so a stolen password alone can't get in, plus automatic lockout after repeated failed login attempts.
- Your data is walled off. Every customer's data is fully isolated. There's no shared pool, and no one outside your organization can access it.
- We never sell or share it. Your data is used for one purpose: keeping your records accurate. We never sell it, rent it, or add your members to anyone else's list.
- Minimal sharing with vetted providers. To verify a contact, we send only the minimum needed (name, employer, work-email domain) to established data providers, never your full database, and never sensitive fields. A current list of these providers is available on request.
We don't keep your data forever
- Automatic 30-day deletion. Your contact data is automatically and permanently deleted from our systems after 30 days. We don't maintain a standing copy of your membership.
- Delete on request. You can ask us to remove your data at any time.
- Full control, with undo. You decide whether high-confidence updates apply automatically or wait for your approval, and any applied change can be reversed within 30 days.
Accountability
- A secure audit trail records administrative and system actions.
- A written incident-response plan commits us to notifying affected customers within 72 hours of a confirmed data breach.
- The production database is backed up daily, with documented recovery procedures.
Compliance
- Our practices align with GDPR and CCPA privacy principles: data minimization, purpose limitation, and customer control.
- A Data Processing Agreement (DPA) is available on request. (Because we never handle health data, a HIPAA Business Associate Agreement isn't applicable, a DPA is the appropriate instrument.)