Introduction

FreeWill protects the personal information of your donors from improper access and disclosure. As an initial matter, the donor information FreeWill receives does not come from our partners. 

 

At no point do FreeWill's estate planning or planned giving tools:

  • Access or integrate with the partner’s email database, donor database, or web systems
  • Integrate with IRA or brokerage accounts
  • Handle the transfer of funds

Instead, the only information about your donors that FreeWill receives is the information they choose to share with us themselves in the course of creating their free will and other documents - information like their name, the state they live in, and the people and causes they’d like to leave gifts to. Furthermore, FreeWill does not collect our users’ particularly sensitive information, such as credit card details, account passwords, or Health Information protected under the Health Insurance Portability and Accountability Act (HIPAA).  

 

The information FreeWill collects is never sold to third parties. It is only used (i) to provide our users the documents they choose to create and effectuate the gifts they wish to make; (ii) to inform our partners of gifts made to them by our users; (iii) in an aggregated, de-identified format for analytics, benchmarking, and other business purposes (such as charitable trend analyses); and (iv) otherwise with the user’s notice and consent.

Safeguards

FreeWill takes data security very seriously.  We maintain appropriate administrative, technical, and physical safeguards designed to protect against unauthorized access, disclosure, or modification of the personal information we obtain.  

  • We encrypt all data at rest using AES-256 GCM encryption, with root keys stored in an HSM.
  • We use modern SSL/TLS settings and HTTP headers to ensure users can safely and securely browse our site.
  • We filter and sanitize all user input to prevent code injection and XSS attacks.
  • We protect user data with role-based access controls and strict operational procedures, and we never share user data without permission.
  • We never store passwords in plain text, and we are protected against brute-force attacks, dictionary attacks, and rainbow tables.
  • We have a Secure Software Development Life Cycle (SSDLC), which includes frequent server patches and vulnerability scans on every code change.
  • We ensure high availability by distributing all services and backing up data frequently.
  • We use a Virtual Private Cloud (VPC) with inbound and outbound traffic filtering to enforce strict network access controls.

If you have any questions, don't hesitate to reach out to your FreeWill strategist.

 
