Our commitment to donor privacy at Tor

In this post, we want to share a little bit about the Customer Relationship Management (CRM) software, CiviCRM, that we use to store donation records and donor information. We hope this offers you confidence in how your personal data is handled and secured whenever you make a donation.

At the Tor Project, transparency for a privacy project is not a contradiction: privacy is about choice, and we choose to be transparent in order to build trust and a stronger community. This is how we operate in all aspects of our work: we show you all of our projects, in source code, and in periodic project and team reports, and in collaborations with researchers who help assess and improve Tor. Transparency also means being clear about our values, promises, and priorities as laid out in our social contract.

Why CiviCRM

Since 2013, the Tor Project has been using CiviCRM as part of our stack to accept donations, manage donor profiles, and facilitate donor communications. As the only true open source CRM, CiviCRM and the Tor Project share a commitment to open and transparent technology. Choosing open source technology like CiviCRM allows us to fully control our systems and securely handle your personal information. This approach minimizes the risk of a system hack and prevents third-parties from accessing your data.

We integrate CiviCRM with our self-hosted Drupal CMS, providing a robust and flexible platform for managing donor data. Our servers run Debian GNU/Linux and are protected using multiple layers of authentication. To reduce exposure of the CiviCRM API as much as possible, the donation web front-end only communicates with the CiviCRM back-end using a custom Redis key-value store via an encrypted tunnel, instead of connecting to the API directly over the Internet.

As an open source organization, we're committed to collaborating with the CiviCRM community to improve open source tools like CiviCRM, making it more effective and user-friendly for everyone. Our collaboration with the community has led to several notable improvements, including:

• CiviCRM Standalone: We expressed interest in running CiviCRM without a CMS, which motivated the project to prioritize this feature and make it a key part of CiviCRM 6.0.
• Flexible Premiums: We contributed patches to allow perk options to have flexible key/value, making it easier to track items like T-shirt sizes.
• Usability Enhancements: We provide regular feedback on the usability of CiviCRM, resulting in small but significant improvements. For example, a small change to the "View Contribution" page helps improve user experience.

By actively participating in the development of open source technology, we've ensured that our needs are addressed and that the platform continues to evolve to meet the demands of users like us. This collaborative approach has allowed us to shape the future of CiviCRM, making it a more effective and user-friendly technology.

Your privacy as a Tor donor

First and foremost, we do not publish, sell, trade, or rent any information about you. The data we collect is used for three main purposes: keeping in touch with you as a donor, making budgets and reconciling our bank accounts, and reporting necessary information for tax purposes.

For our records, we retain your name, the amount of your donation, the date of the donation, and your contact information. Access to that information is restricted inside the Tor Project to people who need it to do their work, for example by thanking you, sending a receipt, or mailing you a t-shirt. You can always contact us to view, change, or delete any information we may have stored in relation to a past donation.

If you use third-party service providers such as PayPal or a cryptocurrency exchange to make your donation, unfortunately, the Tor Project has very little influence over how these service providers may collect and use your information. We recommend you familiarize yourself with their policies, especially if you have privacy concerns.

Completely anonymous donations are also possible, like by sending a money order or gift card via postal mail, or via cryptocurrency if you have it set up in a way that preserves your anonymity. There are probably other ways to donate anonymously that we haven't thought of—maybe you will.

Our commitment to maintain the privacy of our supporters is key to our mission. Your hard-earned money and choice to invest in the Tor Project is of utmost importance to us and we appreciate your trust. We will never publicly identify you as a donor without your permission. You can read more about our donor privacy policy here.

Your impact

We, as a Tor community, fight every day for everyone to have private access to an uncensored internet, and Tor has become the world's strongest tool for privacy and freedom online.

But Tor is more than just a technology. It is a labor of love produced by an international community of people devoted to human rights. The Tor Project is deeply committed to transparency and the safety of its users.

We are proud to have a Four-Star Charity rating from Charity Navigator, and have been awarded Candid’s Platinum Seal of Transparency. This demonstrates the Tor Project’s commitment to openness and honesty in how the organization manages its finances and uses your investment for a greater impact. If you have not done so this year, please consider making a donation today. Your donation is in good hands and goes a long way.