Privacy and Security
Common Good is a 501(c)(3) nonprofit non-bank financial institution for community empowerment, regulated by the Commonwealth of Massachusetts Departments of Public Charities, Corporations, and Revenue, by the Internal Revenue Service, and by the United States Treasury Department. The Common Good system keeps your information as private and secure as possible, meeting or exceeding industry standards.
Information we collect:
How we protect your information in storage
All Common Good information is stored in a passworded database on an industry-standard secure server.
All of the information we collect, except your name and postal code, is encrypted in the database using 256-bit encryption, which is stronger protection than the industry standard. Then, for all fields except phone, email, photograph, and optional other information, the encrypted data is encrypted twice more using two different 256-bit encryption methods. None of this information is accessible online except through a signed-in administrator account.
Your PIN and password are also encrypted with one-way encryption, stronger than the industry standard.
Your most sensitive private data (birthdate, social security number, driver’s license or state ID, and bank account number) are encrypted a fourth time, using a key that is only accessible when a regional Common Good administrator signs in with proprietary plug-in hardware.
Your private information is never revealed to any non-governmental third party except with your explicit permission. As required by the Bank Secrecy Act, we retain your data for at least 5 years (highly encrypted), even if you close your account.
How we protect your information in communications
The Common Good website is a Secure Server with industry-standard 128-bit encryption (or better) of all information coming in and going out.
Your private information is never shown to you. So even if someone tricks you into revealing your password, they cannot steal your identity or your money.
In any email we send you:
- We address you by your full name, so you know we know you.
- We provide your account code.
- We never include a link that requires you to type your existing password.
Common Good Card and CGPay app security
The QR code used on Common Good Cards and in our CGPay app includes an arbitrary security code that is stored encrypted on the Common Good server. When you make a purchase with your Common Good Card, the server verifies the security code and your photo appears on the merchant’s scanning device. The cashier verifies that your face and your stored image match the photo on the card.
The photo and security code are never displayed to you on the website, so if your account password is stolen, your Common Good Card is still secure. If your Common Good Card is lost or stolen, a new security code is chosen for your replacement card.
If you have any question or concern about our privacy and security policies, please ask!