Before you begin
What you’ll need
- An authenticated account for private actions
- Organization authorization for administrative data
- MFA for privileged administration
01
Protect administrator accounts
Administrator access is separate from membership and should be granted according to job responsibility.
- Use an individual administrator account; never share passwords, magic links, or MFA codes.
- Enable MFA and complete step-up verification when prompted for privileged work.
- Grant the smallest role that supports the person's responsibilities and remove access promptly when duties change.
- Review unexpected access or security notifications through a trusted organization contact.
02
Handle sensitive member data
Contact details, internal notes, financial records, mailing exports, and integration credentials require different permissions and handling rules.
- Collect only information needed for membership operations.
- Avoid putting secrets, payment-card data, authentication codes, or unnecessary sensitive details in member notes.
- Download member or mailing data only for an approved task and remove working copies according to organization policy.
- Do not send sensitive exports through personal email or unapproved file-sharing services.
03
Respond to a privacy request
Use the organization's verified process for access, correction, export, retention, or deletion requests.
- Verify the requester's identity without asking for passwords or one-time codes.
- Record the request and its scope through the approved support or privacy workflow.
- Review legal, financial, audit, publication, and membership records that may require retention.
- Correct inaccurate profile data through normal commands and preserve required historical records.
- Document completion and communicate the result through the verified contact channel.
04
Report a security concern
If you suspect unauthorized access, a leaked export, a fraudulent payment, or an account compromise, stop the affected workflow and contact the organization through its trusted support channel.
- Include the organization, approximate time, affected feature, and what you observed.
- Do not include passwords, full payment-card details, secret keys, or MFA codes.
- Preserve relevant reference IDs and avoid repeatedly retrying a suspicious action.
