Blackbaud Europe Ltd

Blackbaud CRM

A constituent relationship management application for non-profit organisations


  • Highly configurable out-of-box, users can create unlimited fields and forms
  • Open Extensible Platform. BBCRM has fully-available APIs and WebServices
  • Handles layers of security settings across multiple sites, remote users
  • Multi-currency with complex revenue handling and auto reconciliation
  • GDPR compliant consent and communications preference management
  • Developer resources including access to Software Developer Kit for customisation
  • Advanced online toolset via Blackbaud Internet Solutions
  • Integrated payment gateways via Blackbaud Merchant Services
  • Any products that consume oData can integrate and read data
  • BBCRM can integrate with any Integration-as-a-platform (IPaaS) tool


  • A complete, straightforward browser-based experience for fundraising and supporter teams.
  • Users can have highly-tailored system views, workflows and dashboards
  • BBCRM and allows organisations to conduct social listening
  • Scheduled export of data in a variety of file formats
  • Fundraisers can access/update important constituent information directly on their smartphones
  • Fully customisable website content management system
  • Direct marketing capability with built in ROI analysis
  • Point-to-Point Encryption, digital wallet, PCI compliance, and streamlined payment processing
  • View real-time analysis of marketing efforts, make dynamic strategy adjustments
  • Prospect management tools to evaluate, segment, assign, manage identified prospects


£150 per instance per hour

Service documents


G-Cloud 11

Service ID

7 3 0 7 5 5 4 9 2 9 7 7 9 8 8


Blackbaud Europe Ltd

Marshall Simmonds

+44 (0) 203 932 1600

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Blackbaud will provide 30 days advance notice to your organisation of any such changes. Notifications of planned Scheduled Maintenance will be delivered to a designated point of contact via email. There may be instances of Emergency Maintenance where Blackbaud needs to interrupt the services without notice in order to protect their integrity due to security issues, virus attacks, spam issues, or other unforeseen circumstances. Extended Maintenance Windows will be periodically scheduled for longer periods for application upgrades. Advance notice for these extended windows will be delivered to your organisation so you may plan accordingly.
System requirements
  • Internet Explorer 11+
  • Google Chrome
  • Firefox

User support

User support
Email or online ticketing support Email or online ticketing
Support response times For Severity 1 (Critical) issues our target response time is 30 minutes with hourly updates. For Severity 2 (High) issues our target response time is 2 business hours with daily updates. For Severity 3 (Medium) issues, our target response time is 4 business hours with updates every 2 business days. Lastly for Severity 4 (Low/Cosmetic) issues, our target response is 8 business hours with updates every 2 business days.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Blackbaud uses a 3rd party called LiveAgent for chat support while using SKYUX. Customers often raise questions or require information regarding the ‘accessibility’ of our products and solutions. The term ‘accessibility’ most broadly refers to an individual’s ability to access, use or benefit from everything within their environment regardless of disability.

The standards most often referenced are the US Federal Section 508 standards and the W3C's Web Content Accessibility Guidelines 2.0 (WCAG).

Blackbaud's goal is to have our cloud solutions on the Blackbaud SKY platform conform to WCAG 2.0 Level AA satisfying all of the 38 level A and AA success criteria.

We've built the set of product development practices and testing for team's to be able to meet these conformance requirements to a high degree if practiced consistently. These can be learned using the getting started guides for content development, engineering, and user experience.

In the future we expect to build a regular assessment and compliance check for our cloud solutions on the SKY platform to increase the quality and level of accessibility.
Web chat accessibility testing The W3C released a update to WCAG in June, 2018 which extend the 2.0 guidelines. This was the first update to the guidelines in 10 years. There are twelve new level A & AA success criteria that focus on improving accessibility for users with cognitive disabilities and for users who browse websites on mobile devices like tablets and smartphones.

Blackbaud will evaluate the adoption of these new guidelines into country laws, customer policies and requirements, and industry-standard accessibility reporting templates periodically. We will consider updating the Blackbaud goal to the updated guidelines at a future date.
Onsite support Yes, at extra cost
Support levels For Severity 1 (Critical) issues our target response time is 30 minutes with hourly updates. For Severity 2 (High) issues our target response time is 2 business hours with daily updates. For Severity 3 (Medium) issues, our target response time is 4 business hours with updates every 2 business days. Lastly for Severity 4 (Low/Cosmetic) issues, our target response is 8 business hours with updates every 2 business days. We also provide resources such as knowledgebase.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started The start of any CRM project is onsite training at the client's, or Blackbaud's, offices. This is generally a minimum week long course, depending upon the scope of the project. The training is an introduction to the out of the box solution to prepare the client project team for the design phase of the project. Training guides are provided as part of the course. During the project, further training is given, aimed at specialist subject matter experts, to instruct on advanced configuration and customisation of the product. A further onsite course teaches the client how to maximise their use of the multiple report writing options offered by the product. Assistance is also given with regards to identifying and designing end user training resources, often then produced and delivered by the client. This training focuses on the need for considered change management.
Clients have access to online training via the Blackbaud University portal. These sessions include self paced learning and instructor led lessons. Hands-on exercises and interactivity are at the heart of all Blackbaud training, and classes are designed to support a variety of user roles.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction If Blackbaud has your data in its possession upon termination, to the extent technologically feasible, Blackbaud will provide a copy of your data in standard database format.
End-of-contract process If Blackbaud has your data in its possession upon termination, to the extent technologically feasible, Blackbaud will provide a copy of your data in standard database format.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems Windows
Designed for use on mobile devices No
Service interface No
What users can and can't do using the API Every application feature is accessible through standard web services accessible from any programming tool that utilizes XML, HTTP, and SOAP. Customisations can be created to automate the functionality in the software such as business processes. The Blackbaud Infinity SDK is required and setup to be integrated with Visual Studio to create customisations that can be deployed to Blackbaud CRM.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The Blackbaud Infinity SDK can be used to customise the application such as automation, global changes, adding new functionality or enhancing existing functionality. Customers who use our software are free to download and use our SDK to integrate with their Blackbaud CRM installation. Customers can also look for a Blackbaud Partner company or have Blackbaud scope and create integrations.


Independence of resources Our infrastructure is built with load balancing in mind and there is constant monitoring in place.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations EU-US Privacy Shield agreement locations
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Other
Other data at rest protection approach All data in transit is encrypted using AES 128/256-bit SSL via TLS v1.2 with a 2048-bit RSA asymmetric key. Specific fields are encrypted at rest using 2048-bit encryption, including social security numbers and credit card numbers.  Backups are encrypted with AES-256.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach There are various functions in the solution where data can be exported. Users can also query and analyse their data based on specific conditions that can also be exported. This is standard functionality available in Blackbaud CRM.
Data export formats
  • CSV
  • Other
Other data export formats XLSX
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability We commit that the production version of software in the hosting environment will be available at least 99.9% of the time calculated on a monthly basis excluding maintenance. Users should notify Blackbaud as soon as possible should a disruption be experienced. To be eligible for a service credit, the average availability for the entire prior month must drop below 99.7% and you must notify Blackbaud within 30 days of the end of that month so that we can investigate the issue.
Approach to resilience This information is available on request.
Outage reporting A public status page is available for both reported outages and scheduled maintenance.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Blackbaud systems and database administrators have access to the data. Access is granted on an as-needed basis but requires senior management approval on a per user basis. Employees must complete security training prior to access provisioning. All administrators are required to use two-factor authentication for system access.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information You control when users can access audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Schellman & Company LLC
PCI DSS accreditation date 04/06/2018
What the PCI DSS doesn’t cover Blackbaud has validated compliance with the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS) for every application that processes, stores, and transmits cardholder data. We have implemented PCI standards regarding secure storage of data, strong access control, and other requirements. For more information, please refer to the PCI Compliance page of our website.
Other security certifications Yes
Any other security certifications SOC2

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We maintain numerous security certifications, and our solutions meet rigorous international security and privacy standards, as validated by external auditors. Blackbaud experts ensure your system is always up to date, properly configured, and compliant with standards like PCI DSS and SOC.
Our security measures can be found here:
Blackbaud Privacy Policy:
Blackbaud Client Data Policy:
Blackbaud has implemented an Information Security Program that meets or, in many cases, exceeds industry best practices, and is modeled upon the ISO 27001 information security governance structure.
Information security policies and processes Blackbaud has implemented an Information Security Program that meets or, in many cases, exceeds industry best practices, and is modeled upon the ISO 27001 information security governance structure. This means that Blackbaud has implemented policies and procedures addressing:
Security Governance and related policies
Risk Assessment
Asset management
Physical and environment security
Network, communications and operational security
Access control
Information system acquisition, development, and maintenance
Incident management
Business continuity
Mobile devices
Personnel management
By implementing this program, we consistently maintained a system uptime of over 99.95% which is one of our top priorities.
We do not provide the details of internal security policies and procedures.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Blackbaud’s Change Model follows ITIL protocols and methodologies. All changes are brought forward using a Request For Change (RFC) process to a Change Board (CB) who reviews the submitted request. This formal process allows for complete review and approval as well as establishes the appropriate levels of communication. We categorize all changes as Standard, Non-standard, or Scheduled Changes.
Vulnerability management type Undisclosed
Vulnerability management approach Blackbaud has a comprehensive vulnerability management program. All of our applications and our public facing network go through annual third-party penetration testing. We also perform our own internal and external vulnerability scans on a quarterly basis, as well as static code scans against our software during key moments in the development lifecycle. Any issues found are submitted for remediation based on industry recommendations.
Protective monitoring type Undisclosed
Protective monitoring approach Blackbaud’s Incident Response Team will notify Legal Counsel to understand and provide notification requirements. Requirements will include applicable laws, federal requirements, EU requirements as well as client contractual requirements.
In the event of an breach, and within 72 hours of becoming aware of a use, access or disclosure of Client Confidential
Information in Blackbaud’s possession that is not permitted by the terms of the Agreement (“Unauthorized Disclosure”),
Blackbaud shall notify the Customer in writing of the Product in question regarding Unauthorized Disclosure via
email and will also provide a written report to Client describing the circumstances surrounding such Unauthorized
Incident management type Undisclosed
Incident management approach Blackbaud maintains a well-defined, documented, and communicated Incident Response Plan across the organization. Upon alert, report, or identification of a breach; interviews are conducted and evidence is collected. An initial report is established, ensuring that the collected artifacts concur with the time-stamps on the systems from which they happen to have been generated or collected. An incident response team then further reviews the initial incident report together.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £150 per instance per hour
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑