Security Review Process
NGP VAN uses a tiered risk management structure to determine the level of security review an application must meet before it can be used in production. Tier 1 is the lowest and will allow developers to send data into VAN, but not export, while Tier 4 is the highest.
New developers will be given Tier 1 sandbox access by default.
It is important that developers fully spec out the endpoints they plan to utilize prior to beginning integration so they can apply for access at the appropriate tier.
For example, building an integration to add a supporter to an organization’s CRM might use POST /people/findOrCreate, a Tier 1 feature, but if the application also was going to update scores with PATCH /scoreUpdates, a Tier 4 feature, the developer would be required to meet Tier 4 requirements.
An overview of endpoints and their associated security tier is below. If you are unsure what endpoints will be most useful to your integration, please don’t hesitate to reach out. We also anticipate that many developers will iterate on their integrations over the course of time, so you should expect to be asked for additional information as you increase in tiers and as we add new features that may be useful to your integration.
Review Process
There are two security reviews that integrations will generally have to go through. The first is a Platform Review by NGP VAN (using the tiered model below) and the second is a Tool review by the client's team.
The Platform Review is a onetime process and will "stay" with the vendor across their work with NGP VAN clients. This review is designed as a baseline audit of integration security best practices - no vendor trying to certifying at an appropriate tier should 'fail' this process.
In addition, many clients have their own vendor review. While some clients (especially those not working on voter file data) will accept the Platform Review in place of another formal process, larger clients will ask vendors to fill out an secondary review specific to their security guidelines.
Both review can often be completed in parallel, especially if you have a client who's looking to use this integration already in mind.
See below for a diagram outlining the step by step process a successful vendor will complete to have their integration live in production.
General Tiers
My Campaign | My Voters | |
---|---|---|
People | 1 | 1 |
Membership (People) | 2 | - |
Activist Codes | 1 | 1 |
Canvass Responses | 1 | 1 |
Changed Entitites | 4 | 4 |
Codes | 1 | 1 |
Commitments | 2 | - |
Contributions | 2 | - |
Custom Fields | 2 | - |
Designations | 2 | - |
Disbursements | 2 | - |
District Fields | 1 | 1 |
Email* | 1 | - |
Event Types | 1 | - |
Events | 1 | - |
Export Jobs | See below | See below |
File-Loading Jobs | 2 | 3 |
Financial Batches | 2 | - |
Folders | 1 | 1 |
Locations | 1 | - |
Merge Person | 4 | - |
MiniVAN Exports | 2 | 3 |
Notes | 1 | 1 |
Online Actions Forms | 2 | - |
Phones | 2 | 3 |
Printed Lists | 2 | 2 |
Relationships | 2 | 2 |
Reported Demographics | 2 | 2 |
Saved Lists | 2 | 3 |
Score Updates | 3 | 4 |
Scores | 3 | 4 |
Signups | 1 | - |
Stories | 1 | - |
Supporter Groups | 1 | - |
Survey Questions | 1 | 1 |
Target Export Jobs | 2 | 3 |
Targets | 3 | 4 |
Users | 2 | 2 |
Voter Registration Batches | - | 2 |
*note: this set of Email endpoints retrieve meta data about email messages sent via TGE, not actual email addresses. You can get a contact's email address using GET/people/{vanid} or via an Export Job.
Export Jobs
Export Jobs are the specific data points that are being pulled in an export. If you imagine a CSV, people records would be the rows while the fields in an export job are the columns. Use of the Export Jobs endpoint is generally not limited, but the fields included are tiered based off the security requirements mentioned above. As a reminder, voter data is a provided to NGP VAN by the client or a separate vendor and as such is considered at a higher level of security. Developers with questions on this should feel free to reach out and we are happy to help connect you with the correct point of contact within a specific client organization.
My Campaign | My Voters | |
---|---|---|
VanID | 1 | 1 |
FirstName | 1 | 2 |
LastName | 1 | 2 |
Address | 1 | 2 |
FullAddress | 1 | 2 |
StreetAddress | 1 | 2 |
City | 1 | 2 |
State | 1 | 2 |
ZipOrPostal | 1 | 2 |
ZipCode | 1 | 2 |
County | 1 | 2 |
Employer | 1 | - |
Occupation | 1 | - |
2 | - | |
HomePhone | 1 | 2 |
IsHomePhoneACellExchange | 2 | 3 |
CellPhone | 1 | 3 |
WorkPhone | 1 | 2 |
IsWorkPhoneACellExchange | 2 | 3 |
Phone | 1 | 2 |
OptInPhone | 1 | 2 |
OptInStatus | 1 | 2 |
OptInPhoneType | 1 | 2 |
CongressionalDistrict | 1 | 2 |
StateHouse | 1 | 2 |
StateSenate | 1 | 2 |
Party | 1 | 2 |
PollingLocation | 1 | 2 |
PollingAddress | 1 | 2 |
PollingCity | 1 | 2 |
HomePhoneDialingPrefix | 1 | 2 |
HomePhoneCountryCode | 1 | 2 |
HomePhoneID | 1 | 2 |
CellPhoneDialingPrefix | 1 | 3 |
CellPhoneCountryCode | 1 | 3 |
CellPhoneID | 1 | 3 |
WorkPhoneDialingPrefix | 1 | 2 |
WorkPhoneCountryCode | 1 | 2 |
WorkPhoneID | 1 | 2 |
PhoneDialingPrefix | 1 | 2 |
PhoneCountryCode | 1 | 2 |
PhoneID | 1 | 2 |
OptInPhoneDialingPrefix | 1 | 2 |
OptInPhoneCountryCode | 1 | 2 |
OptInPhoneID | 1 | 2 |
StateOrProvince | 1 | 2 |
OptInPhoneType | 1 | 2 |
StateFileID | 3 | 3 |
CountyFileID | 2 | 2 |
StreetNo | 1 | 2 |
StreetName | 1 | 2 |
VAddressLatitude | 1 | 2 |
VAddressLongitude | 1 | 2 |
Sex | 1 | 2 |
DOB | 2 | 2 |
PollingCity | 1 | 2 |
PollingZip | 1 | 2 |
PermanentAbsentee | 2 | 2 |
ReportedEthnicity | 2 | 2 |
ReportedLanguagePreference | 2 | 2 |
VoterVANID | 1 | 1 |
MyCampaignID | 1 | 1 |
Note on exporting addresses
Please note that the Address and ZipCode export fields only support US addresses while FullAddress and ZipOrPostal are present in databases that have international addresses enabled. The former should be used with My Voters while the latter is most often used with My Campaign.
Export Job Examples
For ease of use we will often issue developers a numeric export job type (for example Type ID 123) which will pull the same set of export fields every time it is used. VANID is unique to a contact record and often can be utilized in replace of PII. Some examples of frequently used export jobs are listed below.
Direct Mail | SMS | Relational Organizing App | Saved List |
---|---|---|---|
VanID | VanID | VanID | VanID |
FirstName | FirstName | FirstName | |
LastName | LastName | LastName | |
Address | Address | Address | |
StreetAddress | City | StreetAddress | |
City | State | City | |
State | ZipOrPostal | State | |
ZipCode | County | ZipOrPostal | |
Zip4 | HomePhone | ||
HomePhoneID | Phone | ||
IsHomePhoneACellExchange | PhoneDialingPrefix | ||
CellPhone | PhoneCountryCode | ||
CellPhoneID | OptInPhone | ||
WorkPhone | OptInPhoneDialingPrefix | ||
WorkPhoneID | OptInPhoneCountryCode | ||
IsWorkPhoneACellExchange | OptInStatus | ||
Phone | OptInPhoneType | ||
PhoneID | |||
OptInPhone | |||
OptInStatus | |||
OptInPhoneID | |||
OptInPhoneType |
Updated over 2 years ago