Security Review Process

EveryAction uses a tiered risk management structure to determine the level of security review an application must meet before it can be used in production. Tier 1 is the lowest and will allow developers to send data into EA8, but not export, while Tier 4 is the highest.

New developers will be given Tier 1 sandbox access by default.

It is important that developers fully spec out the endpoints they plan to utilize prior to beginning integration so they can apply for access at the appropriate tier.

For example, building an integration to add a supporter to an organization’s CRM might use POST /people/findOrCreate, a Tier 1 feature, but if the application also was going to update scores with PATCH /scoreUpdates, a Tier 4 feature, the developer would be required to meet Tier 4 requirements.

An overview of endpoints and their associated security tier is below. If you are unsure what endpoints will be most useful to your integration, please don’t hesitate to reach out. We also anticipate that many developers will iterate on their integrations over the course of time, so you should expect to be asked for additional information as you increase in tiers and as we add new features that may be useful to your integration.

Review Process

There are two security reviews that integrations will generally have to go through. The first is a Platform Review by EveryAction (using the tiered model below) and the second is a Tool review by the client's team.

The Platform Review is a onetime process and will "stay" with the vendor across their work with EveryAction clients. This review is designed as a baseline audit of integration security best practices - no vendor trying to certifying at an appropriate tier should 'fail' this process.

In addition, many clients have their own vendor review. While some clients (especially those not working on voter file data) will accept the Platform Review in place of another formal process, larger clients will ask vendors to fill out an secondary review specific to their security guidelines.

Both review can often be completed in parallel, especially if you have a client who's looking to use this integration already in mind.

See below for a diagram outlining the step by step process a successful vendor will complete to have their integration live in production.

Left: productized vendor integrations
Right: one-off or custom build outsLeft: productized vendor integrations
Right: one-off or custom build outs

Left: productized vendor integrations
Right: one-off or custom build outs

General Tiers

My CampaignMy Voters
People11
Membership (People)2-
Activist Codes11
Canvass Responses11
Changed Entitites44
Codes11
Commitments2-
Contributions2-
Custom Fields2-
Designations2-
Disbursements2-
District Fields11
Email*1-
Event Types1-
Events1-
Export JobsSee belowSee below
File-Loading Jobs23
Financial Batches2-
Folders11
Locations1-
Merge Person4-
MiniVAN Exports23
Notes11
Online Actions Forms2-
Phones23
Printed Lists22
Relationships22
Reported Demographics22
Saved Lists23
Score Updates34
Scores34
Signups1-
Stories1-
Supporter Groups1-
Survey Questions11
Target Export Jobs23
Targets34
Users22
Voter Registration Batches-2

*note: this set of Email endpoints retrieve meta data about email messages sent via TGE, not actual email addresses. You can get a contact's email address using GET/people/{vanid} or via an Export Job.

Export Jobs

Export Jobs are the specific data points that are being pulled in an export. If you imagine a CSV, people records would be the rows while the fields in an export job are the columns. Use of the Export Jobs endpoint is generally not limited, but the fields included are tiered based off the security requirements mentioned above. As a reminder, voter data is a provided to EveryAction by the client or a separate vendor and as such is considered at a higher level of security. Developers with questions on this should feel free to reach out and we are happy to help connect you with the correct point of contact within a specific client organization.

My CampaignMy Voters
VanID11
FirstName12
LastName12
Address12
FullAddress12
StreetAddress12
City12
State12
ZipOrPostal12
ZipCode12
County12
Employer1-
Occupation1-
Email2-
HomePhone12
IsHomePhoneACellExchange23
CellPhone13
WorkPhone12
IsWorkPhoneACellExchange23
Phone12
OptInPhone12
OptInStatus12
OptInPhoneType12
CongressionalDistrict12
StateHouse12
StateSenate12
Party12
PollingLocation12
PollingAddress12
PollingCity12
HomePhoneDialingPrefix12
HomePhoneCountryCode12
HomePhoneID12
CellPhoneDialingPrefix13
CellPhoneCountryCode13
CellPhoneID13
WorkPhoneDialingPrefix12
WorkPhoneCountryCode12
WorkPhoneID12
PhoneDialingPrefix12
PhoneCountryCode12
PhoneID12
OptInPhoneDialingPrefix12
OptInPhoneCountryCode12
OptInPhoneID12
StateOrProvince12
OptInPhoneType12
StateFileID33
CountyFileID22
StreetNo12
StreetName12
VAddressLatitude12
VAddressLongitude12
Sex12
DOB22
PollingCity12
PollingZip12
PermanentAbsentee22
ReportedEthnicity22
ReportedLanguagePreference22
VoterVANID11
MyCampaignID11

🚧

Note on exporting addresses

Please note that the Address and ZipCode export fields only support US addresses while FullAddress and ZipOrPostal are present in databases that have international addresses enabled. The former should be used with My Voters while the latter is most often used with My Campaign.

Export Job Examples

For ease of use we will often issue developers a numeric export job type (for example Type ID 123) which will pull the same set of export fields every time it is used. VANID is unique to a contact record and often can be utilized in replace of PII. Some examples of frequently used export jobs are listed below.

Direct MailSMSRelational Organizing AppSaved List
VanIDVanIDVanIDVanID
FirstNameFirstNameFirstName
LastNameLastNameLastName
AddressAddressAddress
StreetAddressCityStreetAddress
CityStateCity
StateZipOrPostalState
ZipCodeCountyZipOrPostal
Zip4HomePhoneEmail
HomePhoneIDPhone
IsHomePhoneACellExchangePhoneDialingPrefix
CellPhonePhoneCountryCode
CellPhoneIDOptInPhone
WorkPhoneOptInPhoneDialingPrefix
WorkPhoneIDOptInPhoneCountryCode
IsWorkPhoneACellExchangeOptInStatus
PhoneOptInPhoneType
PhoneID
OptInPhone
OptInStatus
OptInPhoneID
OptInPhoneType