Cyber Security Best Practices for Fluxx Users

Cyber security is a top priority for foundations and for-profits alike; stories of ransomware targeting foundations and hospitals proliferate across both Canada and the United States, while (a little too close to home) the Toronto Public Library also reported an incident late last year. Whether it’s employee, donor, client, or grantee information at risk, it is crucial to adhere to the highest possible standards of security and privacy. At Grantbook, our consulting philosophy is to explore challenges through the lens of people, process, and technology; we’ve collected our top recommendations with those areas of focus. Please note that while there are many applicable tips below for all organizations and systems, those using Fluxx as their grants management system will find some system-specific processes and functionalities that they can implement. 


We would like to preface this article by encouraging you to speak with whomever at your organization is responsible for your information technology and security—your chief security officer, perhaps, or a designated IT manager. This person should be well-versed in industry best practices, and may already have processes and guidelines in place. You can work together to develop comprehensive training programs and procedures for ongoing evaluation of your systems, as well as for the learning and development of your team and grantees. You may also consider organizing a one-time (or regular) evaluation of your team’s understanding of cybersecurity risks and realities, and how your foundation is actively safeguarding against them.


Related to the section above, ensure you have a defined process for identifying who at your foundation is allowed to handle different types of support requests, such as resetting passwords, resetting MFA, assigning administrator privileges, linking users to organizations, etc. Many foundations that adopt Fluxx default to making every internal user (or staff member) an administrator, leaving you open to phishing attempts and causing more confusion than clarity when it comes to ownership of key security processes. We would recommend:

  1. Running a regular user audit
    1. Review user accounts to see what profiles and roles are assigned, what permissions those profiles have, and who has an admin account
    2. Fluxx data reports can facilitate this, as can a User Profile/Role dashboard
  2. Setting and enforcing strict security processes
    1. The ability to assign admin rights, reset user passwords and MFA should be limited to a select few
    2. Create a verification process before creating or resetting a user account (e.g. requiring a phone call or Zoom meeting to verify the user’s identity)
  3. Reviewing sensitive information storage
    1. Bank accounts should be locked and restricted from regular editing and viewing access
    2. Payment details should be subject to verification
    3. Core details like email address, organization name, tax ID, and physical address should not be changeable without a review
  4. Running a Fluxx system audit
    1. Ensure you are regularly reviewing your Fluxx instance to identify any gaps in your processes or opportunities to clean up your forms and data collection.
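
As an illustration of the user audit in step 1, here is a short script added for this write-up (not Fluxx or Grantbook code) that checks an exported user list against the "select few" approved to hold admin rights. The CSV column names, the sample rows and the `APPROVED_ADMINS` allowlist are all assumptions; map them to the columns in your own user report.

```python
import csv
import io

# Constructed sample export. Column names are assumptions for this example,
# not Fluxx's actual report schema; map them to your own report's columns.
SAMPLE_EXPORT = """email,profile,roles,mfa_enabled
ana@foundation.example,Employee,Admin,yes
ben@foundation.example,Employee,Program Officer;Admin,no
cy@foundation.example,Employee,Program Officer,yes
dee@foundation.example,Employee,Admin,yes
grantee@partner.example,Grantee,Admin,no
"""

# The "select few" approved to hold privileged roles (hypothetical allowlist).
APPROVED_ADMINS = {"ana@foundation.example", "ben@foundation.example"}
PRIVILEGED_ROLES = {"admin"}


def audit_users(export_text, approved=APPROVED_ADMINS):
    """Return a list of (email, finding) tuples for accounts needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        email = row["email"].strip().lower()
        roles = {r.strip().lower() for r in row["roles"].split(";") if r.strip()}
        privileged = bool(roles & PRIVILEGED_ROLES)
        if privileged and email not in approved:
            findings.append((email, "admin role not on approved list"))
        if privileged and row["profile"].strip().lower() != "employee":
            findings.append((email, "admin role on non-staff profile"))
        if privileged and row["mfa_enabled"].strip().lower() != "yes":
            findings.append((email, "admin account without MFA"))
    return findings


def stale_approvals(export_text, approved=APPROVED_ADMINS):
    """Approved admins who no longer hold a privileged role (prune the list)."""
    current = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        roles = {r.strip().lower() for r in row["roles"].split(";")}
        if roles & PRIVILEGED_ROLES:
            current.add(row["email"].strip().lower())
    return sorted(a for a in approved if a not in current)


if __name__ == "__main__":
    for email, finding in audit_users(SAMPLE_EXPORT):
        print(f"{email}: {finding}")
```

Running the same check on every export and comparing the findings with the previous run shows when a new admin account has appeared between audits.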

*Integrations and APIs can help minimize sensitive information stored in Fluxx (such as  

A view of some of the allowed and restricted changes to organization details within Fluxx.


  1. Set strong password requirements

This may seem straightforward—who among us hasn’t been through the song and dance of incorporating numbers, special characters, and a healthy amount of upper and lower case letters—and it is for precisely this reason that setting strong password requirements can be so easily overlooked as an effective tool for securing your Fluxx instance. When setting the attributes for acceptable passwords, you can not only include those basic considerations, but you can also limit the number of failed login attempts, or ensure the user’s password has not been recycled and previously used.

This may surprise you, but simply using password expiration (where you get a prompt every 60 or 90 days reminding you that it’s time to update your password) is no longer effective—and actually does more harm than good. As hacking methods become increasingly sophisticated and automated, it is ineffective to put the onus on users to continually create new passwords which are, more likely than not, going to resemble their most recent one for the sake of their memory and sanity. Luckily, the next section can alleviate that pain point.

  2. Use a password manager

A browser extension or app can completely eliminate the stress of creating and remembering passwords. While this is of course helpful for any individual user, it has the added benefit of acting as a repository for shared passwords as well (i.e. team/organization-owned accounts and memberships), and is especially useful for Fluxx admins who manage multiple accounts (e.g. test grantee, test reviewer). At Grantbook, we use LastPass and have enabled the browser extension for ease of use; as an added bonus, for MFA-enabled accounts, it eliminates the annoyance of needing to grab your phone to verify your identity, as LastPass will generate a TOTP (time-based one-time password) that you can simply copy and paste directly from the plug-in. 

A screenshot featuring LastPass, a password management tool that can store both individual and shared usernames, passwords, and one-time codes.

  3. Turn on MFA

Look, we get it: needing to verify your identity, sometimes across multiple devices, when you log in to a service you use daily is a pain. It can feel time-consuming, inefficient, clunky. But there is a reason why your account is 99.9% less likely to be compromised if you use multi-factor authentication, according to Microsoft’s Director of Identity Security, Alex Weinert: it adds an extra layer of security to your data and acts as a final line of defence against hackers. By asking for something you know (password), something you have (a one-time code via app or text), and something you are (face scan or fingerprint), tech systems and services are setting the bar high to confirm your identity.

If you’re using Fluxx, speak to your CSM (or reach out to and read the knowledge base article on what changes are required on your User form. 

We would also advise you to have a rollout plan for your grantees as you inform them of this change, when they can expect it to take effect, and why you are implementing it. The ideal time to share this information is during implementation; the second best time is now.

  • Export emails from Fluxx to announce the rollout plan and timeline.
  • Create a guide and support documents for your grantees: a link to which app or extension they need to install, and screenshots of the set up and use cases. 
  • Set up a help desk email/phone number, record a video, or run a webinar to walk them through the process step by step; remember that while many of us may accept MFA as a matter of fact by now, your grantees may be experiencing this for the first time and will require extra support as they adjust to this new process.

  4. Better yet, enable SSO

Single sign-on enables you to automatically sign in to different websites and platforms using your organizational credentials (email/password/MFA) to save time. Speak to your IT team about this option to understand any security and tech requirements you may already have in place; with their expertise, you can explore SSO solutions such as Google, Microsoft Azure, Okta, or Ping Identity (aka PingOne). 

It can be daunting to begin to tackle your organization’s cyber security needs; however, it is a basic courtesy and responsibility that you owe to your own team and your grantees, so they can safely perform both grantmaking and changemaking. Fluxx prioritizes security for all its users, and so do we at Grantbook. Reach out today to learn more about how we can help you implement the people, process and tech solutions above.

Kenny Li

Implementation Consultant & Support Lead

Fluxx Practice Lead

On parental leave until August 2024.

Kenny has always been working at the intersection of technology and social good. His early days in community service started with volunteering for the local municipal innovation department, helping build websites for local businesses and providing technology tutoring to seniors at the local senior centre. He is especially fond of his experience volunteering to support the technical operations during the 2010 Vancouver Winter Olympic & Paralympic Games.

Before moving to Toronto, he completed his Bachelor’s in Business Administration at Simon Fraser University and worked in IT project management roles at Blackberry, TELUS, and Absolute Software.

Anir Bhatt

Implementation Specialist

Systems Design & Fluxx

Anir joined Grantbook as an Implementation Specialist in October 2022, right after his tenure as a Senior Implementations Analyst at Medallia. He’s very passionate about social impact, and here at Grantbook, he aims to provide seamless software support and configuration expertise to clients for their grant-making requirements.

He holds a degree in Computer Engineering topped with a graduate certificate in IT Business Analysis. In his cross-functional career, Anir has worked to implement & support complex technical solutions for clients across multiple sectors in the US, Canada and India.

He also enjoys all things art (especially indie music), and volunteers with art & literature societies when he can. Most evenings, you’ll find him hiking/strolling outdoors, chilling with friends, or watching a movie!