Catalyst Notify is built for the needs of charity services. It has processes in place to:

  • protect user data
  • keep systems secure
  • manage risks around information


On Notify, data is encrypted:

  • when it passes through the service
  • when it’s stored on the service

Any recipient data you upload is only held for 7 days.

If you send a file by email, the file will be available for the recipient to download for 18 months.

CAST acts as data processor for Notify. Your organisation is the data controller.

Data Protection Act

Notify complies with data protection law. To make sure it stays compliant, there are regular legal reviews of the service’s:

  • privacy policy
  • terms of use
  • approach to data sharing

Technical security

Protect sensitive information

Some messages include sensitive information like security codes or password reset links.

If you’re sending a message with sensitive information, you can choose to hide those details on the Notify dashboard once the message has been sent. This means that only the message recipient will be able to see that information.

User permissions and signing in

You can set different user permissions in Notify. This lets you control who in your team has access to certain parts of the service.

Two-factor authentication

To sign in to Notify, you’ll need to enter:

  • your email address and password
  • a text message code that Notify sends to your phone

If signing in with a text message is a problem for your team, contact us to find out about using an email link instead.

Information risk management

Our approach to information risk management follows NCSC guidance. It assesses:

  • how Notify is built
  • the infrastructure Notify is built upon
  • support for the Notify service

This approach also applies to the service providers Notify uses to send messages.

How we manage risks on Notify

Things we do to manage risks on Notify include:

  • formal risk assessments based on ISO 2700:2011 and National Cyber Security Centre guidance
  • CHECK-based testing, both annually and when any major changes are made to Notify
  • residual risk statement preparation and active management of the risk treatment plan
  • regular updates to the Privacy Impact Assessment
  • security impact assessments