Blackbaud does not allow customers to perform vulnerability scanning against our environments. From a legal perspective, these types of scans are not permitted. Because Blackbaud hosted SaaS solutions run on shared infrastructure, allowing individual client scans can result in service interruptions for other customers. To reduce the potential impact on service for all our customers, we do not allow these types of customer scans. This applies to all Blackbaud hosted products.
Blackbaud provides PCI-accredited environments to our customers and makes our PCI AOC and other audit reports available to them. There is no requirement for our customers to perform separate scans of these hosted environments. We already perform monthly internal and external vulnerability scans of all our systems. These reports, and the remediation actions for any findings, are reviewed and attested to by a third-party auditor as part of the annual PCI assessment and SOC 1/2 audits.
Non-Blackbaud Hosted Sites
For more information on Blackbaud's responsibilities regarding PCI Compliance, please refer to our documentation here.
How to obtain a copy of PCI compliance certificates