Data Protection Policy

Last Modified: June 14, 2016

With today’s IT systems, it is possible to collect and unimaginably large amount of information and data very quickly. Unfortunately, external attacks, data theft and human error can lead to loss of your confidential data. At ChurchDesk we are focused on data security in all that we do. We do not only do what is necessary from a legal and regulations perspective, but to go beyond with further securing our operational setup and our apps. I will use this article to address some of the measures we take internally as well as how our server operator T-Systems got the extra mile to keep data secure. ChurchDesk servers are located in Frankfurt, Germany and is so secure that it is used by governments, health care, payment providers and financial service providers. We make sure that our customers data is safe at all time, both in transit and at rest.

General overview

ChurchDesk’s servers are located in Frankfurt, Germany within the EU Union and are run by T-Systems. T-Systems is a German global IT services and consulting company. Founded in 2000, it is a subsidiary of Deutsche Telekom. T-Systems is one of the largest and most secure data centre providers in the world. It is guaranteed that our customers’ and users’ data will never leave Germany. T-Systems provides multiple availability zones within the Frankfurt region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower risk flood plains. In addition to discrete uninterrupted power supply (UPS) and on-site backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.

The technical facilities of Deutsche Telekom, T-Systems, has ISO27001 – authorization. The ISO27001 standard is an internationally recognized standard for evaluating the security of information and IT environments. This standard also covers requirements concerning planning, implementation, documentation and continuous improvement of information security to the smallest detail.

ChurchDesk is also evaluated by TÜV Informationstechnik GmbH. TÜV provides the necessary assurances with regard to EU data protection compliance and compliance with the Data Protection Act of 1998. ChurchDesk also complies with all technical industry standards. Download a copy of the European data protection law handbook, here.

Technical Audit – Reference No.: 300-097-14

Legal Audit – Reference No.: 300-097-14

The following provides an overview of the most important points to highlight with regard to your data protection with ChurchDesk.

  • ChurchDesk is committed to encrypt all communications between the servers and the ChurchDesk platform of the customer.
  • ChurchDesk undertakes to provide access permissions/ authorization processes specifying which users have access to personal data.
  • ChurchDesk will terminate log in capabilities after a certain number of failed log in attempts.
  • Customer data, that is processed by ChurchDesk and used by ChurchDesk will be exclusively for the operation of the platform. In addition this includes all data shared via customer support and any update processes.
  • In the event of contract termination by the customer, ChurchDesk is obligated to delete all data within 60 days after the last accounting period. As well as this ChurchDesk undertakes to ensure the same guidelines are enforced on the parishes in handling personal data in accordance with public authorities.

In more detail


T-Systems data centers

T-Systems data centers are state of the art, utilizing innovative architectural and engineering approaches. Deutsche Telekom has many years of experience in designing, constructing, and operating large scale data centers. This experience has been applied to the T-System platform and infrastructure. T-System data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. All physical access to data centers by T-System employees is logged and audited routinely.

Fire Detection and Suppression

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.


The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate and Temperature

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels. Management T-System monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.


DSI vCloud options

All storage classes are also available as Backup Integrated Disk Storage (BIS)

1) The online data storage is always situated within a data center location with the compute resources used by the customer. The customer can create VMware snapshots of its workloads/VMs in its booked data storage via the vCloud self-service portal. The data storage available is then reduced by the size of the snapshot. The snapshot is based on a copy via the vCloud Director. In the “high” storage quality, the data is also synchronously mirrored to the other data center location. The secondary data storage cannot be accessed in the self-service. Access to the secondary data store is switched by Telekom exclusively in the DR case and for all customers at the same time.

Security and network services

Telekom will provide a virtual firewall (vShield) that the customer can configure by adding new services to the routing table. The firewall separates services with Internet connection from all other internal services. The customer can also use load balancing, firewall NAT, and other vShield-based features.

Transmission Protection

ChurchDesk connects to a T-System access point via HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol that is designed to protect against eavesdropping, tampering, and message forgery. For an additional layer of network security. Secure Shell is blocked by the firewall

Network Monitoring and Protection

ChurchDesk utilizes a wide variety of automated monitoring systems through T-Systems to provide a high level of service performance and availability. T-Systems monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts.


This system is placed upstream of the physical T-Systems firewall and acts as a reverse proxy. In addition, a virtual “vShield Edge” machine that processes the input of the reverse proxy is installed downstream of the Telekom firewall. The reverse proxy accepts connections on the following ports: 80, 8080, 8081, 443, and 8443. It translates the external IP address of the customer workload into an internal private address (NAT) of the customer workload. A search table that indicates the assignment of external to internal IP addresses is installed on the reverse proxy. The virtual vShield Edge firewall on the perimeter of the virtual data center enables the customer to route IP traffic to various VMs and to implement various expanded network services. This comprises the independent management of the firewall approvals, the NAT configuration, the configuration of the load balancing for the external vDC network of multiple customer VMs, and additional function.

Within the virtual data center, VMware-based firewall & load balancer functions are available to ChurchDesk in the self-service (vShield Edge). This enables customers to configure vApp network-related security settings (such as routing, port filtering, NAT) themselves. Any external network traffic (e.g., private network connections, secure Internet access, flexible Internet access) also terminate on a vShield Edge so that ChurchDesk can apply advanced settings (routing, NAT, port filtering, load balancing) there in the self-service.

Supported protocols and ports

The secure Internet access supports the HTTP and HTTPS communication protocols by default and uses the following ports: 80, 8080, 8081, 443, and 8443.

Disaster recovery capability

The DSI vCloud offering provides the customer with comprehensive disaster recovery functions in the self-service. DSI vCloud has been designed with fully redundant components on all levels to ensure high availability.

Data Transfer

All data transferred to and from ChurchDesk’s users and our servers are encrypted with a 256-bit SSL certificate. All data transfers to and from ChurchDesk’s mobile and browser apps are encrypted with this 256-bit certificate. All internal data transfers between ChurchDesk’s servers are protected by vShield Edge – which creates a secure and logically isolated portion of the T-Systems infrastructure.

Database Security 

ChurchDesk’s data is stored in an industry standard encrypted database using AES-XTS-PLAIN64 with a 512bit. All ChurchDesk’s data is synchronously replicated securely between multiple zones in the Frankfurt, Germany region for ChurchDesk. Furthermore, the database is backed up fully once every day. Between the daily full backups, 6 incremental backups are maintained. Furthermore all data is replicated to a hot standby database server to ensure high availability.

Data Backup ChurchDesk ensures that data stored on ChurchDesk’s platform is backed up at all times. ChurchDesk both uses full as well as incremental backups. ChurchDesk regularly makes restore-tests of former completed backups to ensure that the backup works as intended.


All files uploaded by the user will be scanned for virus before being accepted into the file archive.

Files that have been rejected by the virus scanner will not be backed up since they never touch the hard disks.

Access Control

All passwords of our users are hashed with unique salts. More specifically, the passwords are hashed using SHA512 with the use of an industry standard stretching technique. As such, if the database should have been compromised, an intruder would not be able to read the passwords.

The passwords has a minimum of 8 digits or characters. The password has to consist of three of the following: Uppercase, lowercase, numbers, special characters.
Failed log in attempts are registered and blocked for 24 hours after 5 failed attempts.



All employees in ChurchDesk who have access to personal data are authorized by ChurchDesk. Such authorizations indicate the access and for what purposes the individual employee has been given access to. ChurchDesk employees are only authorized to access the customers’ personal data for operational or technical purposes. ChurchDesk’s employees do not have access to personal data that is not covered by their authorization. The number of employees at ChurchDesk with this authorization is kept to a minimum. ChurchDesk verifies and updates authorizations continuously. Such authorizations will be adjusted or cancelled when an employee changes position, responsibility or resigns. ChurchDesk’s platform is set up so that the customer can authorize its employees based on roles with different permissions and rights. Other users of the solution must also be subject to authorizations that provide appropriate access. All new and revoked authorizations are logged.


All employees of ChurchDesk that may have access to personal data are in their employment agreements subject to confidentiality. Confidentiality is also maintained by ChurchDesk after the termination of ChurchDesk’s agreement with the customer. ChurchDesk employees are covered by confidentiality obligations even after their termination.


All access to personal data in connection with the use of ChurchDesk’s platform is automatically logged. The logging includes IP-address, time, username, type of use and the person the data pertains to. Should ChurchDesk access personal data based on a support or technical request from the customer, then this access is logged as well.

If you have any questions regarding our security feel free to contact [email protected].