Data Security with ChurchDesk

Last Modified: April 26, 2018

At ChurchDesk we are focused on data security in all that we do. We do not only do what is necessary from a legal and regulations perspective, but to go beyond with further securing our operational setup and our apps. This article addresses some of the measures we take internally as well as how our suppliers keep data secure.

Our servers are located in Nuremberg and Falkenstein in Vogtland, Germany within the European Union and are run by Hetzner Online. Hetzner Online is a German hosting provider and experienced data center operator. With Hetzner Online it is guaranteed that our customers’ and users’ data will never leave the EU.

The technical facilities of Hetzner Online have ISO27001 authorization. The ISO27001 is an internationally recognized standard for evaluating the security of information and IT environments. This standard also covers requirements concerning planning, implementation, documentation and continuous improvement of information security to the smallest detail.

ChurchDesk is compliant with the General Data Protection Regulation of the EU.

The following provides an overview of the most important points to highlight with regard to your data protection with ChurchDesk:

  • ChurchDesk encrypts all communications between the servers and the platform of the customer.
  • ChurchDesk undertakes to provide access permissions and authorization processes specifying which users have access to personal data.
  • ChurchDesk will deny login after a certain number of failed attempts.
  • Customer data, that is processed by ChurchDesk and used by ChurchDesk, will be exclusively processed for the operation of the platform. In addition this includes all data shared via customer support and any update processes.
  • In the event of contract termination by the customer, ChurchDesk is obligated to delete all data within 60 days after the last accounting period. As well as this ChurchDesk undertakes to ensure the same guidelines are enforced on the parishes in handling personal data in accordance with public authorities.

Product Security

Build Process Automation

We have functioning, frequently used automation in place so that we can safely and reliably rollout changes to both our application and operating platform within minutes.

We typically deploy code dozens of times a day, so we have high confidence that we can get a security fix out quickly when required.

You can check our past months up time at our Status Page.

Infrastructure

  • All our servers are dedicated machines hosted by Hetzner Online.
  • Our data is spread across multiple servers to ensure a high uptime.
  • Hetzners firewalls together with our own network access control lists (ACLs) prevent unauthorized requests getting to our servers.
  • All our servers are protected with DDOS-encryption.
  • Our data center is protected by state of the art security, including 24/7 video surveillance.

Click here to read more about Hetzner Onine

Data

  • All customer data is stored in Germany at Hetzner Online.
  • Customer data is stored on multiple dedicated servers in different locations.
    Data is stored using a zero-trust principle which means that all customer data is encrypted to prevent everyone, including the server provider Hetzner Online, from accessing the data.
  • We do not have individual datastores for each customer. However, strict privacy controls exist in our application code to ensure data privacy and prevent one customer from accessing another customers data. We have unit and integration tests in place to ensure these privacy controls work as expected. These tests are run every time our codebase is updated and one single test failing will prevent new code being shipped to production.

Data Transfer

  • All data sent to or from ChurchDesk is encrypted using 256 bit encryption.

Authentication

  • All passwords are stored with the strongest cryptographic hash technology possible.
  • Your login will be blocked after several mistaken login attempts.

Permission

  • The application has built-in permission levels to be set for your teammates.
  • Permissions that can be set includes settings, billing, user data, and the ability to send or edit messages.

Backup

  • ChurchDesk is running daily backups.
  • All backups are encrypted.
  • We have multiple backup strategies and backup data is stored on multiple servers and locations.
  • In the backup we store your data for sixty (60) days.

Organisational Security

Incident Response Plan

  • We have implemented a formal procedure for security events and educated all our staff on our policies.
  • When security events are detected they are escalated to our emergency alias, teams are paged, notified and assembled to rapidly address the event.
  • After a security event is fixed we write up a post-mortem analysis at our Status Page.
  • The analysis is reviewed in person, distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.

Authorisations

Only employees at ChurchDesk with specific authorisations have access to your personal information.

Confidentiality

All employees of ChurchDesk that may have access to personal data are subject to confidentiality in their employment agreements. Confidentiality is also maintained by ChurchDesk after the termination of ChurchDesk’s agreement with the customer. ChurchDesk employees are covered by confidentiality obligations also after their termination.

Logging

All access to ChurchDesk is logged and stored for six (6) months after which it is automatically deleted.

Policies

ChurchDesk has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

PCI Obligations

All payments made to ChurchDesk by Credit Card, BACS or SEPA go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.

If you have any questions regarding our data security, please e-mail us at support@churchdesk.com.