Data Security with ChurchDesk
At ChurchDesk, data security is a focus in everything we do. In securing our operational setup and our apps, we go beyond what is required from a legal and regulatory perspective.
Our servers are located in Nuremberg and Falkenstein (Vogtland), Germany, within the European Union, and are operated by Hetzner Online. With Hetzner Online it is guaranteed that our customers’ and users’ data will never leave the EU.
The technical facilities of Hetzner Online are ISO 27001 certified. ISO 27001 is an internationally recognized standard for evaluating the security of information and IT environments.
ChurchDesk is compliant with the General Data Protection Regulation of the EU.
In the event of contract termination by the customer, ChurchDesk is obligated to delete all data within 60 days after the last accounting period.
Product Security
Permissions
- The application has built-in permission levels that you can set for your teammates. Permissions that can be set include settings, billing, user data, and the ability to send or edit messages.
Authentication
- All passwords are stored as cryptographic hashes using the strongest hashing technology available.
- Your login will be blocked after several failed login attempts.
Uptime
We monitor and publish our uptime. You can check our past month stats at https://status.churchdesk.com/
Network and application security
Data Hosting and Storage
- All customer data is stored in Germany at Hetzner Online. The technical facilities of Hetzner Online have ISO 27001 certification.
- Customer data is stored on multiple dedicated servers in different locations.
- Data is stored following a zero-trust principle: all customer data is encrypted so that no one, including the hosting provider Hetzner Online, can access it.
- All our servers have DDoS protection.
- Our data center is protected by state-of-the-art security, including 24/7 video surveillance. More information here.
Encryption
- All data sent to or from ChurchDesk is encrypted in transit using 256-bit encryption.
Backup
- ChurchDesk runs daily backups.
- All backups are encrypted.
- We have multiple backup strategies and backup data is stored on multiple servers and locations.
- Backups retain your data for sixty (60) days.
Logging
All access to ChurchDesk is logged and stored for six (6) months after which it is automatically deleted.
Build Process Automation
- We have a working and frequently used automation pipeline in place so that we can safely and reliably roll out changes to both our application and our operating platform within minutes.
- We typically deploy code dozens of times a day, so we have high confidence that we can get a security fix out quickly when required.
Organisational Security Features
Policies
ChurchDesk has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Incident Response Plan
- We have implemented a formal procedure for security events and educated our staff on these policies.
- When security events are detected, they are escalated to our emergency alias; teams are paged, notified and assembled to address the event rapidly.
- After a security event is resolved, we write up a post-mortem analysis on our status page.
- The analysis is reviewed in person, distributed across the company and includes action items that will make the detection and prevention of a similar event easier in the future.
Authorizations and Confidentiality
- Only employees at ChurchDesk with specific authorizations have access to your personal information.
- All ChurchDesk employees who may have access to personal data are bound by confidentiality clauses in their employment agreements. These confidentiality obligations continue after the termination of ChurchDesk’s agreement with the customer and after an employee’s own employment ends.
PCI Obligations
All payments made to ChurchDesk by credit card, BACS or SEPA go through our partner, Stripe. Details about their security setup and PCI compliance can be found on Stripe’s security page.
Security Questions?
If you have any questions regarding our data security, please e-mail us at support@churchdesk.com.