Data Security
At ChurchDesk we are focused on data security in all what we do. In the security of our operational setup and our apps. We go beyond what is necessary from a legal and regulatory perspective.
Data Security with ChurchDesk
At ChurchDesk we are focused on data security in all what we do. In the security of our operational setup and our apps, we go beyond what is necessary from a legal and regulatory perspective.
Our servers are located in Nuremberg and Falkenstein in Vogtland, Germany within the European Union and are run by Hetzner Online. With Hetzner Online it is guaranteed that our customers’ and users’ data will never leave the EU.
The technical facilities of Hetzner Online are ISO27001 certified. The ISO27001 is an internationally recognized standard for evaluating the security of information and IT environments.
ChurchDesk is compliant with the General Data Protection Regulation of the EU.
In the event of contract termination by the customer, ChurchDesk is obligated to delete all data within 60 days after the last accounting period.
Authentication
- All passwords are stored with the strongest cryptographic hash technology possible.
- Your login will be blocked after several mistaken login attempts.
Uptime
- We monitor and publish our uptime. You can check our past month stats at status.churchdesk.com
Network and application security
Data Hosting and Storage
All customer data is stored in Germany at Hetzner Online. The technical facilities of Hetzner Online have ISO27001 certification and are located in Germany.
- Customer data is stored on multiple dedicated servers in different locations.
- We store data according to the so-called “Zero-Trust” principle. This means that all customer data is encrypted by default, so that no one can access it without logging in via the authenticated ChurchDesk platform — not even the hosting provider.
- All our servers are protected with DDOS-protection.
- Our data center is protected by state of the art security, including 24/7 video surveillance (More information here).
Product Security
Encryption
- All data sent to or from ChurchDesk is encrypted in transit using 256-bit encryption.
Permissions
- The application has built-in permission levels to be set for your teammates. Permissions that can be set includes settings, billing, user data, and the ability to send or edit messages.
Backup
- ChurchDesk is running daily backups.
- All backups are encrypted.
- We have multiple backup strategies and backup data is stored on multiple servers and locations.
- In the backup, we store your data for sixty (60) days.
Logging
- All access to ChurchDesk is logged and stored for six (6) months after which it is automatically deleted.
Build Process Automation
- We have a functioning and frequently used automation in place so that we can safely and reliably rollout changes to both our application and operating platform within minutes.
- We typically deploy code dozens of times a day, so we have high confidence that we can get a security fix out quickly when required.
Organisational Security Features
Policies
- ChurchDesk has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Incident Response Plan
- We have implemented a formal procedure for security events and educated our staff on these policies.
- When security events are detected they are escalated to our emergency alias, teams are paged, notified and assembled to rapidly address the event.
- After a security event is fixed we write up a post-mortem analysis in our status page.
Authorizations and Confidentiality
- Only employees at ChurchDesk with specific authorizations have access to your personal information.
- All employees of ChurchDesk that may have access to personal data are subject to confidentiality in their employment agreements. Confidentiality is also maintained by ChurchDesk after the termination of ChurchDesk’s agreement with the customer. ChurchDesk employees are covered by confidentiality obligations also after their termination.
- Former ChurchDesk employees are also bound by the confidentiality obligation after the end of their contract.
PCI Obligations
- All payments made to ChurchDesk by Credit Card, BACS or SEPA go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.
Security Questions?
If you have any questions regarding our data security, please e-mail us at support@churchdesk.com.