With all the news about hackers, identity theft, and compromised servers, we certainly understand why you want to know your ChurchTrac data is safe. We designed ChurchTrac with security in mind, and we have done everything we can to keep ChurchTrac as safe as possible. This document outlines some of the steps we have taken to secure our system and your data.
We designed our application and infrastructure with security in mind from the beginning, not as an afterthought. We follow the latest coding standards and best practices, and our team undergoes periodic training to ensure they are educated on the newest issues and exploits. In the application, all input data is filtered, validated, and/or sanitized to protect against known vulnerabilities like cross-site scripting (XSS), database injection, etc. All of our code is thoroughly tested and reviewed prior to release to ensure that it meets our internal coding standards and best practices, and so that any potential security issues are discovered and eliminated before it is placed into production.
Additionally, our infrastructure is tailored to keep customer data sets isolated. This means that every ChurchTrac account is separated from other accounts in its own unique database. This is important because it means that if another one of our customers has an account that is compromised (by a weak or leaked password, for example), there would be no way for a malicious third party to use that vulnerable account to access your account’s data. Most companies place all of their customers’ accounts into the same database, which means that if one account is compromised, all of the accounts are potentially compromised.
Furthermore, account passwords are first "salted", then converted to a one-way, irreversible hash and never stored in plain text (hashing is better than encryption, which can be reversed). When you enter your password to log in to the application, the password you type is also hashed and compared against the hashed password that is stored for your user account. In this way, your password is not known, even by us, and cannot be reverse-engineered or compromised from our end. Password resets can only be sent to the email that you have provided to us.
Other sensitive data is hashed or encrypted before being stored in the database. User files are stored in a separate location, and access is granted only through auto-expiring signed URLs. This means that the content you upload using ChurchTrac can only be accessed from within your account by providing the correct account credentials. Your files and data cannot be accessed through any other web URL or platform.
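How an auto-expiring signed URL works, as an added example that is not ChurchTrac's implementation: the server binds the file path and an expiry timestamp together under an HMAC with a secret only the server holds, and the storage front end refuses any link whose signature does not match or whose expiry has passed. The key, path and timestamps below are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Server-side secret (constructed placeholder; a real deployment loads it from
# a secrets manager and it never reaches the browser).
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _signature(path: str, expires: int, key: bytes) -> str:
    # Sign the path and the expiry together so neither can be changed alone.
    message = f"{path}\n{expires}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def sign_url(path: str, expires: int, key: bytes = SIGNING_KEY) -> str:
    """Issue a link to one stored file that stops working at `expires` (Unix time)."""
    query = urlencode({"expires": expires, "sig": _signature(path, expires, key)})
    return f"{path}?{query}"


def verify_signed_url(url: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """Accept only an untampered link whose expiry is still in the future."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if now >= expires:
        return False  # expired links are refused even with a valid signature
    return hmac.compare_digest(sig, _signature(parts.path, expires, key))


if __name__ == "__main__":
    link = sign_url("/uploads/bulletin.pdf", expires=1_700_000_000)
    print(link)
    print(verify_signed_url(link, now=1_699_999_000))  # True: signed and not expired
    print(verify_signed_url(link, now=1_700_000_500))  # False: expired
```

Changing the path or pushing the expiry later invalidates the signature, so a leaked link cannot be reused for another file or beyond its window.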
In addition to having a very rigorous hiring process, those that we do hire have very limited access to your data. We have strict policies in place which determine who has access to your data and to what extent. For example, our senior developers may have access to limited snapshots of your data in the event an error occurs. Certain members of our staff may, with your permission, access your data in order to assist you with troubleshooting an issue or to correct anomalies that develop when one of your users accidentally clicks the wrong thing. We never retain copies of your data, and never move your data outside of our secure environment.
On the customer side, we use a proprietary login process that protects your account from brute-force attacks. This means that we rate-limit the number of incorrect login attempts a user can make, which prevents someone from repeatedly guessing your account password.
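A sliding-window limit on failed logins of the kind described above, as an added example rather than ChurchTrac's proprietary code: the limit and window are assumed values, and once an account exceeds the limit even the correct password is refused until the old failures age out.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Optional


class LoginThrottle:
    """Per-account sliding-window limit on failed login attempts.

    After `max_failures` failures within `window_seconds`, further attempts
    for that account are refused until enough old failures age out.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 15 * 60):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)  # account -> failure timestamps

    def _prune(self, account: str, now: float) -> None:
        q = self._failures[account]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop failures that fell out of the window

    def is_blocked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        self._prune(account, now)
        return len(self._failures[account]) >= self.max_failures

    def record_failure(self, account: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._prune(account, now)
        self._failures[account].append(now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)  # a real login clears the counter


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  check_password: Callable[[str, str], bool],
                  now: Optional[float] = None) -> str:
    """Gate the credential check behind the throttle: 'blocked', 'ok' or 'bad'."""
    if throttle.is_blocked(account, now):
        return "blocked"  # refused before the password is even checked
    if check_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "bad"
```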
We make sure that our servers and the services they run are up-to-date with the latest security patches. Also, when you use ChurchTrac you’re always getting the latest, most up-to-date version of our application. Additionally, we routinely subject our systems to rigorous security audits conducted by internal and third-party security experts.
A major source of account breaches that you hear about in the news involves hackers trying to gain access to credit card and banking information.
We never store ANY credit card or banking information. This applies when you make a payment to us, and also when your donor gives to your ministry through ChurchTrac’s Online Giving feature. In fact, we have implemented everything required to make sure we are Level 1 PCI Compliant regarding handling payments.
We utilize Stripe for all customer payments and online giving. Stripe uses a series of exchange tokens for relaying payment information so that your credit and debit card numbers never actually hit our server or system. We only store limited information to assist you with making payments and generating receipts, such as the last four digits of your card number, and the amount you paid.
When you use our Online and Text Giving features, ChurchTrac will automatically create an online batch within the Giving Screen. These giving records will contain the date, donor name, amount, and optional memo field provided by the donor. Outside of this information, we do not store or have access to any of the donor-provided payment information.
Our infrastructure is fully built on the Amazon AWS platform of services. AWS has a stellar reputation for security, reliability, and uptime.
All of our systems are fully redundant. We use a multi-layer infrastructure architecture with separate load-balancing, application, database, and storage layers. Every layer is replicated and built on the most reliable web infrastructure available. Because all of our systems are redundant, if one part of our service goes down, you will still have access to your data on a concurrent fallback system. This enables us to have an unprecedented 99.9999% uptime. Additionally, we're able to scale our resources up automatically during periods of high demand in order to accommodate virtually any number of simultaneous users or requests.
Backups of account data are performed regularly throughout the day, providing us with hourly, daily, weekly, and monthly backups of your data. We don’t retain backups forever, and they are stored offline and offsite to prevent unauthorized access.
Connection Encryption
Every connection to your account uses the latest industry-standard, bank-grade TLS encryption. Non-encrypted communication between your browser and our server is not allowed.
Our system is monitored around the clock, using internal as well as external services. In case of a problem, we get a report in real-time and are instantly ready to take care of any potential issues.
Our whole system is behind multiple layers of security firewalls to prevent outside access to your account and data. Only the necessary server ports are open to the outside network, and the database itself is not accessible through any public network or port. Also, only authorized personnel, using SSH keys, have access to the system. We do not provide anyone with direct access to the server. A second proprietary firewall, developed by our team, detects and blocks potential threats in real-time.
The security of your data is our highest priority. While no online system is completely exempt from attack, we've taken all reasonable measures to protect you, your account, and your data, and we will continue to work to make sure your data is as secure as it can be.