With all the news about hackers and identity theft and compromised servers, we certainly understand why you’d want to know your ChurchTrac data is safe. We’ve designed ChurchTrac with security in mind, and we’ve done everything possible to keep ChurchTrac as safe as possible. This document outlines some of the steps we've taken to secure our system and your data.
We designed our application and infrastructure with security in mind from the beginning, not as an afterthought. We follow current coding standards and best practices, and our team undergoes periodic training so that they are educated on the newest issues and exploits. In the application, all input data is filtered, validated, and/or sanitized to protect against known vulnerability classes such as cross-site scripting (XSS) and SQL injection. All of our code is thoroughly tested and reviewed prior to release to ensure that it meets our internal coding standards and best practices, and so that potential security issues are discovered and eliminated before the code is placed into production.
Additionally, our infrastructure is tailored to keep customer data sets isolated: every ChurchTrac account is separated from other accounts in its own unique database. This matters because a compromised account (through a weak or leaked password, for example) gives an attacker access only to that account's database; there is no shared table through which a malicious third party could reach your account's data from another customer's account. Many multi-tenant applications keep every customer's records in one shared database, where an authorization mistake in the application can expose one customer's rows to another; separate databases limit the blast radius of such mistakes. Note that this isolation protects other customers from a compromised account, not the compromised account itself, which is why strong, unique passwords remain important.
Furthermore, account passwords are first "salted" with a random value unique to each user, then converted to a one-way, irreversible hash, and are never stored in plain text (for password storage, hashing is preferable to encryption, because an encrypted value can be decrypted by anyone who obtains the key). When you enter your password to log in, the password you type is hashed with the same salt and compared against the hash stored for your user account. In this way, your password is not known even to us, and cannot be recovered from the stored hash from our end. The strength of this protection still depends on the password itself: a short or common password can be guessed by trying candidates against a leaked hash, so choose long, unique passwords. Password resets can only be sent to the email address that you have provided to us.
Other sensitive data is hashed or encrypted before being stored in the database. User files are stored in a separate location, and access is granted only through auto-expiring signed URLs: the application issues a link that is cryptographically bound to a specific file and expiry time, and the storage service refuses any request whose signature or expiry does not check out. This means the content you upload using ChurchTrac is reachable only by a logged-in user of your account, and the storage location is not browsable through any other web URL or platform. Because a signed URL works for anyone who holds it until it expires, treat a link you copy out of the application as sensitive for its short lifetime.
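The following added example, in Python, shows how an auto-expiring signed URL is minted and checked. It is an illustration written for this page, not ChurchTrac's or its storage provider's own code; the host name `files.example.invalid` and the signing key are assumptions, and the signature format (HMAC-SHA256 over the path and expiry) is one common design rather than a description of the service actually used.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Added example of an auto-expiring signed URL. Host name and key are
# assumptions for illustration; a real deployment keeps the key server-side only.
SIGNING_KEY = b"replace-with-a-long-random-server-side-secret"
FILE_HOST = "https://files.example.invalid"


def _signature(path: str, expires: int, key: bytes) -> str:
    # Bind the signature to both the exact object path and the expiry time,
    # so neither can be altered without invalidating the link.
    message = f"{path}?expires={expires}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None,
             key: bytes = SIGNING_KEY, host: str = FILE_HOST) -> str:
    """Issue a URL for `path` that is valid for `ttl_seconds` from `now`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires, key)})
    return f"{host}{path}?{query}"


def verify_signed_url(url: str, now: Optional[int] = None,
                      key: bytes = SIGNING_KEY) -> bool:
    """Accept only if the signature covers this path and expiry, and the expiry has not passed."""
    now = int(time.time()) if now is None else now
    parts = urlparse(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError):
        return False                       # unsigned or malformed request
    if now > expires:
        return False                       # link has expired, even if the signature is good
    expected = _signature(parts.path, expires, key)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    issued_at = 1_700_000_000
    link = sign_url("/org/42/bulletin.pdf", ttl_seconds=300, now=issued_at)
    print(link)
    print(verify_signed_url(link, now=issued_at))          # True
    print(verify_signed_url(link, now=issued_at + 301))    # False (expired)
```

The storage service never consults the application's session: everything it needs to decide is in the URL plus the secret key. That is exactly why the link is a bearer credential while it is valid, and why the time-to-live is kept short.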
In addition to having a very rigorous hiring process, those we do hire have very limited access to your data. We have strict policies in place that determine who has access to your data and to what extent. For example, our senior developers may have access to limited snapshots of your data in the event an error occurs. Certain members of our staff may, with your permission, access your data in order to help you troubleshoot an issue or to correct anomalies that arise when one of your users accidentally clicks the wrong thing. We never retain copies of your data, and never move your data outside of our secure environment.
On the customer side, we use a proprietary login process that protects your account against brute-force attacks. We rate-limit incorrect login attempts, so after a number of failed attempts further tries are rejected, which makes guessing an account password by repeated attempts impractical. Rate limiting slows an attacker down rather than making a weak password safe, so it complements, and does not replace, a strong password.
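Here is an added Python example of a failed-login rate limiter of the kind described above. It is written for this page and is not ChurchTrac's proprietary login code; the thresholds (five failures per fifteen minutes), the choice to throttle per account and per client IP, and the constructed `CONSTRUCTED_USERS` table are all assumptions for illustration.

```python
import hmac
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, Tuple

# Constructed stand-in for a user store. A real system compares the typed
# password against a stored salted hash, never against plaintext like this.
CONSTRUCTED_USERS: Dict[str, bytes] = {"admin": b"hunter2-but-much-longer"}


class LoginThrottle:
    """Sliding-window throttle on failed logins.

    Failures are counted both per account and per client IP (assumption for
    illustration): the account bucket stops one target being hammered from many
    addresses, the IP bucket stops one address spraying guesses across accounts.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures: Dict[Hashable, Deque[int]] = defaultdict(deque)

    def _recent(self, key: Hashable, now: int) -> Deque[int]:
        # Drop timestamps that have aged out of the window before counting.
        bucket = self._failures[key]
        while bucket and bucket[0] <= now - self.window:
            bucket.popleft()
        return bucket

    def is_blocked(self, key: Hashable, now: int) -> bool:
        return len(self._recent(key, now)) >= self.max_failures

    def record_failure(self, key: Hashable, now: int) -> None:
        self._recent(key, now).append(now)

    def clear(self, key: Hashable) -> None:
        self._failures.pop(key, None)


def attempt_login(throttle: LoginThrottle, users: Dict[str, bytes],
                  username: str, client_ip: str, password: str, now: int) -> str:
    """Return 'blocked', 'denied', or 'ok' for one login attempt at time `now`."""
    account_key: Tuple[str, str] = ("user", username.lower())
    ip_key: Tuple[str, str] = ("ip", client_ip)
    if throttle.is_blocked(account_key, now) or throttle.is_blocked(ip_key, now):
        return "blocked"             # rejected before the password is even examined
    stored = users.get(username.lower())
    valid = stored is not None and hmac.compare_digest(stored, password.encode("utf-8"))
    if valid:
        throttle.clear(account_key)  # a genuine login resets the account's counter
        return "ok"
    throttle.record_failure(account_key, now)
    throttle.record_failure(ip_key, now)
    return "denied"


if __name__ == "__main__":
    throttle = LoginThrottle()
    for t in range(6):
        print(t, attempt_login(throttle, CONSTRUCTED_USERS, "admin", "198.51.100.7", "guess", now=t))
    # The sixth attempt is 'blocked' even though this one uses the right password:
    print(attempt_login(throttle, CONSTRUCTED_USERS, "admin", "198.51.100.7", "hunter2-but-much-longer", now=6))
```

The throttle here keeps its counters in process memory, which is only adequate for a single server; behind a load balancer the counters must live in a store shared by every application node, otherwise an attacker whose requests land on different nodes gets a separate allowance from each.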
We make sure that our servers and the services they run are up-to-date with the latest security patches. Also, when you use ChurchTrac you’re always getting the latest, most up-to-date version of our application. Additionally, we routinely subject our systems to rigorous security audits conducted by internal and third-party security experts.
A major source of the account breaches you hear about in the news involves attackers trying to gain access to credit card and banking information.
We never store ANY credit card or banking information. This applies when you make a payment to us, and also when your donor gives to your ministry through ChurchTrac’s Online Giving feature. In fact, we have implemented everything required to make sure we are Level 1 PCI Compliant in regard to handling payments.
We use Stripe for all customer payments and online giving. Stripe tokenizes payment details: the card number is sent from the donor's browser to Stripe and exchanged for a token, and only that token is relayed to us, so credit and debit card numbers never actually hit our server or system. We store only limited information to help you make payments and generate receipts, such as the last four digits of your card number and the amount you paid.
When you use our Online and Text Giving features, ChurchTrac will automatically create an online batch within the Giving screen. These giving records contain the date, donor name, amount, and an optional memo field provided by the donor. Outside of this information, we do not store or have access to any of the donor-provided payment information.
Our infrastructure is fully built on the Amazon Web Services (AWS) platform. AWS has a stellar reputation for security, reliability, and uptime.
All of our systems are fully redundant. We use a multi-layer infrastructure architecture with separate load-balancing, application, database, and storage layers. Every layer is replicated and built on highly reliable web infrastructure. Because all of our systems are redundant, if one part of our service goes down, you will still have access to your data on a concurrent fallback system. This enables us to achieve 99.9999% uptime. Additionally, we are able to scale our resources up automatically during periods of high demand in order to accommodate virtually any number of simultaneous users or requests.
Backups of account data are performed regularly throughout the day, providing us with hourly, daily, weekly, and monthly backups of your data. We do not retain backups forever, and they are stored offline and offsite to prevent unauthorized access.
Connection Encryption
Every connection to your account uses current industry-standard TLS encryption. Unencrypted communication between your browser and our server is not allowed; plain HTTP requests are not served.
Our system is monitored around the clock, using internal as well as external services. In case of a problem, we get a report in real time and are instantly ready to take care of any potential issues.
Our whole system is behind multiple layers of security firewalls to prevent outside access to your account and data. Only the necessary server ports are open to the outside network, and the database itself is not accessible through any public network or port. Also, only authorized personnel, using SSH keys, have access to the system. We do not provide anyone with direct access to the server. A second proprietary firewall, developed by our team, detects and blocks potential threats in real time.
Despite all that we do to protect your data, there are a few potential issues that we cannot control or prevent from our side:
For these reasons we recommend that you limit the number of users who you grant access to your account and limit each user's permission level to only what is needed to perform their duties. Also, you should have rules in place that prohibit a user from sharing their credentials with others. If you suspect an account has been compromised, an administrator can remove that account or re-add it with new credentials. We also have a built-in user audit trail that allows an administrator to view actions taken by users when logged into the database.
You should also have a policy that a high-quality anti-malware application be installed on each system that accesses the service, particularly when using Windows-based computers. For further protection, avoid using browsers with known security vulnerabilities, like Internet Explorer, and keep your computers and browsers up-to-date with the latest security patches. We recommend using Google Chrome as the browser of choice.
Keep in mind that even a secure browser running on a secure computer can be compromised by third-party browser add-ons, such as browser toolbars and search bars. These add-ons often provide little to no benefit, can degrade your web experience, and may have access to data you enter on secure sites like churchtrac.com, since an extension runs inside the browser on the decrypted page. We recommend that you disable and remove any third-party browser add-ons and use a fully patched browser with the latest security updates.
Your users should also employ common-sense principles when using the application. For example, avoid logging in to the application on a public computer, and sign out of the application when you have completed your tasks. If you use the application to generate reports, make sure that any reports containing sensitive or personal data are kept under lock and key, or shredded once they are no longer needed.
The security of your data is our highest priority. While no online system is completely exempt from attack, we've taken all reasonable measures to protect you, your account, and your data, and we will continue to work to make sure your data is as secure as it can be.