Elvanto ChMS Security FAQ

Where is my data physically stored?

Our servers are located across Australia, the United States and Europe to ensure your data remains close to home and easy to access. Although a lot of church database programs host their content all in one place, we find that this can cause privacy issues with conflicting international privacy laws. Our hope is that in having our servers across multiple countries, it will reduce the risk of this happening.

Australian Elvanto customers data is kept on Australian servers and are governed by the Australian data and privacy laws.

What are your service availability levels?

Our uptime is 99.9% (well above the industry average). To help ensure you can always access your account, our data centers feature state-of-the-art multi-phase power redundancy, industrial quality cooling, fire suppression and backup power generation systems.

How often do you run backups?

We make daily offsite backups of all data. Deleted information is kept for three months before being permanently deleted from the system.

Can I get access to the Database Schema?

No. As our system is cloud based and fully hosted, you cannot gain access to the database schema. Your best bet is to use our API, which we are continually expanding upon.

Can I keep an offline copy of my database?

No. You are able to export data to a CSV file as a backup, however!

How does Elvanto secure our information against unauthorized access?

There are a number of ways we secure your information against unauthorized access.

  • Elvanto has SSL Certificates installed to ensure your data is kept safe on any computer, hardened firewalls to keep the server safe and even CCTV surveillance and biometric access control at our data centres.

  • All databases and backups are encrypted at rest to ensure the safety of the data.

  • All passwords are hashed with unique salts.

  • We secure our login pages against brute force attacks - if a user fails to log in 5 times, they will get blocked (user will be unblocked when you send a reset password link to the user).

  • For access to your individual Elvanto account, we also give you the power to customise Access Permissions (a role-based access control feature) for your users. Access Permissions allow you to restrict a user’s access to various parts of the site. Only a super admin has the power to view and edit all parts of the site.

  • All of our team receive yearly privacy training, sign confidentiality agreements and only have access to what they need for their role.

 

How does the Facebook integration work?

Facebook integration is built using the OAuth2 protocol. Elvanto only accesses the person’s name, email, and profile picture which is used to create their account, or if their account is already created it will use their if no picture has been uploaded. Once integrated with the account, it simply gives users another way to log in using their Facebook credentials.

What encryption technology do you use for encryption at rest for your databases? 

We use Amazon Web Services to host our databases and rely on their technology and expertise to encrypt the data.

Do you block TLS 1.0 and TLS 1.1 for your client SSL connections?

We block TLS 1.0 but do not currently block TLS 1.1

How do you protect your database encryption keys from the platform administrators where you host your application?

Amazon Web Services handles this all for us and we don't have access to these keys.

How do you separate one customer’s data from another?

We have strict coding standards and checks in place as part of our development process to ensure customers data is kept separate.

Do you do regular application penetration testing or do you rely on the hosting platform to do that? If the later, which platform and services do you use?

Yes, we do penetration testing by third parties.