Security

Use of, Storage of, or Access to, Client Data

Safeguarding Client Data

a. System Security. A System that is owned or operated by Service Provider and contains Client Data shall be secured as follows:

  • 1. Service Provider shall implement controls reasonably necessary to prevent a breach.
  • 2. The System shall use secure protocols and encryption to safeguard Client Data in transit.
  • 3. Service Provider shall:
    • I. Limit administrative access to the System,
    • II. Limit remote access to the System,
    • III. Limit account access and privileges to the least necessary for the proper functioning of the System,
    • IV. Use named user accounts and not generic or shared accounts,
    • V. Enable an appropriate level of auditing and logging for the operating system and applications.
  • 4. The System shall allow the changing of System and user passwords.

b. Product Maintenance and Support

  • Service Provider shall have a process for the timely review, testing, and installation of patches essential for safeguarding the confidentiality, integrity, or availability of the System or Client Data.
  • Change management procedures shall be followed.
  • Service Provider shall ensure that the product is supported, provided that Client maintains the requisite subscriptions. Service Provider shall provide Client with notice months before the product becomes unsupported.

c. Data Protections

  • i. Service Provider shall only use, store, disclose, or access Client Data:
    • I. In accordance with, and only to the extent needed to provide services to Client; and
    • II. In full compliance with any and all applicable laws and regulations.
  • ii. Service Provider shall implement controls reasonably necessary to prevent unauthorized use, disclosure, loss, acquisition of, or access to Client Data. This includes, but is not limited to, personnel security measures, such as background checks.
  • iii. All transmissions of Client Data by Contractor shall be performed using a secure transfer method.

d. Service Provider access to Client systems

  • Client login credentials may be given to Service Provider requiring access to secured computer equipment located on-site at the Client for the purposes of scheduled troubleshooting, maintenance, or updates to software provided or supplied by Service Provider and installed on Client-owned computer equipment. In this case, the Client will provide the Service Provider with credentials for logging in locally or through a secured Virtual Private Network (VPN), if required.
  • As a condition of the Service Provider’s access to the Client’s computing equipment, the Service Provider represents that they will not attempt to access any system(s) other than the one(s) absolutely necessary, nor will the Service Provider use any computer equipment for any purpose that is unlawful.
  • All work performed by the Service Provider while connected to Client computing equipment is subject to monitoring by Client staff and verification by the Client Department or Division requesting the access.

Oversight

Data Breach

No Surreptitious Code

Compelled Disclosure

Termination Procedures

Survival, Order of Precedence

Definitions
