Passwords and Security

Learn about Realm security.

This section will introduce you to some of the security features in Realm.

Change Log

As an administrator with possibly hundreds of site users, you can't keep up with all the changes made in Realm. The Change Log tracks these activities and presents them in a sortable list.

You must be an administrator to view the change log. For more, see Responsibilities.

You don't have to turn on anything in order for the change log to work. It is always in the background, watching your site and logging the changes.

Log entries are deleted from your data automatically after 120 days.

The following updates are noted in the change log:

  • Announcements—Additions, updates, and deletions.
  • Realm Users—Any updates to the name, email, or roles of a user with responsibilities.
  • Personnel—When profiles are marked as personnel.
  • Congregants—When individuals or families are added, merged, deleted, marked inactive, marked active, or marked deceased. When an individual logs in and deletes his or her own account. When someone's account email (used to log in only) is changed, either by themselves or an administrator.
  • Ministry Areas—When any ministry area is added, deleted, or updated.
  • Locations—When locations used for events are added, deleted, or updated.
  • Groups—When any group is added, deleted, or updated. When group posts or comments are deleted. When an event is canceled (the entire series of an event, not just a single occurrence).
  • Contributions—When a posted or processed batch or gift is updated. When an administrator creates a one-time or recurring gift on behalf of a contributor.
  • Pathways—When a pathway or step is deleted. When a person is marked complete, deleted from a pathway, moved to a different pathway, or moved to a different step. When people are added to a pathway, either singly or en masse (through queries, dashboards, etc.). When people are reinstated for a pathway.
  • Events—When an event is deleted. When an individual's registration for an event is canceled.
  • Privacy—When users make changes to the privacy settings for individuals' profiles.
  • Personnel Migration—When personnel profiles are updated and when profiles could not be updated due to an error. Click the link to see the results, and review the printed report for details.

View and Print the Change Log

The Change Log records activity in your records.

  • You must be an administrator to view the change log. For more, see Responsibilities.
  1. In the top-left corner, click your ministry hub then System Settings. Then click Change Log. Changes made to the site are displayed in a grid.
  2. Click the filter icon to filter the list with the items you want to see or print. Click a column header to sort the list.
  3. Click the printer icon.
    The file will open as a PDF that you can download from your browser. You can also find the file in your Recent Report History.

Password Requirements

For better security, we ask that passwords meet certain conditions.

In order to provide account security, your Realm password must:

  • Be 8 or more characters long. There is no maximum limit on length. The longer a password is, the more secure it is. Each additional character makes it exponentially harder to crack.
  • Meet 3 of the following additional requirements:
    • Contain at least 1 uppercase character.
    • Contain at least 1 lowercase character.
    • Contain at least 1 symbol (!,@,#,$,%,^, and so on).
    • Contain at least 1 number.
    • Contain 15 or more characters.

Your password cannot:

  • Contain any 3-or-more-character sequence from your username or email. If, for instance, your username is JeffAnderson@example.com, your password could not contain "jeff" or "ander".
  • Include 3 or more repeating characters (such as 222).
  • Include 3 or more characters in sequence (such as 123, 321, or abc).
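
A validator for the rules above, written as an added example (not Realm's own code). Assumptions: a "symbol" is any non-alphanumeric character, username and email fragments are compared case-insensitively over every 3-character window, and sequences are runs of ASCII letters or digits that ascend or descend by one.

```python
import string

ALNUM = string.ascii_lowercase + string.digits

def password_problems(password: str, identifiers: list[str]) -> list[str]:
    """Return the rule violations found; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    # "Meet 3 of the following additional requirements"
    met = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(not c.isalnum() for c in password),  # assumption: symbol = non-alphanumeric
        any(c.isdigit() for c in password),
        len(password) >= 15,
    ])
    if met < 3:
        problems.append(f"meets only {met} of 5 additional requirements")
    lowered = password.lower()
    # Assumption: every 3-character window of the username/email is forbidden.
    for ident in identifiers:
        ident = ident.lower()
        if any(ident[i:i + 3] in lowered for i in range(len(ident) - 2)):
            problems.append("contains part of username or email")
            break
    # Three identical characters in a row, such as 222.
    for a, b, c in zip(password, password[1:], password[2:]):
        if a == b == c:
            problems.append("3 or more repeating characters")
            break
    # Three characters stepping by +1 or -1, such as 123, 321, or abc.
    for a, b, c in zip(lowered, lowered[1:], lowered[2:]):
        if all(ch in ALNUM for ch in (a, b, c)):
            step = ord(b) - ord(a)
            if step in (1, -1) and ord(c) - ord(b) == step:
                problems.append("3 or more characters in sequence")
                break
    return problems

if __name__ == "__main__":
    # Constructed sample values, using the username from the text above.
    for pw in ("Tr0ub4dor&Zq", "Jeff!Pass9Word", "Winter222!xQ", "horsebatteryWalk"):
        print(pw, password_problems(pw, ["JeffAnderson@example.com"]))
```

Under this reading, fragments such as "ple" or "com" from the email domain are also rejected, so "Stapler!Qz47" fails for JeffAnderson@example.com. A 15-character passphrase with mixed case passes without any digit or symbol, because length counts as one of the five additional requirements.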

Forgotten Passwords

If you enter the wrong password 5 times in a row, you cannot try again for 5 minutes.

If you forget your password, click "Forgot your password?" and follow the instructions. You will be issued a temporary code which expires in 2 hours.

Send a Password Reset

If someone forgets a password, an administrator or user with permission can send a reset message with a link for creating a new one.

  • You'll need the View Details for Individuals permission.
  1. Locate and open the user's profile.
  2. Beside the person's name, click the ellipsis icon, select Send Password Reset, then Send.
    The password reset link expires 24 hours after you send the email.

Updating Privacy Settings for Someone Else

Registered users of your Realm site can view and manage their own privacy settings. But there might be times when you need to do it for them.

When you change an individual's privacy settings, he or she will be notified automatically by email. Changes are also recorded in the Customization History section of the Privacy page. In order to provide the most current information, the Customization History section displays privacy changes from the past 12 months.

When you change someone's profile privacy, Realm automatically sends them an email listing the new settings. (A popup message will remind you of this.)

But there is an exception to this safeguard. No email is sent if:
  • the owner of the profile does not have an email on file
  • the profile has not been opted in to the online directory

Security Takes All of Us

The security and privacy of your data is a shared responsibility.

Our relationship with our customers is built on trust. Protecting our customers' data is a responsibility we take very seriously. However, pastors and church leaders also bear responsibility in safekeeping data for members and the church.

People are increasingly sensitive about how their data is collected and used. This article can help you answer some basic questions, but you'll want to invest time and resources into creating a plan for your employees and volunteer leadership to follow. Please visit our legal section regularly for information about our legal policies, FAQs, and advice for security tips and best practices. If you have any other questions, please feel free to email us at risk@acst.com.

Tip: A subscription to MinistrySmart Pro Staff Pass provides access to several courses on the subject of protecting your church data. Log in to Realm. In the upper right corner, click the MinistrySmart Academy icon and search "Protecting Church Data" for a list of current courses.

Please visit our Church Growth blog for security and privacy related articles. In particular, check out these articles:

  • Information Security for Staff and Volunteers
  • Information Security for Congregants and Parishioners
  • Security for Your Computer and Systems

How ACST protects your Realm ChMS data

  • Realm ChMS is hosted in Amazon Web Services ("AWS") US East 1 regional zone. The computer servers hosting Realm are implemented using AWS recommendations and industry best practice security configurations. All server configurations are extensively documented for compliance with the Payment Card Industry Data Security Standard.

  • We encrypt and store all client data backups in redundant cloud storage locations for backup and disaster recovery with 24x7x365 access. Cloud storage data encryption uses AES 256 bit encryption.

  • Each individual church's data is stored in a multi-tenant relational database. Internally, each church's data is stored in its own table. The table is indexed and accessed solely using unique IDs in the database. Any data needed is posted to or retrieved from the database through an algorithm call, ensuring integrity and segmentation. No data crossover is possible using this method.

  • Only a limited number of authorized ACST employees located in the United States are allowed access to client data.

How you can help protect your data

  • Be sure you know who can see your personal information, and update your privacy settings accordingly.

  • Administrators should review new account registrations daily when your church is using the open-invitation model.

  • For the best experience, we recommend that you always update your browsers, whether you're using a computer, a tablet, or a mobile device. Using outdated browsers can introduce vulnerabilities and potentially allow malware or other threat actors into your system.

  • Keep your operating system current and check the system requirements of the software vendors you use. If they allow operating systems that have experienced "end of life", they pose a threat to your system - even if your computers are up to date. For example, as of January 14, 2020, Microsoft stopped supporting Windows 7.

  • Use strong, unique passwords and don't share passwords or logins with others.

  • Use antivirus software and update it daily.

View/Edit Someone's Privacy Settings

Registered users of your Realm site can view and manage their own privacy settings. But there might be times when you need to do it for them.

To view a user's privacy settings, you must have the Edit Individual permission set to Allow in your list of responsibilities. If an administrator marks information, such as emails or phone numbers, as visible to users, the View Details for Individuals permission must be set to Allow in order for the user to view the information.

For more, see Responsibilities.

  1. Locate and open the user's profile.
  2. Click the privacy icon (a padlock icon with the word Privacy).
  3. A detailed list of settings opens.
    For people without a login, the check box Opt in to Online Directory is visible. If selected, this individual's profile is searchable by others in Realm, even if he or she never creates a login.
  4. Select one of the options to apply that setting to all information on the profile, or click Custom Privacy to select a setting for each field.
  5. Other members in this person's family display on the left. Click each family member's name, and select a privacy option.
  6. Click Save.

Cookies

Cookies are small text files most web sites create on your computer to "remember" your visit. They keep you from having to constantly sign in to the site, or keep the site from having to request your name, password, etc., every time you want to do something.

For comparison, imagine you had no ability to remember names. You would have to request someone's name many times during a long conversation. But if you wrote it down, you could just consult your note each time. The computers that serve up web pages have no human memory. If they don't record some basic information about you each time you log in, they won't remember who you are or what you were working on.

After a predetermined amount of time, most cookies are deleted by your computer. At that time, you will need to sign in again to Realm.

  • In the Realm mobile app, cookies last 2 weeks.
  • On the Realm website, the main session cookie lasts 24 hours, but continually renews as long as you are active on the site.

You can view our company's policy on cookies and related issues at any time. Click your name in the upper-right corner, and select the Privacy link at the bottom of the menu.