Passwords and Security
Learn about Realm security.
This section will introduce you to some of the security features in Realm.
As an administrator with possibly hundreds of site users, you can't keep up with all the changes made in Realm. The Change Log tracks these activities and presents them in a sortable list.
You must be an administrator to view the change log. For more, see Responsibilities.
You don't have to turn on anything in order for the change log to work. It is always in the background, watching your site and logging the changes.
Log entries are deleted from your data automatically after 120 days.
The following updates are noted in the change log:
- Announcements—Additions, updates, and deletions.
- Realm Users—Any updates to the name, email, or roles of a user with responsibilities.
- Personnel—When profiles are marked as personnel.
- Congregants—When individuals or families are added, merged, deleted, marked inactive, marked active, or marked deceased. When an individual logs in and deletes his or her own account. When someone's account email (used to log in only) is changed, either by themselves or an administrator.
- Ministry Areas—When any ministry area is added, deleted, or updated.
- Locations—When locations used for events are added, deleted, or updated.
- Groups—When any group is added, deleted, or updated. When group posts or comments are deleted. When an event is canceled (the entire series of an event, not just a single occurrence).
- Contributions—When a posted or processed batch or gift is updated. When an administrator creates a one-time or recurring gift on behalf of a contributor.
- Pathways—When a pathway or step is deleted. When a person is marked complete, deleted from a pathway, moved to a different pathway, or moved to a different step. When people are added to a pathway, either singly or in mass (through queries, dashboards, etc.). When people are reinstated for a pathway.
- Events—When an event is deleted. When an individual's registration for an event is canceled.
- Privacy—When users make changes to the privacy settings for individuals' profiles.
- Personnel Migration—When personnel profiles are updated and when profiles could not be updated due to an error. Click the link to see the results, and review the printed report for details.
View and Print the Change Log
The Change Log records activity in your records.
You must be an administrator to view the change log. For more, see Responsibilities.
- Sign in as an administrator.
- Click . Changes made to the site are displayed in a grid.
- Click to filter the list with the items you want to see or print. Click a column header to sort the list.
- Click . The file will open as a PDF that you can download from your browser. You can also find the file in your Recent Report History.
For better security, we ask that passwords meet certain conditions.
In order to provide account security, your Realm password must:
- Be 8 or more characters long. There is no maximum limit on length. The longer a password is, the more secure it is. Each additional character makes it exponentially harder to crack.
- Meet 3 of the following additional requirements:
  - Contain at least 1 uppercase character.
  - Contain at least 1 lowercase character.
  - Contain at least 1 symbol (!,@,#,$,%,^, and so on).
  - Contain at least 1 number.
  - Contain 15 or more characters.
Your password cannot:
- Contain any 3-or-more-character sequence from your username or email. If, for instance, your username is JeffAnderson@example.com, your password could not contain "jeff" or "ander".
- Include 3 or more repeating characters (such as 222).
- Include 3 or more characters in sequence (such as 123, 321, or abc).
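The rules above can be checked mechanically. The following is an added example, not Realm's own code: a validator that returns every rule a candidate password breaks. It assumes comparisons are case-insensitive (as the "jeff" example implies), that a symbol is any character that is not a letter, digit, or whitespace, and that "in sequence" means ASCII letters or digits stepping up or down by one; the function names are hypothetical.

```python
# Added illustration of the password rules on this page; not Realm's code.
# Assumptions: case-insensitive matching, symbol = non-alphanumeric and
# non-whitespace, sequences are ASCII letters/digits stepping by +1 or -1.

def _has_run(pw, n=3):
    """True if pw has n identical characters in a row (such as 222)."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))

def _has_sequence(pw, n=3):
    """True if pw has n characters in ascending or descending order (123, 321, abc)."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if not chunk.isascii() or not (chunk.isdigit() or chunk.isalpha()):
            continue  # mixed or non-ASCII chunks cannot form a sequence
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False

def _shares_fragment(pw, identifier, n=3):
    """True if any n-character slice of the username/email appears in pw."""
    low_pw, low_id = pw.lower(), identifier.lower()
    return any(low_id[i:i + n] in low_pw for i in range(len(low_id) - n + 1))

def check_password(pw, identifiers=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(not c.isalnum() and not c.isspace() for c in pw),  # assumed symbol set
        any(c.isdigit() for c in pw),
        len(pw) >= 15,  # length counts as one of the five optional requirements
    ]
    if sum(classes) < 3:
        problems.append("meets fewer than 3 of the 5 additional requirements")
    if any(_shares_fragment(pw, ident) for ident in identifiers if ident):
        problems.append("contains 3+ characters from username or email")
    if _has_run(pw):
        problems.append("3 or more repeating characters")
    if _has_sequence(pw):
        problems.append("3 or more characters in sequence")
    return problems
```

Because the username rule is applied to the whole identifier, fragments of the email domain (for example "ple" from example.com) are rejected as well, which is a common source of unexpected failures when users pick ordinary words.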
If you enter the wrong password 5 times in a row, you cannot try again for 5 minutes.
If you forget your password, click "Forgot your password?" and follow the instructions. You will be issued a temporary code which expires in 2 hours.
Send a Password Reset
If someone forgets a password, an administrator or user with permission can send a reset message with a link for creating a new one.
- Sign in as an administrator or user with the appropriate permission.
- Open the user's profile.
- Beside the person's name, click , select Send Password Reset, then Send. The password reset link expires 24 hours after you send the email.
Updating Privacy Settings for Someone Else
Registered users of your Realm site can view and register their privacy settings. But there might be times when you need to do it for them.
When you change an individual's privacy settings, he or she will be notified automatically by email. Changes are also recorded in the Customization History section of the privacy page. In order to provide the most current information, the Customization History section displays privacy changes from the past 12 months.
When you change someone's profile privacy, Realm will automatically send them an email listing the new settings. (A popup message will remind you of this.)
- the owner of the profile does not have an email on file
- the profile has not been opted in to the online directory
Security Takes All of Us
The security and privacy of your data is a shared responsibility.
Our relationship with our customers is built on trust. Protecting our customers' data is a responsibility we take very seriously. However, pastors and church leaders also bear responsibility in safekeeping data for members and the church.
People are increasingly sensitive about how their data is collected and used. The article can help you answer some basic questions, but you'll want to invest time and resources into creating a plan for your employees and volunteer leadership to follow. Please visit our legal section regularly for information about our legal policies, FAQs, and advice for security tips and best practices. If you have any other questions, please feel free to email us at firstname.lastname@example.org.
Please visit our Church Growth blog for security and privacy related articles. In particular, check out these articles:
How ACST protects your Realm ChMS data
Realm ChMS is hosted in Amazon Web Services ("AWS") US East 1 regional zone. The computer servers hosting Realm are implemented using AWS recommendations and industry best practice security configurations. All server configurations are extensively documented for compliance with the Payment Card Industry Data Security Standard.
- We encrypt and store all client data backups in redundant cloud storage locations for backup and disaster recovery with 24x7x365 access. Cloud storage data encryption uses AES 256 bit encryption.
- Each individual church's data is stored in a multi-tenant relational database. Internally, each church's data is stored in its own table. The table is indexed and accessed solely using unique IDs in the database. Any data needed is called by an algorithm call to either post data to or retrieve the data back from the database, ensuring integrity and segmentation. No data crossover is possible using this method.
- Only a limited number of authorized ACST employees located in the United States are allowed access to client data.
How you can help protect your data
Be sure you know who can see your personal information, and update your privacy settings accordingly.
- Administrators should review new account registrations daily when your church is using the open-invitation model.
For the best experience, we recommend that you always update your browsers, whether you're using a computer, a tablet, or a mobile device. Using outdated browsers can introduce vulnerabilities and potentially allow malware or other threat actors into your system.
- Keep your operating system current and check the system requirements of the software vendors you use. If they allow operating systems that have experienced "end of life", they pose a threat to your system - even if your computers are up to date. For example, as of January 14, 2020, Microsoft stopped supporting Windows 7.
- Use strong, unique passwords and don't share passwords or logins with others.
- Use antivirus software and update it daily.
Privacy and the Online Directory
People are increasingly sensitive about their personal information being shared online. Use this reference to answer questions about privacy and the online directory.
What is the Online Directory?
Instead of a traditional, printed directory, the directory is in Realm. Being in the online directory means that your online community can see your profile listed when they click Directory in the main menu.
What's visible there?
If you're in the online directory:
- Your name and photo are visible to anyone with a Realm login.
- Your contact and personal information are visible, unless you've updated your privacy settings to hide them from view.
- Registered users in your church community will be able to see groups you belong to, if they're marked public. Group leaders and authorized users determine if groups are public, hidden, or only visible to certain users with permissions.
Who is/is not in the online directory?
- Registered users (aka users with a login), because they are automatically added to the directory.
- Anyone with the family position of "Child" who does not have a birthday in their profile. (Their privacy settings cannot be opened even by their parents.)
- Inactive profiles.
- Profiles of those who have been marked "deceased".
Who can change a congregant's privacy or add them to the online directory?
- Anyone with the Edit Individual permission.
- Family members with a "Primary" family position—head, spouse, or similar status—can change privacy settings for other members of their family; those with the family position of "Child" cannot change their own privacy; those with the family position of "Other" can.
- Registered users can change their privacy settings. (This does not apply to those with a family position of "Child").
For the most part, whenever a person's privacy is changed, Realm automatically sends an email to inform them of the update. This happens regardless of who made the change: the profile owner, a family member, or a user with permission. In the case where a child's privacy is updated, the email is sent to the primary members (typically parents) in the child's family.
Emails are sent whether the privacy change is made from an individual profile or, in mass, using custom queries.
If, however, the person does not have a login AND has not been opted in to the directory, no email will be sent. This is to minimize questions from individuals not active in Realm who may be confused by the purpose of the email.
View/Edit Someone's Privacy Settings
Registered users of your Realm site can view and manage their own privacy settings. But there might be times when you need to do it for them.
To view a user's privacy settings, you must have the Edit Individual permission set to Allow in your list of responsibilities. If an administrator marks information, such as emails or phone numbers, as visible to users, the View Details for Individuals permission must be set to Allow in order for the user to view the information.
For more, see Responsibilities.
- Locate and open the user's profile.
- Click the privacy icon.
- A detailed list of settings opens. For people without a login, the check box Opt in to Online Directory is visible. If selected, this individual's profile is searchable by others in Realm, even if he or she never creates a login.
- Select one of the options to apply that setting to all information on the profile, or click Custom Privacy to select a setting for each field.
- Other members in this person's family display on the left. Click each family member's name, and select a privacy option.
- Click Save.
Cookies are small text files most web sites create on your computer to "remember" your visit. They keep you from having to constantly sign in to the site, or keep the site from having to request your name, password, etc., every time you want to do something.
For comparison, imagine you had no ability to remember names. You would have to request someone's name many times during a long conversation. But if you wrote it down, you could just consult your note each time. The computers that serve up web pages have no human memory. If they don't record some basic information about you each time you log in, they won't remember who you are or what you were working on.
After a predetermined amount of time, most cookies are deleted by your computer. At that time, you will need to sign in again to Realm.
- In the Realm mobile app, cookies last 2 weeks.
- On the Realm website, the main session cookie lasts 24 hours, but continually renews as long as you are active on the site.
For our company's policy on cookies and related issues, click Privacy at the bottom of any page in Realm.