Data Security Frequently Asked Questions
ACS Technologies Group, Inc., and its affiliates, their officers, directors, employees, or agents (collectively referred to as "ACST") create software solutions to help churches, schools, and organizations fulfill their missions. You may be a visitor ("Visitor") to our websites ("Websites") or a customer ("Customer" or "Licensee") who purchased or is using our products and services (collectively, "Services").
We have a direct relationship with Customers that have created an account or a site with us and pay for our Services (e.g., denominational alliances, dioceses, organizations, churches, parishes). These Customers may share licensed access to their account or site with authorized churches, organizations, or individuals. They are all considered our Customers, but we have different responsibilities to those with whom we have direct relationships. We'll specify when we're referring to particular kinds of Customers; otherwise, we'll refer to "you" generally.
How does ACST ensure reliable access to its Services?
For Internet connectivity, we use several enterprise providers that deliver fast and reliable access to our Services. In the event that an Internet provider experiences a system failure, ACST has redundant connections in place as a backup.
How does ACST keep its Services secure?
We monitor critical systems from multiple locations and collect historical data to ensure all systems are functioning at peak efficiency. We also analyze performance trends to help identify potential problems before they affect you.
Desktop Services
We deploy and maintain enterprise-grade servers running industry-standard operating systems in our data center. Using this combination of reliable services, we’ve been able to maintain uptime of over 99.99% historically.
Websites and Web-based Services
We partner with reputable hosting providers, including Amazon Web Services (“AWS”), to host and store our sensitive customer data. AWS commits to at least 99.99% uptime and has a solid reputation in the security industry. AWS is PCI DSS Level 1 compliant as a Service Provider, holds numerous compliance certifications, and also maintains SAS70 Type II certification.
How does ACST back up and recover Customer data?
There are distinct differences in how we can assist our Customers when they need help with data backup and recovery for our Desktop and Web-based Services. The time to recover or restore your data depends on the Services you use and the circumstances under which your data was lost.
Desktop Services
Our Support department can help desktop customers make a backup of their data, but we cannot recover or restore lost or corrupt data that is stored locally.
Web-based Services
We're able to take elaborate measures to ensure we can recover and protect your data from many scenarios.
- We back up data regularly and synchronize this data to our offsite disaster recovery location.
- We back up your entire database using multiple methods to increase the security and availability of your data.
- All the data you enter and leave in your ACST Web-based product is backed up.
- We encrypt and store all backups in redundant locations and can access your backed-up data for a maximum of six months. This means that if you removed data 7 months ago, that data will not be available in a backup.
- Customers who use Higher Ground for hosting services keep two months of full data retention with an additional three weeks of retention with regard to specific database backups.
How does ACST protect Customer data?
We use a combination of advanced hardware and software firewalls from leading network security providers. These firewalls secure your data from multiple threats (e.g., hackers, viruses, and spybots). Our staff continuously monitors logs and data points to ensure the integrity of our systems.
Can ACST provide an SSAE SOC report?
ACST has chosen not to obtain SSAE SOC reports, as our industry doesn't require us to meet those auditing obligations. On an annual basis, ACST conducts an internal corporate risk assessment to assess the maturity of our security controls, using the Center for Internet Security ("CIS") 18 guidelines. The CIS 18 also maps the CIS controls to NIST SP 800-53 and PCI DSS and offers anonymous comparison analysis against industry peer groups. We feel that the CIS 18 guidelines meet or exceed industry practices and provide an excellent benchmark.
Does ACST comply with PCI DSS?
Yes, ACST has met the criteria for PCI Compliance. For more information and a copy of our current Attestation of Compliance, visit this FAQ on PCI Compliance: PCI Frequently Asked Questions
What security measures are in place to protect Customer data?
Data center building access is controlled by keycard entry. All entry points into the building and into the data center are monitored by security cameras 24 hours a day. Data center room access is limited to network administrative staff only.
Does ACST have a power backup and disaster recovery plan in place?
Yes, our data center is protected by an Uninterruptible Power Supply. It is further protected by a commercial generator that can provide redundant utility power for our data and support centers, if needed. We also have a disaster recovery plan in place that is tested, reviewed, and updated annually with improvements.
Our relationship with our Customers is built on trust. Protecting your data is a responsibility we take very seriously.