Where is my data physically stored?
Tithely uses Amazon Web Services servers based in the USA for the majority of our product offerings.
For our Sites platform, we currently use Digital Ocean with servers based in Canada. Our Church Apps platform uses Microsoft Azure servers located in the USA.
For our Elvanto product, our servers are located across Australia, the United States, and Europe. Where you are located in the world determines which country your data is stored in. Australian Elvanto customers' data is kept on Australian servers and is governed by Australian data and privacy laws.
Does Tithely comply with privacy laws around the world?
Tithely is GDPR compliant, which should satisfy the requirements of most privacy laws around the world. A few common privacy laws that our GDPR compliance should satisfy are:
- California Consumer Privacy Act (CCPA)
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
- South Africa’s Protection of Personal Information Act (POPIA)
- Australian Privacy Principles (APP)
In the event of a data breach, we follow our internal process for Mandatory Data Breach Notification.
Does Tithely comply with the Strong Customer Authentication (SCA) regulation in Europe that requires the use of 3D Secure for card payments?
Tithely is 3D Secure compliant for churches in the European Union.
The donor will receive a pop-up on their device giving them the immediate next steps to complete the 3DS process.
What are your service availability levels?
Our uptime is 99.9% (well above the industry average). To help ensure you can always access your account, our data centers feature state-of-the-art multi-phase power redundancy, industrial quality cooling, fire suppression, and backup power generation systems.
How often do you run backups?
We make daily offsite backups of all data.
Can I get access to the database schema?
No. As our system is cloud-based and fully hosted, you cannot gain access to the database schema. Your best bet is to use our API, which we are continually expanding upon.
Can I keep an offline copy of my database?
No. You can, however, export your data to a CSV file as a backup.
How does Tithely secure our information against unauthorized access?
There are a number of ways we secure your information against unauthorized access.
- Tithely has SSL certificates installed so that data in transit between your device and our servers is encrypted, hardened firewalls to keep the servers safe, and even CCTV surveillance and biometric access control at our data centers.
- All databases and backups are encrypted at rest to ensure the safety of the data.
- All passwords are hashed with unique salts.
- We secure our login pages against brute force attacks.
- For access to your individual Tithely account, we also give you the power to customize Access Permissions (a role-based access control feature) for your users. Access Permissions allow you to restrict a user’s access to various parts of the site. Only a super admin has the power to view and edit all parts of the site.
- All of our team members receive yearly privacy training, sign confidentiality agreements, and only have access to what they need for their role.
Is Tithely PCI compliant?
All financial information is encrypted and stored by our banking partner to PCI DSS Level 1 compliant standards. PCI DSS Level 1 compliance is a set of requirements defined by the credit card companies and audited by an independent third party. It is the highest compliance level one can attain in the electronic payment processing industry. Additionally, Tithely forces HTTPS for all transaction services using TLS.
Do you block TLS 1.0 and TLS 1.1 for your client SSL connections?
We block TLS 1.0 but do not currently block TLS 1.1 to allow for backward browser compatibility on donation forms.
How do you protect your database encryption keys from the platform administrators where you host your application?
Amazon Web Services manages the database encryption keys for us; we do not have access to these keys.
Do you do regular application penetration testing?
Yes, we conduct yearly penetration testing using a third-party certified partner.