The Headline

Yes! Klemi uses industry standards for securing and protecting data.

The Detail

Security considerations fall largely into two areas: the security-orientated processes that Klemi enables and promotes, and the technical specifications it meets to protect those processes.

UPDATE: you can see more on Klemi and the 2018 GDPR legislation here

Processes – promoting data protection principles

  • For the purposes of data protection, Klemi acts as a data processor used by individual churches, who are the data controllers. The following paragraphs indicate how Klemi promotes DPA compliance.
    Schedule one (from DPA):
  • 1.4:
    Personal data shall be accurate and, where necessary, kept up to date.
    The audit function in Klemi will allow churches to maintain accurate information on their congregation members and ensure that members are aware of the personal data being held about them.
  • 1.5:
    Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
    The use of a single schema per church tenant on Klemi allows us to easily remove user data when a church terminates its Klemi account.
  • 1.7:
    Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
    This is of particular interest to Klemi as a data processor.
    A robust authentication system ensures that users’ data is available only to those who should have access to it. Where pages are more easily accessible in the public domain (e.g. the ‘this_Sunday’ page) and indicate information about users, this is clearly signposted to administrators. Klemi has a consent field for holding members’ data and for sharing members’ data (e.g. in an address book), helping churches to implement good practice.
  • 1.8:
    Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
    All personal data will be held in the Amazon Web Services Europe region.

Technical Specifications – protecting secure procedures

  • We are committed to using open source software with ongoing widespread usage, patching / updating code where appropriate.
  • We use Ruby on Rails’ built-in safeguards against XSS and SQL injection.
  • We deploy in a secure, isolated production environment using Heroku SaaS; see https://heroku.com/policy/security for in-depth analysis.
  • We hold no access passwords: all authentication is delegated to major providers (Google, Facebook, Amazon) using OAuth2.
  • We additionally encrypt emails, addresses, phone numbers and postcodes for most member data. The exception is that user (i.e. only those with login) emails are held in the clear in our database.
  • We have a backup schedule that takes a full copy of our data daily, weekly and monthly. This data is stored in the EU region.
  • Interaction with Google services uses a service account. Credentials for this service account can be changed in the settings.
  • Audio files are saved to, and hosted on, Amazon S3.