Encryption
- In transit: All data is encrypted using TLS 1.3 between your browser and SteepleOS servers.
- At rest: Database storage uses AES-256 encryption. Sensitive fields like payment tokens and SSNs (if stored) receive an additional layer of field-level encryption.
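The second bullet describes two layers: storage-level encryption of the whole database, and a separate field-level layer for the most sensitive values. The distinction matters because storage encryption protects against a stolen disk or snapshot but not against anyone who can already run queries; a field-level layer keeps those values opaque even to a database reader who lacks the application's key. The following Go program is an added illustration of that second layer and is not SteepleOS code; it assumes a 32-byte AES-256 key held by the application (here a constructed constant, in a real service fetched from a key manager) and uses AES-GCM with the record id and field name bound into the authenticated associated data, so a ciphertext copied from one member's SSN column into another record fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// fieldKey is a constructed 32-byte key (AES-256) used only for this example.
// A real deployment loads the key from a KMS or secret store, never from source.
var fieldKey = []byte("0123456789abcdef0123456789abcdef")

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("field key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// bindingAAD ties a ciphertext to the record and column it belongs to.
// It is authenticated but not encrypted, so the stored value cannot be
// moved to another record or field without failing the GCM tag check.
func bindingAAD(recordID, fieldName string) []byte {
	return []byte(recordID + "|" + fieldName)
}

// EncryptField encrypts one sensitive field value and returns the stored form
// base64(nonce || ciphertext || tag). A fresh random nonce is used per call.
func EncryptField(key []byte, recordID, fieldName, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), bindingAAD(recordID, fieldName))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// DecryptField reverses EncryptField. It fails on a wrong key, a ciphertext
// presented under a different record/field binding, or any tampering.
func DecryptField(key []byte, recordID, fieldName, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, bindingAAD(recordID, fieldName))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong record/field binding, or tampered data")
	}
	return string(pt), nil
}

func main() {
	stored, err := EncryptField(fieldKey, "member-42", "ssn", "123-45-6789")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored column value:", stored)
	back, err := DecryptField(fieldKey, "member-42", "ssn", stored)
	fmt.Println("decrypted for member-42:", back, err)
	_, err = DecryptField(fieldKey, "member-43", "ssn", stored)
	fmt.Println("same ciphertext under member-43:", err)
}
```

The nonce is stored alongside the ciphertext because GCM needs it to decrypt; what must stay out of the database is the key itself, which is the whole point of the extra layer.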
Data Retention
- Active organizations retain all data for the lifetime of their subscription.
- After cancellation, data is retained for 90 days in case you reactivate. After 90 days, all data is permanently and irreversibly deleted.
- You can request immediate data deletion by contacting support; such requests are processed within 7 business days.
GDPR Considerations
If your church has members in the EU or EEA:
- Members can request a copy of all their personal data via the My Profile > Data Export option.
- Members can request deletion of their data. Admins process these under Admin > Privacy Requests.
- SteepleOS acts as a data processor on behalf of your church (the data controller). Our Data Processing Agreement is available upon request.
Member Data Protection Best Practices
- Regularly review who has access to sensitive data (financial records, contact details) using RBAC roles.
- Enable 2FA for all staff accounts that handle member PII.
- Avoid exporting member data to unencrypted spreadsheets. If you must export, delete the file after use.
- Use the audit log to monitor who accesses sensitive information.
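The last two bullets pair naturally: the audit log is only useful if someone actually reviews it, and the events worth reviewing are exactly the ones the other bullets describe (access to financial records or contact details by a role that should not need it, and exports of member data). The Go program below is an added example, not SteepleOS code, of a small review pass over audit log lines. It assumes a constructed line format of a timestamp followed by key=value pairs and a constructed role policy mapping each sensitive resource to the roles expected to touch it; the real audit log format and role names in SteepleOS are not given on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// AuditEvent is one parsed audit log entry (constructed format for this example).
type AuditEvent struct {
	Time, User, Role, Action, Resource string
}

// sensitiveResources is a constructed policy: which roles are expected to access
// each sensitive resource. Anything else is flagged for review, not blocked.
var sensitiveResources = map[string][]string{
	"financial_records": {"admin", "finance"},
	"contact_details":   {"admin", "staff"},
}

// ParseAuditLine parses "<timestamp> k=v k=v ..." and reports whether the
// mandatory fields (user, action, resource) were present.
func ParseAuditLine(line string) (AuditEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return AuditEvent{}, false
	}
	ev := AuditEvent{Time: fields[0]}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "user":
			ev.User = v
		case "role":
			ev.Role = v
		case "action":
			ev.Action = v
		case "resource":
			ev.Resource = v
		}
	}
	return ev, ev.User != "" && ev.Action != "" && ev.Resource != ""
}

func roleAllowed(role string, allowed []string) bool {
	for _, r := range allowed {
		if r == role {
			return true
		}
	}
	return false
}

// ReviewAuditLog returns one alert string per finding. Three kinds are produced:
// UNEXPECTED_ACCESS (sensitive resource touched by a role outside the policy),
// EXPORT (any export event, since exported files leave the platform's protections),
// and UNPARSED (a line that could not be read, which itself deserves a look).
func ReviewAuditLog(lines []string) []string {
	var alerts []string
	for _, line := range lines {
		ev, ok := ParseAuditLine(line)
		if !ok {
			alerts = append(alerts, "UNPARSED: "+line)
			continue
		}
		if allowed, sensitive := sensitiveResources[ev.Resource]; sensitive && !roleAllowed(ev.Role, allowed) {
			alerts = append(alerts, fmt.Sprintf("UNEXPECTED_ACCESS: %s (role %s) did %s on %s at %s",
				ev.User, ev.Role, ev.Action, ev.Resource, ev.Time))
		}
		if ev.Action == "export" {
			alerts = append(alerts, fmt.Sprintf("EXPORT: %s (role %s) exported %s at %s",
				ev.User, ev.Role, ev.Resource, ev.Time))
		}
	}
	return alerts
}

// SampleAuditLines are constructed log lines, not real SteepleOS output.
var SampleAuditLines = []string{
	"2024-05-01T09:00:00Z user=alice role=admin action=view resource=financial_records",
	"2024-05-01T09:05:00Z user=bob role=volunteer action=view resource=financial_records",
	"2024-05-01T09:10:00Z user=carol role=staff action=export resource=contact_details",
	"2024-05-01T09:15:00Z user=dave role=volunteer action=view resource=event_calendar",
	"corrupted line",
}

func main() {
	for _, a := range ReviewAuditLog(SampleAuditLines) {
		fmt.Println(a)
	}
}
```

Run against the constructed sample, the pass flags bob's view of financial records, carol's export of contact details, and the unreadable line, while alice's in-policy access and dave's access to a non-sensitive resource produce nothing. Exports are reported even when the role is permitted, because the point of the export bullet above is that the file, not the access, is the risk.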