Hosting Policies
Suran Systems, Inc. offers its CDM+ clients hosting of their data. As part of a paid subscription, the client’s CDM+ data is securely maintained on an off-site hosted server. The client’s CDM+ data is automatically backed up daily and is accessible from any computer that has CDM+ installed and is connected to the Internet (concurrent user licensing applies). Hosting is required to use CDM+ Mobile and Engage.
Access and Usage
Data hosted on Suran data hosting servers is available to any enrolled client with access to the Internet. Each connection to Suran data hosting servers is encrypted using 256-bit SSL connections. A unique hosting ID and password must be provided to access databases hosted on the server. Once authenticated with these credentials, users are prompted to authenticate with a standard CDM+ user name and password. Clients are only aware of their database(s) on any given hosting server. There is no limit to the number of databases or size of a database that can be created for a single church or organization. Suran Systems, Inc. does not monitor bandwidth or other usage for a given data hosted user. In essence, data hosting offers “unlimited” usage for the specific enrolled client.
Required Bandwidth
We are often asked what is the required Internet service bandwidth to use the CDM+ Data Hosting Service. The short answer is 5 Mb/s down and 1 Mb/s up via cable, DSL or fiber. But many factors other than downstream and upstream bandwidth can impact using CDM+ over the Internet, including high latency, poor quality of the Internet connection (such as WiFi in a building with concrete walls), or a heavy load at the connection (such as steaming music/videos or downloading large files). Our Data Services department would be happy to help you evaluate your connection prior to enrollment.
Hosting Facilities
All US-based data hosting servers are owned and managed by Suran Systems, Inc. and are co-located in enterprise-grade facilities around the world. We also offer hosting servers that we rent and manage directly for international clients. A client’s data will be hosted on the server that is geographically closest to their location for maximum performance. Each facility offers multiple redundant systems, from power to Internet connections to routing equipment. Each hosting server is monitored for potential problems and server load using automated monitoring software. In the event of server failure, additional server resources can be quickly mobilized to take over for the failed server. Any planned maintenance is conducted during off-peak hours and communicated to hosting customers in advance. Suran Systems, Inc. staff access to data hosting servers is tightly controlled. Administrative password rotation and enterprise-level firewalls configured against source IP addresses are employed to limit access and enforce security.
Backup Policy
Hosted databases are automatically backed up every night during off-peak hours. At any time, the prior 15 days’ worth of backups are available to the client. Clients can submit a request to have backups posted for download, restored as an additional database, or restored to replace their existing database. A person who has administrative rights in the client’s CDM+ database must submit such requests in writing. Automatic backups are stored in an off-site, secure location using Amazon’s S3 data storage service. This provides an excellent level of redundancy and availability regarding backups.
Note: Traditional licensed users can also initiate a backup at any time from within the client’s desktop software and the CDM+ data restored to a different server.
Software Updates
In some circumstances, it may be necessary for Suran Systems, Inc. to update clients to a specific version for continue compatibility with data hosting and related services, such as payment processing. Required updates are generally for technical or security reasons. Over time, Suran Systems, Inc. may also phase out data hosting services for older versions of CDM+. Clients will be given ample warning and upgrade information when support for a legacy version of CDM+ will be dropped from data hosting services.
Service Level Agreement
Suran Systems, Inc. will guarantee 99% uptime for access to data hosting services during a calendar year. This excludes planned maintenance windows, which will be announced via email in advance. Technical failures outside the control of Suran Systems, Inc. are also excluded from this uptime guarantee. Uptime is defined as the ability for a currently enrolled CDM+ client to authenticate with valid data hosting credentials, log into their database(s) and access their data using standard Suran Systems software. Defects in the CDM+ software that prevent access to a specific feature are excluded from this uptime guarantee.
In the event uptime fails to meet the guarantee listed above, Suran Systems, Inc. will extend clients’ data hosting enrollment by five (5) days for each one (1) day of outage. Cumulative downtime will be reset at the start of each calendar year. In the event of significant downtime, data hosting clients will be notified of the outage and informed of any subsequent extension to their data hosting service enrollment. Downtime periods less than 15 minutes in a 24-hour period will be excluded from downtime tracking.
Suran Systems, Inc. will also guarantee data durability within a 24-hour period to the best of our ability. The ensures that in the event of catastrophic server failure, changes that were made to clients’ databases at most 24 hours prior to the server failure will be preserved. The most current data available will be accessible via data hosting no more than 24 hours following the server failure. Catastrophic server failure is defined as system failure in either hardware or software that not only prevents immediate access to data but present significant challenges in restoring access to that specific server. Natural disasters, theft, vandalism or cyber-attack are also considered catastrophic server failure.
In the rare and unfortunate event that hosted data cannot be recovered with recent changes, or , Suran Systems, Inc. will work with clients to recover as much data as possible. Due to the irreplaceable nature of client data, this recovery will likely involve techniques specific to the situation. Suran Systems, Inc. will work with clients to develop a recovery plan and help to implement it as quickly as possible. As additional reparation for data loss, Suran Systems, Inc. may offer to extend data hosting, support enrollment or other services at no additional charge.
Cancellation Policy
Clients wishing to cancel their enrollment in the CDM+ Data Hosting Service must contact the Customer Service Department and complete a CDM+ Data Hosting Service Cancellation form. Upon receipt of the completed form, a customer service representative will contact the client to arrange a time to return their CDM+ data to them. If the client specifies on the cancellation form they do not wish to have their data returned to them, Suran will destroy it. By authorizing the destruction of their CDM+ data, the client holds Suran Systems, Inc. not liable for any harm caused by such action, either intentional or unintentional.
No refunds will be given for prepaid enrollment in a plan that includes hosting. Data hosting service enrollment should be canceled a minimum of 10 days prior to the next monthly automatic fee payment date to ensure sufficient time to transfer data without incurring another monthly charge.
Simply ceasing to access a hosted CDM+ database or (traditional licensed users only) backing up and restoring a database to a local server does not constitute cancellation of the CDM+ Data Hosting Service. The client must notify CDM+ Customer Service as outlined above.
Data Breach Policy
Suran Systems, Inc. uses internal controls to limit access to an organization's sensitive information, including personal identifying information (PII) stored in an organization's database. External access to an organization's databases is controlled by the organization itself through user accounts, mobile provisions, and configuration in specific products. For example, an organization hosting data with the CDM+ Data Hosting service can configure the Engage product so members in a group can access personal information for other members in the same group. It is the organization and its staff's responsibility for establishing this group membership and controlling the setting allowing members to access information for other group members. Another example of an organization's control is the level of access granted to view sensitive information stored in pastoral or visitation records by a user defined by the organization. It is the organization and its staff's responsibility to maintain appropriate restrictions to this data using the tools provided in Suran's software. There are other controls an organization can use to manage access to sensitive and PII information. The examples given here should not be considered an exhaustive list.
In the event an organization's data is unlawfully accessed by a 3rd party (data breach) due to a failure in Suran's internal controls, Suran Systems, Inc. will make a reasonable effort to determine the time and scope of the access and communicate it to the affected organization(s) and the appropriate law enforcement entities in a reasonable time following discovery of the breach. Suran will perform a root cause analysis of the breach and any necessary changes to prevent future unauthorized access using the same technique(s) will be made. Suran will provide a post-mortem of the breach to explain what happened, how it occurred, and what steps Suran has taken to prevent the breach from occurring again.
In the event an organization's data is unlawfully accessed by a 3rd party due to a failure in the organization's internal controls, Suran Systems. Inc. will make a reasonable effort to determine the time and scope of the access and communicate it to the affected organization(s). Suran will assist any law enforcement entities investigating the incident to the extent required by law and, if legally allowed to do so, communicate those efforts to the organization. Suran will also advise the organization on policy and configuration change to prevent future breaches using similar techniques.
At no time will Suran be considered liable for any damages, direct or indirect, due to a data breach, whether achieved due to internal failures in Suran's controls or failures by the organization in their controls.
Termination Policy
Suran Systems, Inc. reserves the right to terminate hosting service without cause at any time. The following policies apply when terminating a hosting account.
Termination for Non-Renewal
Unless explicitly defined as an on-going service, data hosting plans are paid in advance for a set period of time and expire at the end of that period. Suran Systems, Inc. will send renewal notices to the client beginning 45 days prior to the plan's explanation. If the client does not renew their plan or indicate intent to cancel service, Suran Systems, Inc. reserves the right to revoke access to the client's data until the plan is renewed or cancelled. Data whose access has been revoked for non-renewal will be preserved for a minimum of one year but may be permanently destroyed after one year.
Termination for Non-Payment
A client may enroll in automatic payment for data hosting services through direct bank withdrawal, credit/debit card charge, or another means of payment. In the event payment cannot be secured, Suran Systems, Inc. will contact the client to secure a viable payment method and payment for any missed periods. If the client cannot be reached to obtain payment or refuses to provide payment for the hosting service, Suran Systems, Inc. reserves the right to revoke access to the client's data until payment is received for all fees due for periods where data was available to the client. If the client indicates an intent to cancel the hosting service, payment for all fees due for periods where data was available to the client must be received before access to the data will be provided. Data whose access has been revoked for non-renewal will be preserved for a minimum of one year but may be permanently destroyed after one year.
Termination for Other Reasons
If Suran Systems, Inc. elects to terminate access to hosted data for any other reason, including cessation of its own business activities, Suran Systems, Inc. will provide the client access to their hosted data. Reasonable effort will be made to ensure the client is informed of the termination of hosting services and the client will be provided access to their data. It is the client's responsibility to ensure Suran Systems, Inc. is kept informed with phone, email, mailing address, and other contact information changes to ensure communication regarding the termination of service will be received by the client.