# Data Protection and Handling Policy

### 1. Introduction

This Data Protection and Handling Policy outlines how we collect, store, process, protect, and manage data entrusted to us by churches, ministries, and other faith-based organizations using our Software-as-a-Service (SaaS) platform ("Hamanahel Suite").

We are committed to maintaining the confidentiality, integrity, and availability of client data and to implementing appropriate technical and organizational measures to safeguard personal, financial, and organizational information in accordance with applicable privacy and data protection laws.

### 2. Scope

This policy applies to all systems, infrastructure, applications, personnel, contractors, and third-party service providers involved in the operation and support of the Platform.

It covers all data processed through the Platform, including:

* Church and organizational records
* Member and family information
* Financial and donation records
* User authentication data
* Event and communication data
* Media and document uploads
* System logs and audit records

### 3. Data We Process

Depending on the modules and features utilized by a client organization, the Platform may process the following categories of data:

#### 3.1 Personal Information

* Names
* Addresses
* Phone numbers and contact details
* Email addresses
* Locations
* Dates of birth
* Wedding or anniversary dates
* Family relationships and household information
* Member profile information

#### 3.2 Organizational Data

* Church membership records
* Ministry participation records
* Event registrations
* Communication preferences
* Volunteer information
* Attendance records

#### 3.3 Financial Information

* Donation history
* Contribution records
* Accounting and ledger information
* Financial reports
* Transaction records
* Bank account information where required for operational purposes

#### 3.4 Authentication and Access Data

* Usernames
* User roles and permissions
* Authentication tokens
* Passwords

#### 3.5 Media and Content

* Uploaded documents
* Photos and media files
* Event-related content
* Church communications and announcements

#### 3.6 Special Categories of Data

Certain deployments may include voluntary information such as:

* Blood group information for church directories or emergency assistance programs
* Emergency contact information

Such information is processed solely for the purposes authorized by the client organization and the data subjects.

### 4. Infrastructure and Hosting Security

The Platform is hosted on services provided by leading cloud providers, designed for security, resilience, and scalability.

#### 4.1 Core Services Subprocessors

* Microsoft Azure
* Amazon Web Services
* Oracle Cloud Infrastructure
* OVH

#### 4.2 Ancillary Services Subprocessors

* Cloudflare
* Sentry
* Openprovider
* GoDaddy
* Spaceship
* PostHog
* Laravel Nightwatch
* Google Firebase
* Google Cloud Platform
* Meta | WhatsApp Business API

#### 4.3 Distribution Services

* Apple App Store
* Google Play

### 5. Data Storage and Protection

#### 5.1 Database Security

Client data is stored within Azure Database for MySQL Flexible Server or equivalent managed database services.

Security controls include:

* Encryption at rest
* Automated backups
* Point-in-time recovery

#### 5.2 File and Media Storage

Uploaded documents, photos, and other files are stored using secure storage systems with access controls and tenant-specific permissions.

#### 5.3 Encryption

**Data in Transit**

All data transmitted between:

* Users and the Platform
* Mobile applications and APIs
* Platform services and databases

is protected using TLS/SSL encryption.

**Data at Rest**

Databases, backups, and storage systems utilize industry-standard encryption technologies to protect stored information.

### 6. Tenant Isolation and Multi-Tenancy

The Platform is designed as a multi-tenant SaaS solution.

To ensure client data remains segregated:

* Tenants are logically isolated from one another.
* Access controls enforce tenant boundaries.
* Users can only access data belonging to their organization.
* Administrative functions are restricted according to role and tenant permissions.

### 7. Access Control and Authentication

#### 7.1 Authentication

The Platform enforces secure authentication mechanisms including:

* Session-based authentication
* Token-based authentication where applicable
* Password hashing using modern cryptographic algorithms such as BCrypt or Argon2

Plain-text passwords are never stored.

#### 7.2 Role-Based Access Control (RBAC)

Access to information is governed through Role-Based Access Control (RBAC).

RBAC enables:

* Granular permission management
* Role-specific access to screens and features
* Controlled Create, Read, Update, and Delete (CRUD) permissions
* Restriction of sensitive administrative functions

#### 7.3 Administrative Access

Access to production systems is limited to authorized personnel who require access for operational support, maintenance, or security purposes.

### 8. Application Security

The Platform incorporates multiple layers of security controls.

#### 8.1 Secure Development Practices

Security measures include:

* Parameterized database queries
* ORM-based data access patterns
* Input validation
* Output encoding
* Protection against SQL injection attacks
* Protection against common web application vulnerabilities

#### 8.2 Audit Logging

Critical system activities may be logged, including:

* Authentication events
* Permission changes
* Sensitive data modifications
* Administrative actions

Audit logs assist in security monitoring, compliance, and incident investigations.

#### 8.3 Data Export Controls

When generating reports or exports such as:

* Excel spreadsheets
* PDF reports

sensitive security information, authentication credentials, and password hashes are excluded from output files.

### 9. Caching, Queues, and Temporary Data

The Platform may utilize technologies such as Redis and queue-processing services to improve performance.

These systems are used for:

* Session management
* Application caching
* Background job processing
* Notification delivery

Sensitive personal information is not intentionally retained in temporary caches beyond operational requirements.

These services operate within secured private infrastructure and are not publicly accessible.

### 10. Data Retention and Deletion

We retain client data only for as long as necessary to:

* Deliver the Platform services
* Meet legal obligations
* Satisfy financial reporting requirements
* Resolve disputes
* Enforce contractual obligations

#### Data Deletion Requests

Upon a valid request from a client organization or authorized user, data may be deleted in accordance with applicable laws and contractual obligations.

Deletion procedures may include removal from:

* Production databases
* Storage systems
* Authentication services
* Operational environments

Backup retention periods may affect the timing of complete removal from archival systems.

### 11. Incident Response and Breach Management

In the event of a suspected or confirmed security incident, we follow a structured incident response process.

#### Containment

We may:

* Disable compromised accounts
* Restrict system access
* Isolate affected infrastructure
* Update security controls and firewall rules

#### Investigation

Our team will:

* Assess the scope and impact
* Review logs and monitoring systems
* Determine root causes
* Document findings

#### Notification

Where required by law or contractual obligation, affected clients and relevant regulatory authorities will be notified within applicable timeframes.

#### Remediation

Following an incident, corrective actions will be implemented to reduce the likelihood of recurrence.

### 12. Client Responsibilities

While we maintain extensive security controls, client organizations are responsible for:

* Managing user access appropriately
* Assigning permissions responsibly
* Protecting account credentials
* Maintaining accurate user information
* Reporting suspected unauthorized access promptly

### 13. Policy Review and Updates

This policy is reviewed periodically to ensure alignment with:

* Changes in technology
* Security best practices
* Regulatory requirements
* Infrastructure updates
* Operational changes

Material changes to this policy may be communicated through the Platform or other appropriate channels.

### 14. Contact Information

Questions regarding this policy, security practices, or data protection matters may be directed to:

Hamanahel Software Solutions Private Limited <policy-help@hamanahel.com>

