The new Concord is the most secure version of Concord ever built.
When building an entirely online version of Concord, we recognized that some customers may be reluctant to put their private Concord data into an online service. In anticipation of this, we built Concord using a number of industry-standard security systems and implemented several procedures to protect your data. These methods take many practical steps to avoid the common issues that trouble many services on the Internet.
The Privacy of Your Data
We take the privacy and security of your data seriously. The data which users place in Concord are often personal and sensitive. A collection of citations for readings at Church services, for example, would likely not be considered by the creator as needing lots of protection. In contrast, a collection of citations from a user’s Christian Science Association or notes from Primary Class instruction are personal in nature. Users would expect that data to be kept private and secure. Additionally, we know of Christian Science practitioners, nurses, and teachers who use Concord to support their work in a variety of ways. In general, many users also turn to Concord to address deeply personal or confidential issues and thoughts. We love that users want to embrace Concord in different ways and we want to do everything we can to make Concord a safe place that supports each individual’s spiritual growth.
We need your help in protecting your account. The only way that Concord knows which account is yours is when you log in with your unique username and password. If someone else is able to guess your password, then many of our security protections are rendered ineffective. As such, we ask our users to create a strong password with the following requirements:
Passwords must be 11 characters (or longer)
There must be at least one uppercase and at least one lowercase character
The system also checks to make sure your password does not contain common words or elements of common passwords that hackers could use to break your password more easily.
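The three checks above (minimum length, mixed case, and rejection of common words or fragments of common passwords) can be expressed as a small policy validator. This is an added example written for this page, not Concord's own code: the list of common words is a constructed stand-in for the real dictionary, and the leet-speak normalisation (so that "P@ssw0rd" is still caught as "password") is an assumption about how such a check would be implemented.

```python
import re

MIN_LENGTH = 11  # the page's stated minimum

# Constructed sample dictionary; a real deployment would load a large
# list of breached passwords and common words instead.
COMMON_WORDS = {"password", "concord", "welcome", "letmein", "qwerty", "123456"}

# Assumed normalisation: undo the usual character substitutions so that
# "elements of common passwords" are still recognised after disguising.
LEET_TABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "@": "a", "$": "s", "!": "i"})


def common_fragments(password: str) -> list[str]:
    """Return the common words/fragments found in the password.

    Both the plain lower-cased form and the de-leeted form are searched,
    so a digit-only entry such as "123456" is still matched verbatim.
    """
    lowered = password.lower()
    candidates = {lowered, lowered.translate(LEET_TABLE)}
    return sorted({w for w in COMMON_WORDS
                   for c in candidates if w in c})


def check_password(password: str) -> list[str]:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    for word in common_fragments(password):
        problems.append(f"contains common word or password fragment {word!r}")
    return problems


def is_acceptable(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    for pw in ["Short1", "MyP@ssw0rd2024", "correct horse Battery"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Because the validator returns the full list of violations rather than stopping at the first one, the sign-up form can tell the user everything that needs fixing in one round trip.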
TIP: If you are using your own computer you can use your web browser's password “save” functionality to always remember the password for you. By doing this, you won't have to type the password every time. See the knowledge base article here for instructions on how to set up your browser to do this. NOTE: To protect your Concord account, do not save your password if you are on a public or shared computer.
Here are some additional security protections:
We protect the networks used by our servers with a number of standard security measures including firewalls and unified threat management systems.
We have an independent cybersecurity organization run periodic penetration tests on the Concord infrastructure and in the Concord application itself. We prioritize the repair of any findings.
We developed Concord with the Java Spring Security framework to help protect against common code-based attacks.
We install a minimal number of packages on the Concord servers and patch them regularly. This protects against using software with known security vulnerabilities.
All communications between our servers and yours are encrypted using SSL/TLS. Our certificates use an RSA 2048-bit key, our servers have HTTP Strict Transport Security (HSTS) enabled, and we have disabled the older protocol versions that could be used in a downgrade attack on the connection.
All passwords are protected with the bcrypt hashing algorithm at a cost factor of 10 rounds, using a 128-bit salt and a 184-bit hash.
Data fields that could contain sensitive data such as citations, comments, lists, etc. are stored in the Concord database using AES-128 encryption with a SHA-512 hash.
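The bcrypt figures quoted above (cost factor 10, 128-bit salt, 184-bit hash) are all visible in the modular-crypt string that bcrypt stores, so an auditor can verify a password store's parameters without the plaintext. The parser below is an added example for this page, not Concord's code; the sample hash string is a constructed value of the right shape used only to exercise the parser, and the `meets_policy` thresholds are the page's own numbers taken as the expected policy.

```python
import re

# bcrypt uses its own base64 alphabet (not the RFC 4648 one).
BCRYPT_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# $<version>$<cost>$<22 salt chars><31 hash chars>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed sample of the stored format; not a real credential.
SAMPLE_HASH = "$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"


def bcrypt_b64decode(text: str) -> bytes:
    """Decode bcrypt's base64 variant; trailing bits that do not fill a byte are dropped."""
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        acc = ((acc << 6) | BCRYPT_ALPHABET.index(ch)) & 0xFFFF
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out)


def parse_bcrypt_hash(encoded: str) -> dict:
    """Split a bcrypt string into its version, cost and decoded component sizes."""
    m = BCRYPT_RE.match(encoded)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost_str, salt_b64, hash_b64 = m.groups()
    cost = int(cost_str)
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    salt = bcrypt_b64decode(salt_b64)    # 22 chars -> 16 bytes = 128 bits
    digest = bcrypt_b64decode(hash_b64)  # 31 chars -> 23 bytes = 184 bits
    return {
        "version": version,
        "cost": cost,
        "iterations": 2 ** cost,         # cost is log2 of the key-expansion rounds
        "salt_bits": len(salt) * 8,
        "hash_bits": len(digest) * 8,
    }


def meets_policy(encoded: str, min_cost: int = 10) -> bool:
    """True if the stored hash is well-formed and at least as strong as the stated policy."""
    try:
        info = parse_bcrypt_hash(encoded)
    except ValueError:
        return False
    return (info["cost"] >= min_cost
            and info["salt_bits"] == 128
            and info["hash_bits"] == 184)


if __name__ == "__main__":
    print(parse_bcrypt_hash(SAMPLE_HASH))
    print("meets policy:", meets_policy(SAMPLE_HASH))
```

Running `meets_policy` over every row of a user table is a cheap way to catch legacy rows hashed at a lower cost before an attacker does; rows that fail can be re-hashed the next time the user logs in.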
We take the security of your data seriously. If you believe your account data has been compromised in any way, please contact the Customer Care Center at 1-617-450-2700. We hope you trust Concord to store your data securely.