Service Provider Security Policy
Purpose
To minimize risk by performing proper due diligence and ongoing monitoring of vendors that process, maintain, or store ACS Technologies Group, Inc. (“ACST”) sensitive data assets. Following this policy will help ACST and its service providers comply with state law, federal law, ACST policy, and client expectations.
Scope and Applicability
This policy applies to all ACST service providers.
Policy
ACST shall maintain a list of all service providers with whom sensitive information is or may be shared.
Service Providers are expected to uphold the high standards set by ACST and comply with all applicable policies, procedures, laws and regulations.
Service providers who have or may have access to sensitive data shall sign an agreement to abide by law, regulations and applicable ACST Policies. Such written records shall be maintained by ACST indefinitely.
ACST shall define the evidence that will be accepted to ensure service providers provide adequate security. Requirements for adequate security shall be included in contracts.
Prior to engaging any new service provider who may have access to sensitive data, ACST shall perform due diligence to ensure that the service provider has strong security processes and procedures. ACST shall require annually, at minimum, a signed SAS 70 Type II report from all service providers.
Former service providers shall remain on the list and be noted as inactive.
At the end of the agreement, the service provider shall destroy the data or maintain it securely according to the agreement. ACST shall require the service provider to provide an affirmation, on company letterhead and signed by an officer of the company, that the data has been destroyed beyond reconstruction.
Enforcement
Any employee found to be in violation of this policy may be subject to corrective action, up to and including termination of employment. Service Providers found to be in violation of this policy may be subject to financial penalties, up to and including termination of contract.
Variance Process
The Chief Ventures Officer is responsible for the review, documentation and management of any and all exceptions to this policy.