Your data is safe with us.

Our commitment to security.
One important consideration when choosing a software platform like Church Social is the privacy and security of your data. You can rest assured knowing that your congregation's data is safe with us. This is something we take very seriously. Church Social was built with security front-of-mind from day one, and it's something we continually improve on. The following outlines many of the things we do to protect your data.

Hosting Infrastructure

  • Our hosting infrastructure is managed with Heroku, a top-notch hosting platform-as-a-service in terms of security and redundancy. For more information about Heroku's security, see here.
  • We keep extensive logs of all system activity.
  • We have two-factor authentication enabled for all server, code hosting and continuous integration services.

Application Layer

  • We use Laravel, a highly reputable, industry-leading server-side web framework, which follows modern security best practices, especially when it comes to user authentication, session management, password hashing, encryption, etc.
  • Password strength is validated against Dropbox's zxcvbn password strength estimator.
  • We check 3rd party code against known vulnerability databases.
  • Our policy-based authorization system ensures that each congregation's data is segmented and contained within their own account.
  • All database queries are executed with parameter binding, preventing SQL injection attacks.
  • We use CSRF tokens to prevent cross-site request forgery.
  • All user-generated data is escaped on output, preventing XSS attacks.
  • We capture all application errors (server-side and client-side) and log them to a bug tracker for review.

Firewalls

  • Firewalls are utilized to restrict access to systems from external networks and between systems internally.
  • We use Cloudflare DNS security features to protect us from DDoS attacks, prevent hacks on customer data and block malicious bots.
  • We use Cloudflare's high level IP reputation to automatically block visitors exhibiting malicious behaviour.
  • We use Cloudflare's Web Application Firewall (WAF) service, which protects our app from many possible vulnerabilities, including the OWASP Top 10.

Encryption

  • Our website and app are only available over an encrypted (SSL enabled) connection (HTTPS).
  • Passwords are one-way hashed using the bcrypt hashing function.
  • Our PostgreSQL database is encrypted at rest.

Testing & 3rd-Party Audits

  • We've contracted a third-party web security company (Digital Boundary Group located in London, Ontario) to do a thorough web application penetration test on Church Social.
  • We have a full automated test suite which validates the expected system behavior when any change is made to the codebase.
  • We use an automated vulnerability scanner to continually monitor our app for possible security issues.
  • We check 3rd party code against known vulnerability databases.

Data Retention

  • Our PostgreSQL database has a rolling 4-day backup, and is encrypted at rest.
  • User-generated content, such as sermons, files and photos, is stored on Amazon S3, with versioning enabled.
  • Churches can optionally download their data and save it offline.