Security

Your church data, protected with the same care we'd want for our own.

Member rolls, giving history, prayer requests, kids check-in records — sensitive data that deserves real security, not a vague "industry standard" page.

Encryption at rest and in transit

TLS 1.2+ for all traffic. AES-256 for stored data. OAuth tokens and 2FA secrets encrypted with rotating keys.

Role-based access control

Pastor, treasurer, comms director, kids director, volunteer — every role sees only what they need. Audit log captures every change with before/after JSON.

2FA, SSO, and IP allowlisting

TOTP-based 2FA on every plan. SSO/SAML and IP restrictions on Enterprise for staff who require it.

Hosting on Vercel + Supabase

Both SOC 2 Type II certified. Data hosted in US East by default; EU and APAC residency available on Enterprise.

Honest about what we collect

We collect what's needed to run the product — not for selling, retargeting, or analytics partners. Our privacy policy is in plain English.

Compliance roadmap

GDPR + CCPA aligned today. SOC 2 Type I scheduled Q3 2026. DPA available for any tier; signable today for Enterprise.

Reporting a vulnerability

We take security reports seriously. If you've identified an issue, please email security@pewprep.com with details. We acknowledge within 24 hours, investigate, and credit reporters in our advisory unless they request anonymity. See /.well-known/security.txt for our security contact policy.