Security
How we approach protecting church data on Church Bright.
Transport & authentication
Serve your site over HTTPS (TLS) only. Staff sessions use signed JWTs; passwords are hashed with bcrypt before they are stored. Role-based access control limits sensitive pastoral and financial data to the roles that need it.
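The session and role model described above, as an added example that is not Church Bright's own code: a stdlib-only HS256 JWT issuer and verifier that pins the algorithm (so "alg": "none" and algorithm-confusion tokens are rejected), checks the signature in constant time, enforces "exp", and then applies a role check before releasing a financial or pastoral resource. The claim names, role names, permissions and secret are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret; in production load it from environment configuration.
SECRET = b"example-secret-not-for-production"
ALLOWED_ALG = "HS256"  # pinned: the token's own 'alg' header is never trusted


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, role: str, ttl_seconds: int,
                secret: bytes = SECRET, now: Optional[float] = None) -> str:
    """Issue a short-lived HS256 JWT carrying the staff member's role (assumed claim names)."""
    now = time.time() if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = {"sub": sub, "role": role, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is well-formed, correctly signed and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
            return None  # rejects 'none' and any algorithm the server did not choose
        expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return None  # signature mismatch: tampered payload or wrong key
        payload = json.loads(_b64url_decode(p64))
    except (ValueError, TypeError):
        return None  # malformed base64/JSON or wrong number of segments
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # missing or expired 'exp' claim
    return payload


# Assumed role-to-permission mapping for the example; real roles live in the application.
ROLE_PERMISSIONS = {
    "admin": {"finance:read", "pastoral:read"},
    "finance": {"finance:read"},
    "volunteer": set(),
}


def authorize(token: str, permission: str, secret: bytes = SECRET,
              now: Optional[float] = None) -> bool:
    """Authenticate the token, then check that its role grants the requested permission."""
    claims = verify_token(token, secret, now)
    if claims is None:
        return False
    return permission in ROLE_PERMISSIONS.get(claims.get("role"), set())
```

The order matters: the signature is checked before any claim in the payload is read, so a forged "role": "admin" never reaches the authorization step. Keeping the algorithm pinned server-side is the check most often missing from hand-rolled JWT code.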
Data storage
Customer data lives in your configured database (typically MySQL/MariaDB). Restrict both network access and database accounts to the application server and the backup host; nothing else should be able to reach the database.
Secrets
API keys for Stripe, Twilio, and SMTP belong in environment configuration, not in source control. Integration credentials stored on behalf of churches are masked in API responses, so a stored key is never returned in full once it has been saved.
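The two practices above, loading secrets from the environment and masking stored credentials in responses, as an added example that is not Church Bright's own code. The environment variable names, the field-name pattern used to decide what counts as a credential, and the sample record are assumptions made for the example.

```python
import re
from typing import Dict, Mapping

# Assumed variable names; the real deployment defines its own.
REQUIRED_ENV = ("STRIPE_SECRET_KEY", "TWILIO_AUTH_TOKEN", "SMTP_PASSWORD")


def load_secrets(env: Mapping[str, str]) -> Dict[str, str]:
    """Read required secrets from an environment mapping and fail fast if any is absent or empty."""
    missing = [name for name in REQUIRED_ENV if not env.get(name)]
    if missing:
        # Refuse to start rather than run with a blank credential.
        raise RuntimeError("missing required secrets: " + ", ".join(missing))
    return {name: env[name] for name in REQUIRED_ENV}


def mask_secret(value: str, visible: int = 4) -> str:
    """Keep only the last `visible` characters so staff can recognise a key without seeing it."""
    if len(value) <= visible:
        return "*" * len(value)  # too short to reveal anything safely
    return "*" * (len(value) - visible) + value[-visible:]


# Assumed naming convention: fields whose names contain these words hold credentials.
SENSITIVE_FIELD = re.compile(r"(secret|token|password|private_key|api_key)", re.IGNORECASE)


def mask_response(record: dict) -> dict:
    """Return a copy of a stored integration record with credential fields masked, recursing into nested dicts."""
    masked = {}
    for key, value in record.items():
        if isinstance(value, dict):
            masked[key] = mask_response(value)
        elif isinstance(value, str) and SENSITIVE_FIELD.search(key):
            masked[key] = mask_secret(value)
        else:
            masked[key] = value
    return masked


# Constructed sample of a church's stored integration settings (not real credentials).
SAMPLE_RECORD = {
    "church_id": 42,
    "stripe": {"publishable_key": "pk_test_1234567890", "secret_key": "sk_test_abcdefgh9876"},
    "twilio": {"account_sid": "ACexample", "auth_token": "tokenexample5555"},
    "smtp": {"host": "smtp.example.org", "password": "mailpass0001"},
}
```

Apply `mask_response` at the serialization boundary (the point where the record becomes an API response) rather than in each handler, so a new endpoint cannot forget it. Keep the masked copy separate from the stored record: the function never mutates its input, which also keeps masked values out of the database on a later save.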
Reporting issues
Found a vulnerability? Email security@churchbright.com with steps to reproduce; we take reports seriously.