Security & Stewardship

Built for the elder board's review.

Tenant isolation at the query layer, role-gated endpoints, encrypted credentials, PCI-aware payments, and confidential pastoral notes that stay confidential. Designed to clear an elder review.

Security posture

Defense in depth, not a marketing badge.

Multi-tenant isolation

Every church is fully isolated. Tenant scoping is enforced at the query layer — not as an application convention. No shared state, ever.

Role-based access control

Built-in roles: Member, Volunteer, Group Leader, Staff, Pastor, Finance, Admin, Executive. Confidential pastoral notes visible only to authorized roles.

PCI-aware payments

Online giving runs on a PCI-DSS compliant processor. The platform never touches a card number directly. Tokenized at the form, charged via the gateway.

Encrypted credentials

Per-organization API keys (OpenAI, payment processors, integrations) are encrypted at rest. Falls back to server-level configuration if no tenant key is set.

Encryption in transit

HTTPS-only across every surface. HSTS-eligible. Modern TLS, no legacy protocols. Public webhooks are signed and verified.
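HTTPS and HSTS are server configuration, but verifying a signed webhook is application code, and it is where a receiver most often gets it wrong. The following is an added example, not SanctuaryIQ's code and not any particular payment processor's scheme: it assumes the sender puts `t=<unix seconds>,v1=<hex>` in an `X-Signature` header, where `v1` is HMAC-SHA256 over `"<t>.<raw body>"`. The header name, layout and tolerance window are assumptions for this example.

```python
"""Signed-webhook verification with a replay window (added example; not SanctuaryIQ code).

Assumed scheme: X-Signature: t=<unix seconds>,v1=<hex HMAC-SHA256(secret, "<t>.<raw body>")>.
"""
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # reject signatures older than five minutes (assumed replay window)


def _digest(secret: bytes, timestamp: int, body: bytes) -> str:
    # The timestamp is part of the signed message, so it cannot be swapped without detection.
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_webhook(secret: bytes, body: bytes, timestamp: Optional[int] = None) -> str:
    """Sender side: produce the header value for a raw request body."""
    ts = int(time.time()) if timestamp is None else timestamp
    return f"t={ts},v1={_digest(secret, ts, body)}"


def verify_webhook(secret: bytes, body: bytes, header: str, now: Optional[int] = None) -> bool:
    """Receiver side. Returns False for malformed, stale, or mismatched input.

    Verify against the raw request bytes before parsing them as JSON; re-serialised
    JSON may not match what the sender signed.
    """
    try:
        parts = dict(item.split("=", 1) for item in header.split(","))
        ts = int(parts["t"])
        provided = parts["v1"]
    except (ValueError, KeyError):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay attempt
    expected = _digest(secret, ts, body)
    # Constant-time comparison: a plain == stops at the first differing byte.
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    body = b'{"event":"gift.completed","amount_cents":5000}'
    header = sign_webhook(secret, body)
    print("valid:", verify_webhook(secret, body, header))
    print("tampered:", verify_webhook(secret, body + b" ", header))
```

The timestamp check bounds how long a captured request stays valid; pairing it with a store of recently seen signatures closes the window completely for receivers that need exactly-once handling.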

Audit trail

Every mutation — gift recorded, person edited, pastoral note added, role changed — is logged with user, timestamp, and source. Full replay per record.
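An audit trail that supports "full replay per record" is an append-only event log in which each event carries the actor, timestamp, source and the field-level change, and a record's current state is whatever replaying its events produces. The following is an added example, not SanctuaryIQ's implementation; the event fields, source labels and sample mutations are constructed for illustration.

```python
"""Append-only audit trail with per-record replay (added example; not SanctuaryIQ code).

Each mutation is an immutable event: who, when, from where, which record, and the
field-level change as (field, old, new). Replay rebuilds the record at any point in
its history, and an event whose `old` value disagrees with the replayed state exposes
a gap or an out-of-order write. Event layout and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AuditEvent:
    seq: int                                   # position in the log, assigned on append
    at: datetime                               # UTC timestamp
    user_id: int                               # who
    source: str                                # where from: "web", "api", "csv_import" (constructed)
    record: Tuple[str, int]                    # (table, id) that was mutated
    action: str                                # "create", "update" or "delete"
    changes: Tuple[Tuple[str, Any, Any], ...]  # (field, old, new)


class AuditLog:
    """Only `record` mutates the log; there is deliberately no edit or purge method."""

    def __init__(self) -> None:
        self._events: List[AuditEvent] = []

    def record(self, *, user_id: int, source: str, table: str, record_id: int,
               action: str, changes: Iterable[Tuple[str, Any, Any]],
               at: Optional[datetime] = None) -> AuditEvent:
        ev = AuditEvent(seq=len(self._events), at=at or datetime.now(timezone.utc),
                        user_id=user_id, source=source, record=(table, record_id),
                        action=action, changes=tuple(changes))
        self._events.append(ev)
        return ev

    def history(self, table: str, record_id: int) -> List[AuditEvent]:
        return [e for e in self._events if e.record == (table, record_id)]

    def replay(self, table: str, record_id: int,
               upto_seq: Optional[int] = None) -> Optional[Dict[str, Any]]:
        """State of the record after event `upto_seq` (latest by default).

        Returns None if the record was never created or its last event is a delete.
        """
        state: Optional[Dict[str, Any]] = None
        for ev in self.history(table, record_id):
            if upto_seq is not None and ev.seq > upto_seq:
                break
            if ev.action == "delete":
                state = None
                continue
            if ev.action == "create":
                state = {}
            elif state is None:
                raise ValueError(f"event {ev.seq}: update to a record that does not exist")
            for fld, old, new in ev.changes:
                if state.get(fld) != old:
                    raise ValueError(f"event {ev.seq}: {fld} expected {old!r}, "
                                     f"replay has {state.get(fld)!r}")
                state[fld] = new
        return state


def build_sample_log() -> AuditLog:
    """Constructed sequence: a gift is recorded, then corrected, then a person is created."""
    log = AuditLog()
    t0 = datetime(2024, 1, 7, 15, 0, tzinfo=timezone.utc)
    log.record(user_id=7, source="web", table="gifts", record_id=1, action="create",
               changes=[("person_id", None, 1), ("amount_cents", None, 5000)], at=t0)
    log.record(user_id=8, source="api", table="gifts", record_id=1, action="update",
               changes=[("amount_cents", 5000, 5500)], at=t0.replace(minute=5))
    log.record(user_id=7, source="web", table="people", record_id=1, action="create",
               changes=[("name", None, "Alice")], at=t0.replace(minute=9))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for ev in log.history("gifts", 1):
        print(ev.seq, ev.at.isoformat(), ev.user_id, ev.source, ev.action, ev.changes)
    print("now:", log.replay("gifts", 1), "after first event:", log.replay("gifts", 1, upto_seq=0))
```

Storing the old value alongside the new one is what makes replay self-checking: the log cannot silently skip or reorder a mutation without the replay failing.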

Pastoral confidentiality

Pastoral notes that stay pastoral.

Senior pastors ask this first. The answer is short: pastoral notes, prayer requests, and care details are role-gated, audit-logged, and excluded from generic AI prompts unless explicitly authorized.

Confidential by default

  • Pastoral notes are visible only to authorized care roles — never to general staff
  • Confidential prayer requests can be marked private or anonymous at submission
  • Sensitive life events (illness, family crisis) are flagged and access-logged

Giving is treated separately

  • Individual gift amounts are restricted to finance roles & the senior pastor
  • Aggregate giving health is visible to executive pastors without exposing individual records
  • Donor information is excluded from AI prompts unless required for a finance task
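Enforcing tenant scoping "at the query layer, not as an application convention" (Security posture) and the role rules in the two lists above come down to one data-access layer that binds the church from the authenticated principal and refuses to run a query without it. The following is an added example, not SanctuaryIQ's code; the schema, the sample rows, and the mapping of the page's role names to permissions are constructed for this illustration.

```python
"""Tenant-scoped, role-gated data access (added example; not SanctuaryIQ code).

Every read goes through TenantSession, which takes org_id from the authenticated
principal and appends the tenant predicate itself, so a caller can neither forget
it nor supply another church's id. Role checks for pastoral notes and individual
gift amounts sit in the same layer. Schema, rows and role mapping are constructed.
"""
import sqlite3
from dataclasses import dataclass
from typing import Any, List, Optional, Sequence, Tuple

# Assumed mapping of the page's roles to permissions.
PASTORAL_ROLES = frozenset({"Pastor", "Executive"})      # care roles that may read notes
GIFT_DETAIL_ROLES = frozenset({"Finance", "Pastor"})      # individual gift amounts
GIFT_AGGREGATE_ROLES = GIFT_DETAIL_ROLES | {"Executive"}  # totals only, no records

SCHEMA = """
CREATE TABLE people (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, name TEXT NOT NULL);
CREATE TABLE pastoral_notes (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL,
                             person_id INTEGER NOT NULL, body TEXT NOT NULL);
CREATE TABLE gifts (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL,
                    person_id INTEGER NOT NULL, amount_cents INTEGER NOT NULL);
"""


class AccessDenied(PermissionError):
    pass


@dataclass(frozen=True)
class Principal:
    user_id: int
    org_id: int
    role: str


class TenantSession:
    def __init__(self, conn: sqlite3.Connection, principal: Principal) -> None:
        self.conn = conn
        self.p = principal

    def _scoped(self, table: str, columns: Sequence[str],
                order_by: Optional[str] = "id", **filters: Any) -> List[Tuple]:
        # Identifiers (table, columns, filter names) come only from methods of this
        # class; values are bound as parameters; org_id is always the first predicate.
        where = ["org_id = ?"]
        params: List[Any] = [self.p.org_id]
        for col, val in filters.items():
            where.append(f"{col} = ?")
            params.append(val)
        sql = f"SELECT {', '.join(columns)} FROM {table} WHERE {' AND '.join(where)}"
        if order_by:
            sql += f" ORDER BY {order_by}"
        return self.conn.execute(sql, params).fetchall()

    def people(self) -> List[Tuple]:
        return self._scoped("people", ["id", "name"])

    def pastoral_notes(self, person_id: int) -> List[Tuple]:
        if self.p.role not in PASTORAL_ROLES:
            raise AccessDenied(f"{self.p.role} may not read pastoral notes")
        # A person from another church simply does not exist in this tenant's view.
        return self._scoped("pastoral_notes", ["id", "body"], person_id=person_id)

    def gifts(self) -> List[Tuple]:
        if self.p.role not in GIFT_DETAIL_ROLES:
            raise AccessDenied(f"{self.p.role} may not see individual gifts")
        return self._scoped("gifts", ["person_id", "amount_cents"])

    def giving_total_cents(self) -> int:
        # Executives see aggregate giving health without individual records.
        if self.p.role not in GIFT_AGGREGATE_ROLES:
            raise AccessDenied(f"{self.p.role} may not see giving totals")
        rows = self._scoped("gifts", ["COALESCE(SUM(amount_cents), 0)"], order_by=None)
        return rows[0][0]


def build_demo_db() -> sqlite3.Connection:
    """Two churches (org 1 and org 2) with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)",
                     [(1, 1, "Alice"), (2, 1, "Bob"), (3, 2, "Carol")])
    conn.executemany("INSERT INTO pastoral_notes VALUES (?, ?, ?, ?)",
                     [(1, 1, 1, "Hospital visit follow-up"), (2, 2, 3, "Family crisis")])
    conn.executemany("INSERT INTO gifts VALUES (?, ?, ?, ?)",
                     [(1, 1, 1, 5000), (2, 1, 2, 2500), (3, 2, 3, 9900)])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    pastor = TenantSession(conn, Principal(user_id=10, org_id=1, role="Pastor"))
    print(pastor.people(), pastor.pastoral_notes(1), pastor.pastoral_notes(3))
```

Note that a cross-tenant lookup returns an empty result rather than an error: the row is invisible, so there is no oracle for whether an id exists in another church.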

Member-facing controls

  • Members can view and update their own profile, family, and communication preferences
  • Each member sees only their own giving history & statements
  • Right-to-be-forgotten / data export workflows for jurisdictions that require them

What is logged

  • Every read of a pastoral note — who, when, from where
  • Every export of a giving list — with reason annotation
  • Every role grant or revocation — immutable audit log

AI data handling

How AI uses your data — precisely.

Buyers ask this second. The answer is short: AI calls are scoped, rate-limited, read-only for analytics, and never used to train third-party models.

Scoped & org-isolated

  • Every AI call is scoped to the calling user's church — no cross-tenant data exposure
  • The Pastoral Assistant is read-only: it analyzes data, it does not modify it
  • Tenant-supplied OpenAI keys are honored when configured; otherwise platform keys are used

Rate-limited & tracked

  • Per-user rate limits prevent runaway cost or abuse
  • Every AI call is logged with user, model, token usage, and outcome for audit
  • Cost-optimized models for high-volume paths; flagship models for the assistant & comms drafting

What is sent to the model

  • Only the prompt context required for the task — not your entire database
  • Pastoral notes & confidential prayer requests are excluded from generic prompts
  • Donor PII is excluded from comms-drafting prompts unless personalization is explicitly requested
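The four lists above describe one gateway in front of every model call: bind the tenant, apply a per-user rate limit, assemble only the fields the task is allowed to see, and write an audit entry with user, model, token usage and outcome. The following is an added example of that gateway, not SanctuaryIQ's code; the field names, task names, limits and person record are constructed, and no model is actually called (the `model` string is only a label in the log).

```python
"""AI-call gateway: tenant scoping, task-based field allowlists, per-user rate limits
and an audit entry per call (added example; not SanctuaryIQ code).

Field classes, task names, limits and the sample person are constructed for this
example; build_context returns the prompt context, it does not call any model.
"""
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Any, Deque, Dict, List, Set

BASE_FIELDS = {"first_name", "ministries", "attendance_last_90d"}
CONTACT_PII = {"email", "phone"}
DONOR_FIELDS = {"giving_total_cents", "last_gift_cents"}
CONFIDENTIAL = {"pastoral_notes", "confidential_prayer_requests"}


class AccessDenied(PermissionError):
    pass


class RateLimited(Exception):
    pass


def allowed_fields(task: str, *, personalize: bool = False,
                   confidential_authorized: bool = False) -> Set[str]:
    """An allowlist, not a denylist: a field reaches the prompt only because a rule names it."""
    fields = set(BASE_FIELDS)
    if task == "finance":
        fields |= DONOR_FIELDS                 # donor data only for a finance task
    if task == "comms_draft" and personalize:
        fields |= CONTACT_PII                  # PII only when personalization is requested
    if task == "pastoral_care" and confidential_authorized:
        fields |= CONFIDENTIAL                 # never in generic prompts
    return fields


@dataclass(frozen=True)
class CallRecord:
    user_id: int
    org_id: int
    task: str
    model: str
    approx_tokens: int
    outcome: str


class AiGateway:
    def __init__(self, max_calls: int, window_seconds: float, model: str = "assumed-model") -> None:
        self.max_calls = max_calls
        self.window = window_seconds
        self.model = model
        self._calls: Dict[int, Deque[float]] = defaultdict(deque)
        self.log: List[CallRecord] = []

    def _within_limit(self, user_id: int, now: float) -> bool:
        """Sliding window: drop timestamps older than the window, then count what is left."""
        q = self._calls[user_id]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True

    def build_context(self, *, user_id: int, org_id: int, person: Dict[str, Any],
                      task: str, now: float, personalize: bool = False,
                      confidential_authorized: bool = False) -> Dict[str, Any]:
        def log(tokens: int, outcome: str) -> None:
            self.log.append(CallRecord(user_id, org_id, task, self.model, tokens, outcome))

        if person["org_id"] != org_id:         # tenant check before anything else
            log(0, "denied_cross_tenant")
            raise AccessDenied("record belongs to another organization")
        if not self._within_limit(user_id, now):
            log(0, "rate_limited")
            raise RateLimited(f"user {user_id}: over {self.max_calls} calls per {self.window}s")
        fields = allowed_fields(task, personalize=personalize,
                                confidential_authorized=confidential_authorized)
        context = {k: v for k, v in person.items() if k in fields}
        # Rough size estimate (about four characters per token) kept for the audit entry.
        log(len(json.dumps(context, sort_keys=True)) // 4, "ok")
        return context


def sample_person() -> Dict[str, Any]:
    """Constructed record with one field of every class present."""
    return {
        "org_id": 1, "first_name": "Alice", "ministries": ["Worship"],
        "attendance_last_90d": 9, "email": "alice@example.org", "phone": "555-0100",
        "giving_total_cents": 120000, "last_gift_cents": 5000,
        "pastoral_notes": ["Hospital visit follow-up"],
        "confidential_prayer_requests": ["Marriage counseling"],
    }


if __name__ == "__main__":
    gw = AiGateway(max_calls=2, window_seconds=60)
    print(gw.build_context(user_id=1, org_id=1, person=sample_person(), task="generic", now=0.0))
    print(gw.log[-1])
```

Because the selection is an allowlist keyed on the task, adding a new column to the person record cannot leak it into a prompt until someone deliberately adds it to a rule.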

What is not

  • Your data is not used to train third-party models (per OpenAI API terms for paid plans)
  • The platform does not share church data across organizations — not for AI, not for benchmarking
  • You can disable AI features per-tenant if your elder board requires it

Stewardship & procurement

What elder boards and admins need.

Documentation for review

  • Security questionnaire responses (SIG-lite, CAIQ format)
  • Data Processing Addendum (DPA) on request
  • Standard MSA & SaaS subscription terms
  • Reference architecture & data-flow diagrams
  • Insurance certificates on request

Deployment & onboarding

  • Cloud-hosted SaaS — no servers to provision
  • Per-tenant subdomain or custom domain
  • Standard onboarding: campuses, ministries, people import in 2–4 weeks
  • You can start with one ministry and expand
  • CSV import for existing people, giving history, and pledge data

Church-friendly licensing

  • Per-church pricing — no per-seat surprises
  • Annual or monthly billing
  • Discounted tiers for church plants and small congregations
  • No-cost pilot programs for qualifying churches

Support & SLA

  • Direct line to engineering — no Tier 1 maze
  • Standard 99.9% uptime target
  • Status page for incidents & planned maintenance
  • Documented backup & restore procedures

Standards we align to

Familiar frameworks for IT review.

SanctuaryIQ aligns its controls to recognized security frameworks and payment-industry standards. Formal certifications are added as the customer base requires.

  • NIST CSF aligned
  • OWASP ASVS practices
  • PCI-DSS via processor
  • SOC 2 roadmap

Need our review packet?

Send us your elder board's questions and we'll respond with the security questionnaire, DPA, and reference architecture you need.

Request the packet