Security

Last updated: November 21, 2025

Our production environment is hosted on AWS EC2 and protected with multiple layers of security. ChurchPlannerPro is designed with security as a foundational principle.

Network

The application is delivered through a Cloudflare Tunnel, so the server is not exposed directly to the public internet.
AWS firewall rules (Security Groups) are configured to restrict inbound access.
SSH access is limited to explicitly allowed sources.
Application and database ports are bound to localhost and are not publicly accessible.

Access Management

Administrative access to the server is controlled through SSH key authentication and operating-system permissions.
Cloudflare Tunnel configuration is restricted to authorized Cloudflare accounts.
Application secrets (API keys, database credentials) are stored outside of container images and protected with restricted file permissions.

Threat Protection

Cloudflare provides edge protection, including DDoS mitigation.
Additional controls such as rate limiting and firewall rules can be applied.
The server is monitored and can be configured with alerts for availability and health.

Information Protection

Data in transit is encrypted using TLS/HTTPS via Cloudflare.
The tunnel connection between Cloudflare and the server is encrypted.
Data at rest is stored on encrypted AWS storage volumes.

Backups

Nightly backups of the database can be produced and retained for a defined period.
Backups can optionally be copied to an external storage location for added resilience.

See our Privacy Policy and Terms of Use .