Security at Aria
Your church data is sacred. We protect it with enterprise-grade security measures so you can focus on ministry.
Data Protection
Each organization's data is fully isolated. Your volunteer information, interactions, and conversations are completely separate from other churches using Aria.
Encryption
All data is encrypted in transit using HTTPS/TLS. Passwords are securely hashed using industry-standard algorithms and never stored in plain text.
Access Controls
Role-based permissions ensure team members only access what they need. Owners, admins, leaders, members, and viewers each have appropriate access levels.
AI Privacy
All AI conversations are scoped to your organization. Your data is never used to train AI models, and conversations are not shared between organizations.
Planning Center
Each organization connects with its own Planning Center credentials. API keys are stored encrypted and are never shared with or accessible to other organizations.
Payments
All billing is handled by Stripe, a PCI-compliant payment processor. We never store credit card numbers or sensitive payment information on our servers.
Two-Factor Authentication
Protect your account with TOTP-based two-factor authentication. Use any authenticator app (Google Authenticator, Authy, etc.) plus backup codes for recovery.
Monitoring & Auditing
All administrative actions are logged in an audit trail with timestamps and IP addresses. Real-time error monitoring and automated dependency vulnerability scanning keep the platform secure.
Transport Security
- TLS 1.2+ enforced on all connections
- HTTP Strict Transport Security (HSTS) enabled
- Automatic HTTPS redirect for all requests
Security Headers
- Content Security Policy (CSP) to prevent XSS attacks
- X-Frame-Options to prevent clickjacking
- X-Content-Type-Options to prevent MIME sniffing
- Permissions-Policy to restrict browser features
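The Transport Security and Security Headers lists above can be checked against the headers a response actually carries. The following is an added example, not Aria's code: the pass/fail rule for each header value is an assumption of the example (the page names the headers but not their values), and both sample responses are constructed.

```python
import re

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; the first duplicate wins."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return out

def audit_headers(headers):
    """Return {header: problem} for the headers listed above; {} means all pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    names = ("strict-transport-security", "content-security-policy",
             "x-frame-options", "x-content-type-options", "permissions-policy")
    problems = {n: "missing" for n in names if not h.get(n)}
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if not m or int(m.group(1)) == 0:  # max-age=0 switches HSTS off
            problems["strict-transport-security"] = "max-age absent or zero"
    csp = h.get("content-security-policy")
    if csp:
        d = parse_csp(csp)
        src = d.get("script-src", d.get("default-src"))  # fallback per CSP
        if src is None:
            problems["content-security-policy"] = "no script-src or default-src"
        elif "'unsafe-inline'" in src and not any(
                s.startswith(("'nonce-", "'sha")) for s in src):
            # a nonce or hash makes browsers ignore 'unsafe-inline'
            problems["content-security-policy"] = "script-src allows 'unsafe-inline'"
    xfo = h.get("x-frame-options")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):  # ALLOW-FROM is obsolete
        problems["x-frame-options"] = "value is not DENY or SAMEORIGIN"
    xcto = h.get("x-content-type-options")
    if xcto and xcto.lower() != "nosniff":
        problems["x-content-type-options"] = "value is not nosniff"
    return problems

# Constructed sample responses (not captured from any real site).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
        "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
        "Permissions-Policy": "camera=(), microphone=()"}
WEAK = {"strict-transport-security": "max-age=0",
        "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "ALLOW-FROM https://example.com",
        "X-Content-Type-Options": "nosniff"}
```

Pass in the header mapping from any HTTP client's response object; an empty result means every listed header is present and satisfies the example's rules.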
Authentication
- PBKDF2 password hashing with SHA-256
- CSRF protection on all forms
- Rate limiting on login attempts (automatic lockout after repeated failures)
- Minimum password complexity requirements
- Optional TOTP two-factor authentication with authenticator app support
- Hashed backup codes for 2FA account recovery
Multi-Tenant Isolation
- Organization-scoped database queries on all data access
- Middleware-enforced tenant context on every request
- Role-based permission checks at the view layer
Infrastructure
- Hosted on Railway with managed infrastructure
- PostgreSQL database with automated backups
- Environment variables for all secrets and credentials
Monitoring & Auditing
- Comprehensive audit logging of all administrative actions
- IP address tracking on sensitive operations
- Real-time error monitoring with Sentry (no personal data collected)
- Automated dependency vulnerability scanning via Dependabot
- Regular security audits with pip-audit
Responsible Disclosure
If you discover a security vulnerability, we appreciate your help in disclosing it responsibly. Please contact us directly so we can address the issue promptly.
security@aria.church