Security at Church Pictorial

Your church directory contains names, photos, and contact information. We take the responsibility of protecting that data seriously. This page explains the specific measures we use.

Encryption and Transport Security

HTTPS Everywhere

All connections to Church Pictorial are encrypted with HTTPS. HTTP requests are automatically redirected. We enforce HTTP Strict Transport Security (HSTS) with a one-year duration and preload eligibility, so browsers always use encrypted connections.

Content Security Policy

We enforce a strict Content Security Policy that blocks inline scripts, prevents clickjacking, and limits which external resources can load on our pages. This helps protect against cross-site scripting and injection attacks.

Security Headers

Every response includes protective headers: X-Frame-Options set to DENY, content type sniffing prevention, and a strict referrer policy. These are industry-standard defenses against common web vulnerabilities.

Access Control

Three Privacy Tiers

You choose how your directory is accessed. Public directories are open to anyone with the link. Member-only directories require a one-time email verification code. Staff-only directories are restricted to logged-in administrators.

One-Time Passwords

Member access uses one-time email codes instead of shared passwords. Codes expire after 10 minutes, are limited to 5 verification attempts, and no more than 3 codes can be sent to the same email per hour.
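As an added illustration of the three limits just described (this is example code, not Church Pictorial's own implementation, which is not published here), the snippet below is a minimal in-memory one-time code store that enforces the 10-minute expiry, the 5-attempt cap and the 3-codes-per-hour throttle, and also makes each code single use; the class name, the storage layout and the sample address are assumptions for the example.

```python
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CODE_TTL = timedelta(minutes=10)   # a code is valid for 10 minutes
MAX_ATTEMPTS = 5                   # guesses allowed per code
MAX_SENDS = 3                      # codes issued per email per hour
SEND_WINDOW = timedelta(hours=1)

class OtpStore:
    # In-memory stand-in for the table a real deployment keeps this state in.
    def __init__(self):
        self.pending = {}  # email -> {"code", "expires_at", "attempts"}
        self.sends = {}    # email -> timestamps of codes issued

    def issue(self, email: str, now: datetime):
        # Return a fresh 6-digit code, or None once the hourly send cap is hit.
        recent = [t for t in self.sends.get(email, []) if now - t < SEND_WINDOW]
        if len(recent) >= MAX_SENDS:
            return None
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; leading zeros kept
        self.pending[email] = {"code": code, "expires_at": now + CODE_TTL, "attempts": 0}
        self.sends[email] = recent + [now]
        return code

    def verify(self, email: str, submitted: str, now: datetime) -> bool:
        entry = self.pending.get(email)
        if entry is None or now >= entry["expires_at"]:
            self.pending.pop(email, None)  # expired codes are dropped, not retried
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["code"], submitted):  # constant-time compare
            del self.pending[email]  # single use: a replayed code is rejected
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[email]  # burned: the member must request a new code
        return False

def walkthrough() -> list:
    # Run each limit against a fixed clock; returns the outcomes in order.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    s, email = OtpStore(), "member@example.com"  # constructed sample address
    c1 = s.issue(email, t0)
    r = [s.verify(email, "wrong", t0),                   # wrong guess
         s.verify(email, c1, t0 + timedelta(minutes=9)),  # right, within 10 min
         s.verify(email, c1, t0 + timedelta(minutes=9))]  # replay rejected
    c2 = s.issue(email, t0)
    r.append(s.verify(email, c2, t0 + CODE_TTL))          # expired at exactly 10 min
    c3 = s.issue(email, t0)
    r.append(s.issue(email, t0) is None)                  # 4th send within the hour throttled
    r.append(all(not s.verify(email, "wrong", t0) for _ in range(MAX_ATTEMPTS)))
    return r + [s.verify(email, c3, t0)]                  # burned after 5 misses
```

In production the same state would live in a database or cache keyed by email so that limits hold across application instances, and the email address in the key should be normalised (lower-cased) before lookup.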

Organization Isolation

Every database query is scoped to the requesting organization. One church's data is never accessible to another church's administrators, members, or directory visitors. Admin sessions include no-cache headers to prevent browser-level data leakage.

Rate Limiting

Login attempts, verification code requests, and form submissions are rate-limited per IP address. This protects against brute-force attacks and automated abuse.

Payment Security

Stripe-Hosted Checkout

All payment processing is handled by Stripe through their hosted checkout page. Your credit card number never touches our servers. Stripe is PCI DSS Level 1 certified.

Webhook Verification

Payment notifications from Stripe are verified using cryptographic signatures before processing. Each webhook event is validated against the originating organization to prevent cross-account confusion.

Photo and Data Handling

Upload Validation

Every uploaded photo is validated for file size (15 MB maximum), image format, and pixel dimensions before it is stored. Corrupted or non-image files are rejected.

Storage

Photos and directory data are stored on infrastructure managed by DigitalOcean in the United States. Storage encryption is provided by the infrastructure provider. Database connections use SSL when configured.

Logging

Email addresses are masked in application logs (e.g., "u***@example.com") to reduce the risk of exposing personal information through operational monitoring.

Search Engine Indexing

New directories are blocked from search engine indexing by default. If you make your directory public, you can still prevent search engines from listing it. Private and member-only directories include noindex directives that instruct search engines not to crawl or display directory content.

Data Ownership and Deletion

Export Your Data

Your directory data belongs to your church. While your account is active, you can export family information as CSV and download your directory as a PDF at any time.

Account Deletion

You can delete your organization and all associated data from the dashboard at any time. Deletion is permanent and removes all families, photos, directories, and account information.

Data Retention

After a subscription ends, data is retained for up to 90 days to allow reactivation. After the retention window, expired accounts and their data are automatically purged.

A Note on What We Don't Claim

  • We are not SOC 2, ISO 27001, or HIPAA certified
  • We have not undergone a formal third-party penetration test
  • We do not offer end-to-end encryption — authorized administrators can view the data they manage
  • Storage encryption at rest is provided by our infrastructure provider, not by application-level encryption

We believe in being straightforward about what we do and don't do. If you have specific security requirements, please contact us and we'll give you a direct answer.

Questions About Security?

If you have questions about how we handle your data, need details for your church's IT review, or want to report a security concern, email support@churchpictorial.com. You can also read our Privacy Policy for details on data collection, third-party processors, and your rights.

Ready to Get Started?

Start your 30-day free trial today. No credit card required.
