Your congregation trusts you with their most personal information. SteepleOS is built from the ground up to honor that trust with industry-leading security practices.
Multiple layers of defense, from encryption to access controls, working together to keep your data safe.
All sensitive data encrypted at rest using AES-256-GCM, the same standard used by banks and government agencies.
TOTP-based two-factor authentication with backup codes. Mandatory for all admin accounts.
19 granular roles with 60+ permissions ensure staff access only what they need, enforcing the principle of least privilege.
Each church’s data is completely isolated. Automatic query-level enforcement prevents any cross-organization data access.
Every action is logged with cryptographic integrity verification. Full audit trail for compliance and accountability.
Automatic account lockout, rate limiting, and Have I Been Pwned password checking protect against unauthorized access.
HTTPS enforced, HSTS with preload, Content Security Policy, and comprehensive security headers on every response.
Data export, retention policies, and privacy-by-design architecture. Your congregation’s data is handled with care.
SteepleOS aligns with recognized industry standards so you can confidently meet your compliance obligations.
Controls mapped to SOC 2 trust service criteria for security, availability, and confidentiality.
Full support for data subject rights, including export, deletion, and consent management.
Proactive defense against injection, broken authentication, XSS, and every other OWASP Top 10 vulnerability category.
Payment handling follows PCI-DSS standards. No card data stored on our servers.
Authentication follows NIST digital identity guidelines for credential strength and lifecycle.
Transparency is core to our security posture. Here is exactly how your data is stored and protected.
Data hosted in SOC 2-certified US data centers via Supabase and AWS with automatic backups and failover.
TLS 1.3 encryption in transit. AES-256-GCM encryption at rest. Keys rotated on a regular schedule.
Automated vulnerability scanning and dependency auditing with rapid response to advisories.
We never sell, share, or monetize your congregation’s data. Your data belongs to your church, period.
From small congregations to multi-campus organizations, churches trust SteepleOS to protect their most sensitive data.