Security Audit

From time to time (at least once a year), we commission independent Internet security professionals to audit our security. We implement any findings and recommendations as a matter of priority.

Credit Card Data

At no time do we store your credit card details on our servers. Our payment processor, Paddle, handles payment processing on our behalf. Paddle ensures that all relevant compliance, such as PCI, is met. None of our staff, including management, have access to your credit card info. Got questions about our security? Ask us.

Acknowledgment Program

We don’t offer bug bounties. However, we acknowledge contributions here on our site.

Only the first researcher to report a specific qualifying issue is eligible for acknowledgment. Whether an issue is a qualifying issue, as well as eligibility for acknowledgment, are decisions taken by us at our discretion.


In order to qualify for acknowledgment, please follow these guidelines when reporting issues:

  • Report security issues via our email address. The address is [email protected].
  • Do not use automated scripts/tools without prior approval and scheduling. We understand the value of automated vulnerability detection scripts and software, but we ask you not to run automated scans of any kind without scheduling them with us in advance.
  • Only test our systems. Systems hosted by third parties do not qualify for acknowledgment.
  • Provide steps to reproduce the problem in our systems. Providing generic background information about a class of vulnerability without specific details about how our systems are vulnerable does not qualify for acknowledgment.
  • Please do not share your research or findings publicly until we’ve had time to research and release a fix for the problem.

Hosting Infrastructure

  • Our systems continuously monitor for failures and escalate to our team as needed to minimize downtime and prevent issues for our users. We strive for at least 99.95% uptime.
  • We keep extensive logs of all system activity.
  • We have two-factor authentication enabled for all servers, code hosting, and continuous integration services.

Application Layer

  • We check 3rd party code against known vulnerability databases.
  • Our policy-based authorization system ensures that each client’s data is segmented and contained within their own account.
  • All database queries are executed with parameter binding, preventing SQL injection attacks.
  • We use CSRF tokens to prevent cross-site request forgery.
  • All user-generated data is escaped on output, preventing XSS attacks.
  • We record all application errors (server-side and client-side) and send them to a bug tracker for review.
  • Data is always encrypted, both in transit and at rest. In transit, we use strong, modern TLS. At rest, we use one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256). Additionally, all secret keys are automatically rotated on a regular basis.

Testing & 3rd-Party Audits

  • We have a fully automated test suite that validates the expected system behavior when changes are made to the codebase.
  • We use an automated vulnerability scanner to continually monitor our app for possible security issues.
  • We check 3rd party code against known vulnerability databases.

Data Retention

  • All data is safely stored within the European Union, currently in Germany. This facilitates compliance with privacy regulations and leverages the EU’s strong standards for data protection.
  • Our MariaDB database has a rolling 2-day backup and is encrypted at rest.
  • User-generated content, such as sermons, files, and photos, is stored in the Hetzner storage box.
  • People can optionally download their data and save it offline.