Your Church's Data Is Sacred.
We Treat It That Way.
Prayer requests, attendance records, personal struggles — your members trust you with their most vulnerable moments. We built Flock from the ground up to protect that trust with enterprise-grade security at every layer.
Security Built Into the Foundation
Security is not a feature we added later. It is the foundation everything else is built on — enforced at the database level, not just the UI.
Multi-Tenant Isolation
Your church's data is completely isolated from every other church on the platform. We use PostgreSQL Row-Level Security (RLS) — the same pattern used by enterprise SaaS platforms — to enforce data isolation at the database level. Even if there were a bug in the application code, the database itself would prevent cross-organization data access. Every query, every row, every operation is scoped to your organization.
Authentication
Flock uses Firebase Authentication, a Google-operated identity platform trusted by millions of applications. Members can sign in with Google OAuth or email and password. All sessions are managed via industry-standard JSON Web Tokens (JWT), which are validated on every request. Tokens expire and refresh automatically, and we enforce concurrent session limits to prevent unauthorized access.
Biometric Security
Flock supports Face ID and Touch ID for quick, secure access on supported devices. Biometric data never leaves your device — it is processed entirely by the operating system's secure enclave. Flock simply receives a confirmation that your identity was verified. This means leaders can check their dashboard or take attendance without typing a password, while maintaining strong security.
Prayer Privacy Levels
Not all prayer requests should be visible to everyone. Flock offers three privacy levels: Public prayers are visible to all group members. Private prayers are visible only to group leaders and pastoral staff — members never see them. Elevated prayers allow group leaders to escalate critical needs to the organization-wide intercessory prayer wall, where campus pastors and senior staff can coordinate care. Privacy is enforced at the database level, not just the UI.
Role-Based Access Control
Flock enforces five granular roles, each with specific permissions defined and enforced at the database level. Organization administrators manage church-wide settings and staff. Campus pastors oversee ministries within their campus. Ministry directors manage groups within their ministry. Group leaders manage attendance, prayers, and events for their group. Group members can submit prayers, chat, and RSVP. Permissions are checked on every database query — not just in the UI — so even API-level access respects role boundaries.
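The database-level enforcement described in the Multi-Tenant Isolation and Role-Based Access Control sections, written out as an added PostgreSQL example (this is not Flock's own schema or code): a restrictive Row-Level Security policy scopes every command to the caller's organization, and permissive policies layer the prayer privacy levels and role checks on top. All table, column, role and session-setting names here are assumptions.

```sql
-- Added illustration, not Flock's schema; every name below is an assumption.
CREATE TABLE memberships (
  org_id   uuid NOT NULL,
  group_id uuid,                 -- NULL = org-wide staff role (admin, campus pastor)
  user_id  uuid NOT NULL,
  role     text NOT NULL CHECK (role IN ('org_admin','campus_pastor','ministry_director','group_leader','group_member'))
);
CREATE TABLE prayer_requests (
  id        bigserial PRIMARY KEY,
  org_id    uuid NOT NULL,
  group_id  uuid NOT NULL,
  author_id uuid NOT NULL,
  privacy   text NOT NULL CHECK (privacy IN ('public','private','elevated')),
  body      text NOT NULL
);

-- The app connects as a role that does NOT own the tables: superusers bypass RLS,
-- and owners do too unless FORCE is set; this is what makes "even with an app bug" hold.
CREATE ROLE flock_app NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON memberships, prayer_requests TO flock_app;
ALTER TABLE memberships     ENABLE ROW LEVEL SECURITY;
ALTER TABLE prayer_requests ENABLE ROW LEVEL SECURITY;
ALTER TABLE prayer_requests FORCE  ROW LEVEL SECURITY;

-- Per request, after validating the JWT, the app runs inside one transaction:
--   SET LOCAL app.org_id = '<org uuid>'; SET LOCAL app.user_id = '<user uuid>';
-- NULLIF maps an unset/empty variable to NULL: no context matches zero rows, never all.
CREATE FUNCTION ctx(setting text) RETURNS uuid LANGUAGE sql STABLE AS
  $$ SELECT NULLIF(current_setting('app.' || setting, true), '')::uuid $$;
-- RESTRICTIVE: every command on every row must pass tenant scoping, whatever
-- permissive policies are added later.
CREATE POLICY org_scope ON memberships     AS RESTRICTIVE USING (org_id = ctx('org_id'));
CREATE POLICY org_scope ON prayer_requests AS RESTRICTIVE USING (org_id = ctx('org_id'));
CREATE POLICY members_read ON memberships FOR SELECT USING (true);  -- org-scoped by org_scope

-- Permissive read policy for the three privacy levels (simplified mapping):
--   public   -> any member of the prayer's group
--   private  -> leaders/staff of that group, or an org admin
--   elevated -> the same, plus every org-wide staff role (the intercessory wall)
CREATE POLICY prayer_read ON prayer_requests FOR SELECT USING (EXISTS (
  SELECT 1 FROM memberships m WHERE m.user_id = ctx('user_id') AND CASE privacy
    WHEN 'public'  THEN m.group_id = prayer_requests.group_id
    WHEN 'private' THEN (m.group_id = prayer_requests.group_id AND m.role <> 'group_member')
                     OR (m.group_id IS NULL AND m.role = 'org_admin')
    ELSE                (m.group_id = prayer_requests.group_id AND m.role <> 'group_member')
                     OR  m.group_id IS NULL
  END));
-- Members may only submit as themselves, into a group they belong to.
CREATE POLICY prayer_insert ON prayer_requests FOR INSERT WITH CHECK (
  author_id = ctx('user_id') AND EXISTS (SELECT 1 FROM memberships m
    WHERE m.user_id = ctx('user_id') AND m.group_id = prayer_requests.group_id));
```

With only these policies in place, UPDATE and DELETE on prayer_requests are denied for flock_app until matching permissive policies are added, which is the default-deny behaviour you want to verify in a test suite.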
Encryption
All data transmitted between your device and our servers is encrypted with HTTPS (TLS). This applies to every API call, every chat message, every photo upload, and every page load. Our database connections are encrypted in transit as well. Passwords are hashed using industry-standard algorithms and are never stored in plaintext.
Audit Logging
Flock maintains a comprehensive audit trail of sensitive operations. When staff members access member data, modify permissions, delete records, or perform administrative actions, those events are logged with timestamps, actor identity, and affected resources. This provides accountability and traceability for security-conscious church administrators.
Your Data Rights
We believe church members should have full control over their personal information. Flock supports GDPR-style data rights: members can request access to all personal data we hold, request correction of inaccurate data, request complete account deletion (including prayer requests, attendance records, and chat messages), and request a machine-readable data export. Churches own their data — we are custodians, not owners.
Technical Overview
| Layer | Technology |
|---|---|
| Data Isolation | PostgreSQL Row-Level Security (RLS) |
| Authentication | Firebase Auth (Google OAuth + email/password) |
| Session Management | JWT tokens with automatic refresh and session limits |
| Biometrics | iOS Face ID / Touch ID via Secure Enclave |
| Transport Encryption | TLS / HTTPS on all connections |
| Facial Recognition | AWS Rekognition (org-scoped collections) |
| Real-Time Data | Google Firestore with org-scoped security rules |
| Access Control | 5-tier RBAC enforced at database level |
| Audit Trail | Timestamped audit logs with actor attribution |
| Infrastructure | Railway (managed hosting) with automated deployments |
Questions About Security?
We take the security of your church's data seriously. If you have questions about how we protect your information, we'd love to hear from you.