Bank-Level Security

Our Commitment to Security

At Flock, we understand that you're trusting us with sensitive prayer requests and personal information. We've built our platform with the same security standards that banks use to protect financial data.

Core Security Features

Prayer Privacy Protection

We respect the privacy levels you set for prayer requests:

• Group: Visible only to members of your specific group
• Leaders: Visible only to designated group leaders
• Private: Visible only to you and church leadership you authorize

These privacy settings are enforced at the database level through Row-Level Security policies, making it technically impossible for unauthorized users to access prayers—even if they tried to bypass the application.

Infrastructure Security

Hosting & Infrastructure

• Railway Cloud Platform: Enterprise-grade infrastructure with SOC 2 Type II compliance
• PostgreSQL Database: Industry-standard relational database with advanced security features
• Firebase: Google's secure authentication and real-time database platform
• DDoS Protection: Automatic protection against distributed denial-of-service attacks
• Web Application Firewall: Filters malicious traffic before it reaches our servers

Network Security

• TLS 1.3 encryption for all data in transit
• HTTPS enforced for all connections
• Secure API endpoints with rate limiting
• IP allowlisting for administrative access

Application Security

Secure Development Practices

• Parameterized Queries: All database queries use parameterization to prevent SQL injection
• Input Validation: Strict validation of all user inputs to prevent malicious data
• XSS Prevention: Content sanitization to prevent cross-site scripting attacks
• CSRF Protection: Token-based protection against cross-site request forgery
• Dependency Scanning: Automated scanning for vulnerable dependencies

Testing & Quality Assurance

• 1,821 automated tests with 76.21% code coverage
• Security-focused test suites for authentication and authorization
• Regular penetration testing
• Code reviews for all changes

Operational Security

Access Controls

• Multi-factor authentication required for all staff
• Principle of least privilege for system access
• Comprehensive audit logging of all administrative actions
• Regular access reviews and revocations

Monitoring & Incident Response

• 24/7 automated security monitoring
• Real-time alerts for suspicious activity
• Documented incident response procedures
• Security incident notification within 72 hours

Compliance & Standards

While Flock is not currently required to comply with specific regulations like HIPAA, we've built our platform to exceed industry security standards:

• Follows OWASP Top 10 security guidelines
• Implements security best practices from NIST framework
• Uses SOC 2-compliant infrastructure providers
• Regular third-party security assessments

Data Backup & Recovery

• Automated Daily Backups: Full database backups every 24 hours
• Point-in-Time Recovery: Ability to restore to any point within the last 30 days
• Geographic Redundancy: Backups stored in multiple geographic locations
• Encrypted Backups: All backups encrypted with AES-256
• Regular Testing: Backup restoration procedures tested quarterly

Your Role in Security

Security is a shared responsibility. You can help protect your account by:

• Using a strong, unique password
• Never sharing your login credentials
• Logging out on shared devices
• Reporting suspicious activity immediately
• Keeping your contact information up-to-date
• Reviewing group member permissions regularly

Reporting Security Issues

If you discover a security vulnerability or concern, please report it immediately:

Security Team: [email protected]
Support: [email protected]

We take all security reports seriously and will respond within 48 hours.

Questions?

If you have questions about our security practices or would like more detailed information, please contact us at [email protected].