Ancient Design
Security & subprocessors

How we keep parish data safe.

A small, scrutable list of vendors. Encryption in transit and at rest. Audit logs on every administrative action. A real incident-response process — not a checkbox.

The short version

  • Every connection to Symphonia is TLS 1.3.
  • Database is encrypted at rest with AES-256.
  • Backups run nightly, retained 30 days off-site (encrypted).
  • Every administrative action writes to an append-only audit log.
  • Two-factor authentication required for AD staff; recommended for parish admins.
  • No PII flows to third-party analytics. Ever.
  • We notify affected parishes within 72 hours of becoming aware of a suspected breach.

Subprocessors

To operate Symphonia we engage the following subprocessors. We will give 30 days' notice before adding any new subprocessor that handles parish data.

Vendor      Purpose                                        Location                 DPA
Cloudflare  CDN, DNS, R2 object storage, DDoS protection   Global                   DPA →
Postmark    Transactional + bulletin email delivery        United States            DPA →
Stripe      Online giving + subscription billing           United States            DPA →
Telnyx      SMS broadcasts + 2FA                           United States            DPA →
Sentry      Application error tracking (no PII)            United States            DPA →
OpenAI      Sermon audio transcription (Whisper API only)  United States            DPA →
            Opt-in per parish — disabled by default. Audio not retained.
Hetzner     Application servers + Postgres database        Germany / United States  DPA →

Data access & isolation

Each parish's data is partitioned by parish_id at the row level. The application enforces parish scope on every query that reads or mutates parish data, and the scope check runs before the query is built, so a missing filter fails closed rather than open. Cross-parish reads are only possible for explicitly designated AD staff, and every such access is audit-logged with the staff member's identity.

Parishioners can only see their own household's data through the parishioner portal. There is no "list all parishioners" endpoint exposed to parishioner-role accounts — directory visibility is opt-in, controlled by each member.
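The two paragraphs above describe three controls: every query is scoped by parish_id, cross-parish reads by AD staff are audit-logged, and parishioners see only their own household plus members who opted into the directory. The following is an added example of that pattern, not Symphonia's code. The table and column names, the Principal fields and the role names are assumptions chosen for illustration, and SQLite stands in for Postgres so it runs offline. It also shows the append-only audit log from the summary enforced by the database itself rather than by application discipline.

```python
"""Parish-scoped data access with an append-only audit log.

Added example for this page; it is not Symphonia's code. Table and column
names, the Principal fields and the role names are assumptions. SQLite
stands in for Postgres so the example runs without a server.
"""
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str                               # "parishioner", "parish_admin" or "ad_staff"
    parish_id: Optional[str] = None         # home parish; None for AD staff
    household_id: Optional[str] = None      # set for parishioners only


class CrossParishAccessDenied(PermissionError):
    pass


SCHEMA = """
CREATE TABLE households (
    id TEXT PRIMARY KEY,
    parish_id TEXT NOT NULL,
    name TEXT NOT NULL,
    directory_opt_in INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    at TEXT NOT NULL,
    actor TEXT NOT NULL,
    action TEXT NOT NULL,
    parish_id TEXT NOT NULL,
    detail TEXT
);
-- Append-only: the database refuses edits and deletions of audit rows.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

# Constructed sample data: two parishes; one household per parish opted into the directory.
SAMPLE_HOUSEHOLDS = [
    ("h1", "P1", "Adeyemi", 1),
    ("h2", "P1", "Brennan", 0),
    ("h3", "P1", "Costa", 0),
    ("h4", "P2", "Doyle", 1),
]


class ParishStore:
    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.row_factory = sqlite3.Row
        self.conn.executescript(SCHEMA)
        self.conn.executemany("INSERT INTO households VALUES (?, ?, ?, ?)", SAMPLE_HOUSEHOLDS)
        self.conn.commit()

    def _audit(self, who: Principal, action: str, parish_id: str, detail: str) -> None:
        self.conn.execute(
            "INSERT INTO audit_log (at, actor, action, parish_id, detail) VALUES (?, ?, ?, ?, ?)",
            (datetime.now(timezone.utc).isoformat(), who.user_id, action, parish_id, detail),
        )
        self.conn.commit()

    def households(self, who: Principal, parish_id: str) -> List[str]:
        """Household names in `parish_id` that `who` is allowed to see.

        The scope decision is made before any SQL is built, so a later bug in
        the query cannot widen it; the parish_id filter is always present.
        """
        if who.role == "ad_staff":
            # Cross-parish reads are permitted for AD staff but always leave a trace.
            self._audit(who, "cross_parish_read", parish_id, "households")
        elif parish_id != who.parish_id:
            self._audit(who, "cross_parish_denied", parish_id, "households")
            raise CrossParishAccessDenied(f"{who.user_id} may not read parish {parish_id}")

        sql = "SELECT name FROM households WHERE parish_id = ?"
        params: Tuple = (parish_id,)
        if who.role == "parishioner":
            # Own household plus members who opted into the directory; no list-all.
            sql += " AND (id = ? OR directory_opt_in = 1)"
            params += (who.household_id,)
        return [row["name"] for row in self.conn.execute(sql + " ORDER BY name", params)]

    def audit_entries(self) -> List[Tuple[str, str, str]]:
        return [(r["actor"], r["action"], r["parish_id"])
                for r in self.conn.execute("SELECT actor, action, parish_id FROM audit_log ORDER BY id")]

    def audit_log_is_append_only(self) -> bool:
        """True if the database itself blocks deletion of audit rows."""
        try:
            self.conn.execute("DELETE FROM audit_log")
        except sqlite3.DatabaseError:
            return True
        return False
```

A denied attempt is logged as well as a permitted one, which is what an investigator wants when reviewing who tried to read another parish's data. In Postgres the same scope rule can be pushed down further with row-level security policies keyed on a session variable, so that an application-layer mistake still cannot return another parish's rows; that is a defence-in-depth addition, not something the page states Symphonia does.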

Backups & recovery

The Postgres primary is backed up:

  • Continuously via WAL streaming to a hot standby (RPO ≤ 30 seconds)
  • Nightly full dump to encrypted R2 (retained 30 days)
  • Monthly snapshot to cold storage (retained 12 months)

We test restores quarterly against a parallel database and document the result in our disaster-recovery runbook (see /admin/dr for AD staff).

Incident response

If we become aware of unauthorized access to parish data, we notify affected parishes within 72 hours via email to the registered admin contacts. Within 30 days we provide a written post-mortem covering: what happened, what data was accessed, what we've done to prevent recurrence.

Compliance & certifications

Symphonia is built to map to common frameworks (SOC 2 controls, GDPR data-subject rights, IRS Publication 1771 substantiation requirements). We are pursuing a SOC 2 Type II audit; current status is published at docs/compliance.

Vulnerability reporting

Found a security issue? Email security@ancientdesign.org. Our PGP key is linked from /.well-known/security.txt. We respond within one business day; for critical issues, we typically patch within 48 hours.