The honest version.

• Managed Postgres on Amazon Web Services (US-East). Daily snapshots, point-in-time recovery enabled, encrypted at rest with AWS-managed keys.
• Files (logos, exports, avatars) live in S3 with bucket-level encryption.
• Application logs are retained for 30 days for debugging and security review, then purged.

• TLS 1.2+ for every request between you, our API, and our database.
• All third-party calls (Stripe, Planning Center, SES) happen over TLS with mutual certificate verification.
• We do not transfer data outside the US except to deliver email or load common static assets.

• Passwordless login via 6-digit codes emailed to verified addresses. Codes expire in 10 minutes and are single-use.
• Session tokens are short-lived JWTs scoped to a single church. No long-lived refresh tokens.
• Every state-changing API call goes through a typed authorization middleware that checks church scope + role before reading or writing.

• Volunteer responses are visible only to staff users with access to that volunteer’s team. We don’t expose anyone’s data to anyone else’s church.
• Downline scoping is enforced server-side, not in the UI — a curl request can’t fetch teams a user isn’t cleared for.
• Every admin action (delete, merge, role change) is recorded in an audit log scoped to your church.

• Cancel anytime, in your Settings. You can export every piece of data first — people, touches, notes, responses, audit log — via CSV.
• On cancellation, your church is soft-deleted and held for 30 days in case you change your mind. After that, it’s purged from primary storage.
• Backups age out after an additional 30 days. We do not retain canceled data.

We don’t pretend to be more than we are. Here’s what we’re honest about not having:

• SOC 2. We’re a small team, and SOC 2 Type II is a real investment. We’ll begin the process when our customer base demands it; until then, we follow the spirit of the controls without the audit.
• HIPAA. Pulsily is not built for HIPAA-regulated workflows. Prayer requests are sensitive but not PHI in the regulatory sense; if your church needs to process protected health information, please use a HIPAA-covered tool.
• SSO / SAML / SCIM. Promised on Multi tier, available on request today. Not yet a self-serve toggle.
• Penetration test. We’ll schedule one before we accept our first 1,000-ATT customer. The results will be available on request to enterprise accounts.

We notify affected churches by email within 72 hours of discovering a breach of their data. We’ll tell you what happened, what data was involved, what we’ve done, and what you need to do.

If you find a vulnerability, please write us at our contact form. We don’t run a paid bug bounty yet, but we will credit you publicly (if you want) and we’ll respond inside two business days.