If you have ever paused before typing a member's phone number into a piece of church software, you were right to pause. Contact information is an enormous trust to hold. Our job, as the people building this platform, is to make sure that trust is never misplaced.
What gets encrypted
Personally identifiable fields on the member record (names, email, phone, address, emergency contact, physician name, pastoral notes, prayer items) are encrypted at rest as they are written. You do not toggle this. It happens automatically.
That means if a database dump were somehow obtained by a party who should not have it, those fields would not be readable. The raw data only decrypts when an authorised request comes through the application with valid credentials and tenant context.
What the data explorer does not include
The pivot-table data explorer intentionally excludes the most sensitive fields from its dataset. Pastoral notes, prayer requests, prayer focus, testimony, physician name, and emergency contact details are not in the explorer's row output, even if you have permission to see them in the member form.
Why the difference? Pivot tables are designed to be exported. A CSV of 10,000 members can end up in email attachments, shared drives, personal laptops. We made a deliberate choice: the explorer is for demographics and ministry analytics, not for pastoral data that should never leave the person it belongs to.
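One way to build an export path with this property, as an added example and not the platform's own code: the explorer dataset is projected from an explicit column allowlist, so the caller's permissions never widen it and a field added to the member record later stays out by default. All field and column names here are hypothetical, and the sample record is constructed.

```python
import csv
import io

# Hypothetical field names: the page names these categories, not the schema.
SENSITIVE_FIELDS = frozenset({
    "pastoral_notes", "prayer_requests", "prayer_focus",
    "testimony", "physician_name", "emergency_contact",
})

# Deny by default: the explorer only ever sees the columns listed here.
EXPLORER_COLUMNS = ("member_id", "campus", "age_band", "ministry", "joined_year")

# Fail at import time if a sensitive field is ever added to the export path.
_overlap = SENSITIVE_FIELDS.intersection(EXPLORER_COLUMNS)
if _overlap:
    raise RuntimeError(f"sensitive fields in explorer allowlist: {sorted(_overlap)}")


def explorer_rows(members):
    """Project full member records onto the explorer allowlist.

    The caller's permissions are deliberately not an input: a user who may
    read pastoral notes in the member form still gets no such column here.
    """
    return [{col: m.get(col, "") for col in EXPLORER_COLUMNS} for m in members]


def export_csv(members):
    """Render the explorer dataset as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=EXPLORER_COLUMNS)
    writer.writeheader()
    writer.writerows(explorer_rows(members))
    return buf.getvalue()


# Constructed sample record (not real data).
SAMPLE_MEMBERS = [{
    "member_id": 101, "campus": "North", "age_band": "30-39",
    "ministry": "Youth", "joined_year": 2019,
    "pastoral_notes": "CONSTRUCTED-NOTE", "physician_name": "CONSTRUCTED-DR",
    "emergency_contact": "CONSTRUCTED-CONTACT",
    "new_unreviewed_field": "CONSTRUCTED-FUTURE",  # added to the schema later
}]

if __name__ == "__main__":
    print(export_csv(SAMPLE_MEMBERS))
```

The overlap check is the part worth keeping in a test suite: it turns an accidental addition to the allowlist into a startup failure instead of a leaked column.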
What this means for your team
You can hand the Explore Data tool to a ministry coordinator with members:view and know that sensitive fields are not in the export path. You can let campus admins run imports and know that PII is encrypted the moment it lands.
Security is not a thing our engineers add later. It is a default. That is the baseline every church deserves.