Security
Your church's data is sacred to us. Pastoral notes, children's records, giving history, counselling conversations. Security is not a feature we added - it is built into how Floways works at every level.
We're an Australian company. Your data lives in Australia. Our engineering team is held to the standards we'd want for our own families' churches.
Infrastructure
| Area | Details |
|---|---|
| Hosting | AWS Sydney (ap-southeast-2), exclusively |
| Data residency | All AU/NZ customer data stored in Australia |
| Encryption at rest | AES-256 across all storage, managed via AWS Key Management Service |
| Encryption in transit | TLS 1.2+ on all connections; TLS 1.3 preferred |
| Backups | Continuous point-in-time recovery within ~5 minutes; daily snapshots retained 35 days; weekly snapshots retained 90 days |
| Single-tenant restore | We can restore your data to a point in time without affecting any other church |
Tenant isolation
Floways uses one PostgreSQL database per church - not a shared database with a tenant ID column. There is no shared “members” table containing rows for multiple churches. A bug, an SQL injection vulnerability, or a compromised credential in one church's tenant cannot reach another church's data, because the connection is to a different database entirely.
This is unusual in church management software, and it's deliberate.
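The difference between the two designs described above, as an added example that is not Floways' own code: it uses in-memory SQLite databases as stand-ins for PostgreSQL, and the church names, member names and function names are all constructed for illustration. It simulates one application bug (a query that omits the tenant filter) and shows what each design returns.

```python
import sqlite3

# Constructed sample data: (church, member name). Not real records.
SAMPLE = [("st_marks", "Alice"), ("st_marks", "Bob"), ("grace_hill", "Carol")]

def shared_db():
    """Shared-schema design: one 'members' table, rows tagged with tenant_id."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (tenant_id TEXT, name TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE)
    return db

def per_tenant_dbs():
    """Database-per-tenant design: each church gets its own separate database."""
    dbs = {}
    for tenant, name in SAMPLE:
        if tenant not in dbs:
            dbs[tenant] = sqlite3.connect(":memory:")  # independent database
            dbs[tenant].execute("CREATE TABLE members (name TEXT)")
        dbs[tenant].execute("INSERT INTO members VALUES (?)", (name,))
    return dbs

def list_members_shared(db, tenant, forget_filter=False):
    """Isolation here depends on every query carrying the tenant_id predicate."""
    if forget_filter:  # simulated application bug: predicate omitted
        sql, args = "SELECT name FROM members ORDER BY name", ()
    else:
        sql = "SELECT name FROM members WHERE tenant_id = ? ORDER BY name"
        args = (tenant,)
    return [row[0] for row in db.execute(sql, args)]

def list_members_isolated(dbs, tenant):
    """Isolation comes from connection routing; there is no predicate to forget."""
    db = dbs[tenant]  # an unknown tenant raises KeyError rather than falling back
    return [row[0] for row in db.execute("SELECT name FROM members ORDER BY name")]

if __name__ == "__main__":
    shared, isolated = shared_db(), per_tenant_dbs()
    print("shared, correct query:", list_members_shared(shared, "grace_hill"))
    print("shared, buggy query:  ", list_members_shared(shared, "grace_hill", True))
    print("per-tenant database:  ", list_members_isolated(isolated, "grace_hill"))
```

In the per-database design the step that maps a request to its database connection becomes the control to review, since that is where a mistake could still select the wrong church.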
Authentication and access
- Multi-factor authentication (MFA) is supported via three methods: authenticator app (TOTP), SMS one-time code, and email one-time code. We strongly recommend TOTP - the most secure of the three - for any account with admin or financial access.
- Passwords are never stored in plain text. We use industry-standard hashing.
- Session tokens expire automatically after inactivity.
- Role-based access control with granular per-module permissions, scoped to the organisational hierarchy (“Spaces”) inside the platform.
- The Church Super Admin role is protected and cannot be deleted.
- All API endpoints require authentication by default. Permissions are enforced at the application layer, not just the user interface.
AI and data privacy
All AI inference in Floways runs server-side within our backend boundary in Sydney. Your data is never sent to an AI provider in a way that allows the provider to retain it or use it to train models.
We do not train AI models on your data. We do not opt into any AI provider's training programme. AI features can be disabled at the module or organisation level if your church prefers.
AI API keys are stored in secure secret management and are never accessible from a browser, a frontend bundle, or an end user.
Payment security
Floways does not store raw card numbers, CVVs, or bank account credentials at any point. All payment processing is handled by PCI-DSS Level 1 compliant processors - the highest tier, audited annually. Card details are entered via the processor's secure tokenisation widget; Floways stores only a token reference, the last four digits, and the card brand.
This places Floways' direct PCI-DSS scope at SAQ-A - the lightest tier - by design.
Application security
- All code changes are peer-reviewed before deployment.
- Architectural changes require written review and sign-off by our Senior Systems Architect.
- Automated dependency scanning, secret scanning, and security analysis run as part of our deployment pipeline.
- Production access is limited to a small number of named engineers under MFA.
Incident response
In the event of a security incident affecting your data:
- We will notify affected customers promptly, and in any event no later than 24 hours after we confirm the incident.
- The notification will include the nature of the incident, what data was affected, and the steps we are taking.
- We comply with mandatory data breach notification requirements under the Privacy Act 1988 (Cth) and the Notifiable Data Breaches scheme.
- We notify the Office of the Australian Information Commissioner (OAIC) where the law requires, within statutory timeframes.
To report a security issue, contact security@floways.co.
Data ownership and exit
Your data is yours. You can export it at any time as JSON or CSV - at no charge.
On termination, your data is retained in read-only state for 90 days, with notifications at the 30-day and 7-day marks before permanent and irreversible deletion. See our Privacy Policy for full details.
Subprocessors
We share data only with service providers necessary to operate Floways - cloud hosting, payment processing, email and SMS delivery, AI inference, and error monitoring. Each provider is contractually bound to security and confidentiality standards equivalent to ours. The categories are listed in our Privacy Policy. The named-vendor register is available on request.
Your responsibilities
Security is a shared responsibility. We recommend:
- Enabling MFA on all Floways user accounts (TOTP preferred)
- Using strong, unique passwords
- Reviewing user access regularly and removing accounts for staff who have left
- Contacting us immediately at security@floways.co if you suspect unauthorised access
Security questionnaires and procurement reviews
If your church or denomination requires a security questionnaire response or a deeper review, we have a Security, Data Handling & Breach Response Framework - the document our engineering team operates against - available under NDA. Email security@floways.co.
Questions about security: security@floways.co
Vinteract Pty Ltd t/a Floways · Adelaide, South Australia · Last updated: 4 May 2026