Separate church workspaces
Server-side authorization limits records and actions to the signed-in user’s church membership and permitted role.
Least-privilege access
Owners, administrators, editors, users, platform support, and the platform owner have distinct responsibilities and controls.
Traceable operations
Important inventory, account, support, and platform changes create audit records to help diagnose mistakes and investigate concerns.
Current safeguards
- HTTPS-secured connections for the public site and application.
- Supabase-based authentication and private password handling.
- Server-enforced church, role, cost, department, export, and deletion permissions.
- Cloudflare-hosted application, database, and file infrastructure.
- Protected file and logo access tied to church membership.
- Automatic browser-error reporting without form values or passwords.
- Support and quality-gate tools restricted from ordinary subscriber accounts.
- Export and recovery controls for authorized church administrators.
Report a vulnerability
Email security@getstewardex.com with a clear description, affected page, reproduction steps, and potential impact. Do not include real passwords or unnecessary church records.
- Do not access or alter another church’s information.
- Do not use automated attacks, denial-of-service testing, social engineering, or destructive techniques.
- Stop if you encounter personal or confidential information and report it promptly.
- Allow Stewardex reasonable time to investigate and correct a confirmed issue before public disclosure.
Security incidents
Stewardex will investigate credible reports, preserve relevant records, contain confirmed issues, and notify affected parties when required by applicable law. Security questions from church account owners may also be submitted through the signed-in Support area.