Holy ResourceHoly Resource
Security

Security Model

How we protect your congregation's most sensitive information.

Holy Resource uses layered controls around local ownership, branch boundaries, and least-privilege access.

Three Layers of Security

1. Local-first data ownership

Primary church data is stored on your device first. This reduces exposure to always-online infrastructure risk.

2. Role-Based Access Control (RBAC)

Permissions are enforced through branch-aware access checks and guarded actions.

  • Resource Scoping: Users are assigned to specific resources (Members, Finances, Events).
  • Action Scoping: Users are restricted to actions (Read, Write, Delete, Export, Import, Manage).

3. Sensitive-field protection + operational controls

  • Sensitive fields and credentials are protected in storage and app workflows.
  • Sync/server credentials are stored with protected handling.
  • Session, branch access, and permission checks reduce unauthorized access risk.

Encryption & Sensitive Fields

Holy Resource follows a local-first, privacy-first operating model:

  • Church data lives locally by default.
  • Sensitive fields are protected using encryption and access controls.
  • Data sharing is scoped to branch boundaries.

In Transit

For any networked communication such as sync, updates, or remote service connections:

  • use secure endpoints and trusted connection codes
  • avoid copying raw tokens into chat or email
  • rotate sync credentials when staff turnover happens

At Rest

For local and server storage:

  • sensitive fields, such as contact information and key configuration secrets, are stored with protected handling
  • enforce strict device access and operating-system account security
  • keep backup destinations access-controlled

Branch-Bound Context

Sensitive record handling is branch-aware. In practice, your operational security model should treat each branch as its own data boundary for access and review.

Operational Best Practices

  • Keep admin credentials and API keys in secret managers, not source files.
  • Do not log raw secrets, tokens, or full sensitive payloads.
  • Enforce least privilege on roles and branch access.

Privacy Guidelines

To maintain the highest security standard, we recommend:

  • Strong Admin Passwords: Protect owner/admin accounts with unique, high-entropy passwords.
  • Regular Backups: Store your exports in a secure, second location (like an encrypted external drive).
  • Physical Security: Lock your workstation when away, as local access to the machine is the most common point of failure.

Encryption Keys

Use church-owned credential management practices for admin and recovery continuity.

Return to the Welcome Page or continue to the Getting Started guide.

Last updated on

Was this helpful?

Troubleshooting

Common issues and practical fixes for Holy Resource operations.

Integrity Enforcement

What Holy Resource checks before it trusts an existing workspace, and what recovery mode means for church teams.

On this page

Three Layers of Security1. Local-first data ownership2. Role-Based Access Control (RBAC)3. Sensitive-field protection + operational controlsEncryption & Sensitive FieldsIn TransitAt RestBranch-Bound ContextOperational Best PracticesPrivacy GuidelinesRelated