Security & Reliability


Effective Date: 3 June 2026
Last Updated: 3 June 2026

This page explains how Injil AI hosts, protects, backs up, and monitors the Steward service. It is written for Church Customers (and their advisors) evaluating Steward. Steward is operated by Injil AI; the Church Customer is the data controller for its members' personal information and Injil AI acts as a data processor on its behalf (see our Privacy Policy and Terms of Service).


1. Hosting & Data Residency

  • Steward runs on DigitalOcean infrastructure in the Sydney (SYD1) region. Your data is stored and processed in Australia.
  • The application, database, and supporting services run in isolated containers on a managed virtual private server, behind a reverse proxy that terminates TLS.
  • Off-site backups are stored in DigitalOcean Spaces in Sydney, so backup copies also remain in Australia.

2. Encryption & Network Security

  • In transit: all traffic between your devices and Steward is encrypted with HTTPS/TLS. Certificates are issued and renewed automatically (Let's Encrypt).
  • Internal isolation: the database and cache run on a private network that is not exposed to the public internet — only the application can reach them.
  • Secrets: application secrets and credentials are held in server-side configuration, never committed to source control or shipped to client apps.

3. Access & Account Security

  • Passwords are never stored in plain text — only as a salted bcrypt hash.
  • Authentication uses short-lived access tokens with separate refresh tokens; tokens are kept in secure storage on mobile devices.
  • Role-based access limits what each user can see and do (member, admin, and ministry-specific roles such as children's check-in).
  • Per-church data isolation: Steward is multi-tenant, and each church's data is scoped to that church so one church cannot see another's members, attendance, or content.

4. Availability & Monitoring

  • We aim for high availability and monitor uptime continuously. Live and historical status is published at https://status.injil-ai.com.
  • Our monitoring checks a deep health endpoint that verifies the database is reachable — so the status page reflects real service availability, not merely whether a process is running. An outage automatically raises an alert to our team.
  • We do not currently offer a contractual uptime guarantee (SLA). Steward is a young product on a single-region deployment; we are transparent about this rather than promise a figure we don't yet engineer for. See the Terms of Service for the formal availability terms.

5. Backups & Disaster Recovery

  • The database is backed up daily, automatically.
  • Each backup is copied off-site to DigitalOcean Spaces (Sydney) and retained on a rolling schedule.
  • Backups are not write-once trophies: we rehearse restores on a recurring basis, restoring a recent backup into a throwaway database and verifying it, so we know recovery actually works.
  • Deployments are immutable and roll back to a previous known-good version quickly if a release misbehaves.

6. Sub-processors

We rely on a small set of reputable providers to deliver Steward:

Provider     | Purpose
DigitalOcean | Hosting (compute, database, off-site backup storage) — Sydney, Australia
Zoho         | Transactional email (password resets, notifications) — Australia
Expo         | Mobile push-notification delivery — United States

We will update this list as our infrastructure evolves.

7. Reporting a Security Concern

If you believe you've found a security vulnerability or have a security question, please email infosec@injil-ai.com. We take reports seriously and will respond promptly.


This page describes our current practices and will be updated as Steward grows (for example, as we add redundancy, a formal SLA, or a Data Processing Agreement for customers who require one).