Trust & Infrastructure

Security at Wethr

Your congregation's data is sensitive. We've designed Wethr from the ground up with security as a first-class requirement — not an afterthought. Here's exactly how we protect it.

Defense in depth
US-based infrastructure
72-hour incident notification
Isolated by design.
Each church's data is structurally separated — not just by application logic, but enforced at the database level.
Encrypted end to end.
All data is encrypted in transit with TLS 1.2+ and encrypted at rest with AES-256.
Minimum access, always.
Every role — staff, leader, or volunteer — sees only what they need. Nothing more.
1

Overview

Wethr is built on a fully managed, serverless infrastructure stack. There are no servers for us to patch, no operating systems to maintain, and no hardware to secure. Every component is a managed service from a provider with its own security certifications and SLAs.

This document explains how each layer of the stack is secured, how church data is isolated from other churches, how access is controlled, and what happens when something goes wrong. We publish this so your church's leadership can make an informed decision about trusting Wethr with your congregation's data.

Security is a shared responsibility

Wethr secures the platform and the infrastructure beneath it. Your church is responsible for managing who has access to your Wethr account, keeping credentials secure, and using the permission system appropriately. Both sides of that contract matter.

2

Infrastructure

Wethr runs on a fully serverless stack, distributed across industry-leading managed providers. Each provider is responsible for the physical and network security of the underlying hardware. Wethr is responsible for how we configure and use those services.

Vercel Application hosting · Next.js · API routes · Edge Middleware · Subdomain routing
Supabase PostgreSQL database · Authentication · Row Level Security · Realtime subscriptions
Cloudflare R2 File storage · Zero egress · Presigned URL access · No direct public exposure
Inngest Background jobs · Schedule notifications · Event-driven workflows · Durable execution
Provider Role Security posture
Vercel App Hosts the Next.js application, API routes, and edge middleware SOC 2 Type II certified. DDoS protection at the edge. Automatic HTTPS enforcement. Isolated deployment environments per branch.
Supabase DB + Auth PostgreSQL database, authentication service, and realtime layer SOC 2 Type II certified. Data hosted on AWS us-east-1. Encryption at rest (AES-256). Row Level Security enforced at the Postgres level. MFA on all Supabase dashboard access.
Cloudflare R2 Files Stores all user-uploaded files — PDFs, images, documents, audio Cloudflare's global network with DDoS mitigation. Files are never publicly accessible — all access is via time-limited presigned URLs generated by the Wethr API. Zero direct public bucket access.
Inngest Jobs Background job processing for notifications, reminders, and scheduled tasks Event payloads are encrypted in transit. Job execution is scoped per church. Failure states are logged and alertable.

All infrastructure is hosted in US-based data centers. Data does not leave US jurisdiction under normal operation.

3

Data Isolation

Every church in Wethr is a completely isolated tenant. One church can never access another church's data — not through the application, and not through the database. This isolation is enforced at two independent layers.

Layer 1 — Application (tRPC middleware)

Every authenticated request resolves the caller's church_id from their verified session JWT — never from user input. All API procedures receive this church_id from the request context and inject it as an explicit filter into every database query. It is architecturally impossible for a user with a valid session for Church A to query Church B's data — the wrong church_id would return no results.

Layer 2 — Database (Row Level Security)

Supabase Row Level Security (RLS) policies are enabled on every table in the Wethr database. RLS enforces church_id scoping at the PostgreSQL level. Even if a bug in the application layer were to omit a church_id filter, the database would return only records matching the authenticated user's church. The application layer is the primary enforcement point; RLS is the backstop.

Two independent enforcement layers

The application layer and RLS enforce isolation independently. Both would need to fail simultaneously for a cross-church data leak to occur. This defense-in-depth approach means a single bug cannot breach tenant isolation.

Subdomain isolation

Every church accesses Wethr via their own subdomain — for example, gracechurch.wethr.co. Vercel Edge Middleware intercepts every request before it reaches the application and resolves the subdomain to a specific church context. A valid session for Church A cannot be used to authenticate at Church B's subdomain — the session is rejected and the user is shown Church B's login screen.

4

Encryption

All data in Wethr is protected by encryption at every stage — in transit between the browser and our servers, and at rest in our database and file storage.

Context Standard Details
Data in transit TLS 1.2+ All traffic between the browser and Wethr is encrypted via HTTPS. TLS 1.0 and 1.1 are disabled. HTTP requests are redirected to HTTPS automatically. Valid SSL certificates are managed and auto-renewed by Vercel and Cloudflare.
Database at rest AES-256 The PostgreSQL database hosted on Supabase (AWS us-east-1) encrypts all data at rest using AES-256. This includes all church, member, schedule, and communication data.
File storage at rest AES-256 Files stored in Cloudflare R2 are encrypted at rest. Uploaded files are stored in a private bucket and are only accessible via time-limited presigned URLs — not through any public URL.
Authentication tokens JWT + RS256 Session tokens are signed JWTs using RS256 (asymmetric signing). Tokens are short-lived and scoped to a specific church. Token verification does not require a database lookup on every request.
Passwords N/A — passwordless Wethr uses a passwordless OTP authentication model. There are no stored passwords to compromise. Authentication codes are single-use and expire after 24 hours.
5

Authentication

Wethr uses a passwordless, email-based OTP (one-time passcode) authentication model. There are no passwords stored anywhere in our system — which eliminates an entire category of credential-based attacks.

No passwords
Eliminates credential stuffing, brute-force, and password reuse attacks entirely.
Single-use codes
OTP codes are valid for one use only and expire after 24 hours. Intercepted codes cannot be reused.
Rate-limited attempts
OTP entry is limited to 5 attempts per code. Too many failures lock the code and require requesting a new one.
Short-lived sessions
Session JWTs are scoped to a specific church and expire automatically. "Remember me" tokens are stored as secure, HttpOnly cookies.
Instant deactivation
Admins can deactivate a user immediately. Active sessions are blocked on the next request — no waiting for token expiry.
Invite-only access
Users cannot self-register. Access to your Wethr account requires an explicit invitation from an admin within your church.
Authentication is powered by Supabase Auth

Wethr's authentication layer is built on Supabase Auth, which is purpose-built for secure, production-grade authentication. It handles OTP generation, token signing, and session management — we don't implement these primitives ourselves.

6

Access Control

Wethr uses a five-tier role-based access control (RBAC) model. Every user is assigned one or more roles, and every API endpoint enforces the minimum role required to access it. Role resolution happens fresh on every request — there is no stale permission state cached in a JWT.

Super Admin
Full access to all data, settings, and users across the church account. Can manage billing and grant or revoke all other roles.
Staff / Admin
Full operational access to all data and features. Cannot modify system-level settings or manage Super Admin accounts.
Ministry Leader
Full access to their assigned team(s) and groups. Read-only access to the directory (name and photo for all; full contact info for their team members only).
Volunteer
View their own schedule, set preferences and blackout dates, and manage their own profile. Cannot access any other user's data or team management tools.
Member
View and edit their own directory profile. Browse publicly visible small group information. No access to scheduling, teams, or operational data.

Enforcement

Role enforcement is implemented at the tRPC API layer using procedure middleware. Every API endpoint is annotated with its minimum required role. If a user's resolved role does not meet the requirement, the endpoint returns an UNAUTHORIZED error before any business logic executes. Role changes take effect immediately on the user's next request — no re-login required.

Leader scoping goes deeper

Ministry Leaders are not just role-restricted — they are team-scoped. A leader can only manage the specific teams they have been assigned to. If they attempt to access another team via the API, a secondary check returns a FORBIDDEN error regardless of their role level.

7

File Storage

User-uploaded files — PDFs, images, documents, chord charts, and audio — are stored in Cloudflare R2. The bucket is fully private. No file is ever accessible via a direct public URL.

Access pattern

All file access (both upload and download) uses short-lived presigned URLs generated by the Wethr API:

Step Who What happens
1. Request URL Browser → Wethr API The client requests an upload or download URL. The API validates the user's role and church membership before proceeding.
2. Generate presigned URL Wethr API → Cloudflare R2 A time-limited (15-minute) presigned URL is generated server-side and returned to the client. The URL is scoped to a specific file key.
3. Transfer directly Browser → Cloudflare R2 The client uploads or downloads directly to/from R2. File data never passes through Wethr's application servers, reducing exposure.

Files are organized in a per-church bucket structure. The Wethr API validates church membership and role before generating any presigned URL — ensuring that users can only access files belonging to their own church and within their permission scope.

8

Backups & Recovery

Wethr's database is backed up automatically on a continuous basis. Our recovery capabilities ensure that data loss from any incident can be minimized and resolved quickly.

Capability Specification
Daily automated backups The production Supabase database is backed up daily with a 7-day retention window. Backups are stored in a separate AWS region from the primary database.
Point-in-time recovery (PITR) PITR is enabled on the production database, allowing restoration to any second within the retention window. This protects against accidental data deletion or corruption.
Staging environment A fully separate staging environment mirrors the production configuration. Migrations and changes are validated in staging before reaching production.
Migration process Database schema changes are versioned via Prisma Migrate. Production migrations are applied manually by an engineer before deploying the corresponding application code, ensuring schema and application are always in sync.
File storage durability Cloudflare R2 provides 99.999999999% (11 nines) object durability through redundant storage across multiple locations.
You can export your own data at any time

Backup infrastructure protects against infrastructure-level failures. For your own peace of mind, church admins can export a full copy of their directory, service history, and team data from Wethr's admin settings at any time — no request required.

9

Wethr Team Access

We take a strict minimum-access approach to our own team's access to customer data.

Policy Details
Need-to-know only Wethr engineers and support staff can access customer data only when explicitly required to resolve a support issue, and only when that access has been requested or approved by the church's account administrator.
MFA required All Wethr team members with access to production systems are required to use multi-factor authentication on all accounts (Supabase dashboard, Vercel, Cloudflare, and internal tools).
No production access for non-engineers Access to production infrastructure is limited to engineers. Support and customer-facing staff interact with a separate admin tooling layer that does not have direct database access.
Access logging All access to production systems is logged. Logs are retained for 90 days and reviewed periodically for anomalous activity.
No third-party data sharing Wethr does not share church or member data with any third party except as required to operate the service (email delivery, SMS delivery, payment processing) — all of which are governed by data processing agreements.
10

Incident Response

We maintain a documented incident response process. When a security incident is detected — whether by our monitoring systems, a third-party report, or internal discovery — we follow a structured response protocol.

Immediately
Detection & Containment
The incident is escalated to the engineering team. The affected system or data path is isolated or taken offline as necessary to prevent further impact.
Within 24 hours
Assessment
We assess the scope of the incident — what data was affected, which churches are involved, and whether the incident constitutes a reportable breach under applicable law.
Within 72 hours
Customer Notification
If church data was affected, we notify the account administrator(s) of all affected churches within 72 hours of confirming the breach. Notification includes what happened, what data was involved, and what we've done to contain it.
Ongoing
Remediation & Review
The root cause is identified and remediated. A post-mortem is conducted. Findings are used to improve our security posture and prevent recurrence.
Infrastructure provider incidents

For incidents originating from our infrastructure providers (Supabase, Vercel, Cloudflare), we will communicate the provider's status and our own impact assessment to affected churches. Provider status pages are publicly accessible and we will reference them directly in communications.

11

Responsible Disclosure

We welcome security researchers and community members who identify potential vulnerabilities in Wethr. If you believe you've found a security issue, please report it to us before disclosing it publicly — we will work with you to investigate and resolve it promptly.

How to report a vulnerability
1
Email us directly
Send a detailed report to security@wethr.co. Include a description of the vulnerability, steps to reproduce, and the potential impact you've assessed.
2
We respond within 48 hours
We will acknowledge your report and provide an initial assessment. We will keep you updated as we investigate and remediate.
3
We ask for coordinated disclosure
Please give us reasonable time to patch before public disclosure. We will work with you on timing and are happy to acknowledge your contribution when the fix is released.

We do not take legal action against researchers who act in good faith, follow responsible disclosure practices, and do not access, modify, or exfiltrate customer data in the course of their research.

12

Your Role in Security

Platform security is a partnership. Wethr secures the infrastructure — but your church's administrators play an essential role in protecting your account from the inside.

Your responsibility Why it matters
Keep OTP codes private Login codes are single-use and sent to individual email addresses. Never share a code with another person — treat it like a password.
Use a secure email account Since Wethr sends login codes by email, the security of your Wethr account depends on the security of the email address it's linked to. Use strong passwords and MFA on your email provider.
Assign roles carefully Grant the minimum role necessary. Not every staff member needs Super Admin access — use Staff/Admin, Leader, or Volunteer roles where appropriate.
Deactivate departing users promptly When a volunteer, leader, or staff member leaves your church, deactivate their Wethr account immediately from Settings > Users. Deactivation takes effect on the next request — there is no delay.
Review active users periodically Review your user list at least once a year to ensure that everyone with access still needs it. Remove accounts that are no longer in use.
Report suspicious activity If you notice unexpected logins, unusual data changes, or anything that looks wrong, contact us immediately at security@wethr.co.
Questions? We're here to help.

If your church has specific security requirements, compliance questions, or needs a security review before adopting Wethr, reach out to security@wethr.co. We are happy to answer detailed questions and work with your leadership team directly.