Our commitment to protecting our platform, our partners, and our data.
Our platform is built around a secure API gateway that serves as a single, protected point of entry for all data. This architecture prevents direct access to our backend infrastructure, ensuring every request is authenticated and authorized before processing.
All access to the Global.Church API requires a valid API key. Unauthenticated or anonymous requests are rejected, ensuring that only verified partners can interact with our data services.
To minimize the risk of compromised credentials, we employ a fully automated API key rotation system. Keys are programmatically rolled based on a defined lifecycle (e.g., every 90 days) with a configurable overlap window, ensuring zero-downtime security updates for our partners.
Our API gateway securely manages and injects credentials for our backend services (Supabase). Partner API keys are used only for gateway access; they do not grant direct access to our database, and backend credentials are never exposed to the client.
To protect our services from abuse and ensure high availability for all partners, we implement dynamic, per-key rate limiting. Each partner is allocated a specific request quota per minute, tailored to their service plan, preventing any single consumer from impacting the platform's stability.
API access and partner configurations are managed declaratively through a version-controlled, GitOps workflow. This process ensures that all changes to access policies and rate limits are reviewed, audited, and deployed systematically, providing a transparent and secure management lifecycle.
At Global.Church, we are deeply committed to maintaining the trust and confidence of our partners and users. Our privacy policy outlines our practices concerning data collection, use, and protection.
The Global.Church API exclusively serves public information about church organizations, such as names, addresses, service times, and websites. We do not collect, store, or process any Personal Identifiable Information (PII) of our partners' end-users through our API.
To provide and manage API access, we securely store the necessary contact and organizational information for our registered partners. This information is used solely for service administration, communication, and billing purposes. We do not sell or share our partners' information with third parties.
When you visit our developer portal or website, we may use cookies or analytics tools to understand site traffic and improve our services. This data is aggregated and does not personally identify you. Any information submitted through our contact forms is used exclusively to respond to your inquiries.
We enforce a strict Cross-Origin Resource Sharing (CORS) policy to ensure that our API can only be accessed from authorized web domains. This prevents malicious actors from making unauthorized client-side requests to our services.
If you have any questions about our security or privacy practices, please submit feedback through our feedback form.