Echo is built with the same security standards expected of healthcare and financial applications. Because your members' personal information and prayer requests deserve nothing less.
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. This applies to your database (Supabase PostgreSQL), file storage (Supabase Storage), and every API connection between Echo and third-party services.
Passwords are hashed with bcrypt — they are never stored or transmitted in plain text.
Five distinct roles (Owner, Admin, Editor, Reviewer, Viewer) control exactly what each team member can see and do. Permissions are enforced on every API route — not just in the UI. Even if someone bookmarks a URL, they can’t access data beyond their role.
No public signup on your organization’s instance. New team members must be invited by an Admin or Owner. Invitations include a pre-assigned role and expire after 7 days. This prevents unauthorized access and keeps your member data private.
Every account requires a verified email address. Users who haven’t verified see a persistent banner and can request a new verification email at any time. This ensures that account recovery and notifications reach the right person.
Enterprise plans support OIDC/SSO integration with identity providers like Authentik, Okta, Azure AD, and Google Workspace. This lets large churches and denominations use their existing identity infrastructure — single sign-on, centralized user management, and automatic deprovisioning when staff leave.
Every significant action is logged: who created a card, who reviewed it, who changed a setting, when integrations fired, and what data was synced. The activity log is timestamped and user-attributed, giving you a complete chain of custody for sensitive data like prayer requests and personal decisions.
Echo runs on Vercel’s global edge network with Supabase (built on AWS) for database and storage. Both platforms maintain SOC 2 Type II compliance, regular security audits, and automatic backups.
For organizations with strict data residency requirements, the Enterprise plan includes self-hosted deployment via Docker — your data never leaves your own infrastructure.
All outbound webhooks are signed with HMAC-SHA256 using your secret key. Receiving systems can verify that payloads originated from Echo and were not modified in transit. This prevents spoofed data from entering your CRM or other connected systems.
Start free with 50 cards per month. No credit card required.