A safe skin over Planning Center

Why the safest church website is the one that never touches money or member data.


The safest church website is the one that holds the least. That isn’t a marketing line — it’s a security principle. It’s the architectural posture we picked deliberately, and it shapes every decision we make.

We call it a safe skin over Planning Center.

The model

Visitors land on the studio-built site. It’s fast, static, served from Cloudflare’s edge. Page copy and sermon text live in Sanity — a CMS where nothing sensitive ever goes. Photos come from a per-church image library, owned by the church.

When someone wants to give, they hit a button that links or iframes to {church}.churchcenter.com/giving. Payment runs on Planning Center Giving → Stripe (PCI-DSS Level 1). The card number never touches our DOM, our network, our logs, or our memory. We cannot leak what we cannot see.

When someone wants to register for an event or fill out a connect card, the form either lives in Church Center or posts directly to Planning Center via a write-through function that persists and logs nothing. Member data is in PCO, where the church already trusted it.

When someone wants to find a sermon, our Cloudflare Function reads from Planning Center Publishing using a per-tenant OAuth refresh token, scoped to calendar and publishing only — never giving, never people. The function holds nothing on disk, returns only what’s needed, and re-authenticates through the church’s own access controls.
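The read path just described, as an added illustration (example code, not the studio's own and not Planning Center's API client): a Worker-style handler that refuses a token whose granted scope reaches past calendar and publishing, strips the upstream response down to the handful of fields the public site needs, and redacts tokens from anything it logs. The token endpoint, the Publishing URL path and the episode JSON shape are assumptions; the upstream is a constructed stand-in so the file runs offline in Node.

```javascript
// Added example, not the studio's code: the sermon read path written as a
// Cloudflare-Worker-style handler whose network call is injected, so it
// runs offline against a constructed upstream. The token endpoint, the
// Publishing URL path and the sermon JSON shape below are ASSUMPTIONS;
// only the scope names (calendar, publishing, giving, people) come from
// the page.

// The only scopes this function may run with. A token granting anything
// else is treated as a misconfiguration and refused before any data call.
const ALLOWED_SCOPES = new Set(["calendar", "publishing"]);

// The only sermon fields the public site needs; every other upstream
// attribute is dropped before the response leaves the function.
const PUBLIC_FIELDS = ["title", "speaker", "published_at", "video_url"];

// Fail closed on an over-scoped token. The error names the excess scope,
// never the token value.
function assertScopesAllowed(scopeString) {
  const granted = scopeString.split(/\s+/).filter(Boolean);
  const excess = granted.filter((s) => !ALLOWED_SCOPES.has(s));
  if (excess.length > 0) throw new Error(`token over-scoped: ${excess.join(", ")}`);
  return granted;
}

// Keep allow-listed attributes only; unknown keys never reach the browser.
function pickPublicFields(attrs) {
  const out = {};
  for (const k of PUBLIC_FIELDS) if (k in attrs) out[k] = attrs[k];
  return out;
}

// Scrub bearer and refresh tokens from any string that might be logged.
function redact(text) {
  return String(text)
    .replace(/(Bearer\s+)\S+/g, "$1[redacted]")
    .replace(/(refresh_token=)[^&\s]+/g, "$1[redacted]");
}

// Exchange the per-tenant refresh token for a short-lived access token,
// verify its scope, fetch the episode list, filter it, return it. The
// refresh token lives only in `env` for the life of the request; nothing
// is written to storage and nothing unredacted is passed to `log`.
async function listSermons(env, upstreamFetch, log = () => {}) {
  const tokenUrl = "https://api.planningcenteronline.com/oauth/token"; // ASSUMED endpoint
  const body = `grant_type=refresh_token&refresh_token=${encodeURIComponent(env.REFRESH_TOKEN)}`;
  log(`POST ${tokenUrl} ${redact(body)}`);
  const tokenRes = await upstreamFetch(tokenUrl, { method: "POST", body });
  if (!tokenRes.ok) throw new Error(`token refresh failed: HTTP ${tokenRes.status}`);
  const token = await tokenRes.json();
  assertScopesAllowed(token.scope || "");

  const episodesUrl = "https://api.planningcenteronline.com/publishing/v2/episodes"; // ASSUMED path
  const headers = { Authorization: `Bearer ${token.access_token}` };
  log(`GET ${episodesUrl} ${redact(headers.Authorization)}`);
  const res = await upstreamFetch(episodesUrl, { headers });
  if (!res.ok) throw new Error(`publishing read failed: HTTP ${res.status}`);
  const payload = await res.json();
  return (payload.data || []).map((item) => pickPublicFields(item.attributes || {}));
}

// --- Constructed stand-in for the network so the example runs offline ---
const DEMO_ENV = { REFRESH_TOKEN: "rt_constructed_demo_value" }; // constructed, not a real token
const DEMO_LOG = [];
async function fakeUpstream(url, init = {}) {
  const json = (status, data) => ({ ok: status < 300, status, json: async () => data });
  if (url.endsWith("/oauth/token")) {
    if (!String(init.body).includes(encodeURIComponent(DEMO_ENV.REFRESH_TOKEN))) return json(401, {});
    return json(200, { access_token: "at_constructed", token_type: "Bearer", scope: "calendar publishing" });
  }
  if ((init.headers || {}).Authorization !== "Bearer at_constructed") return json(401, {});
  return json(200, {
    data: [
      { id: "1", attributes: { title: "Sermon one", speaker: "Constructed Speaker", published_at: "2024-01-07",
                               video_url: "https://example.invalid/s1", internal_notes: "must never be exposed" } },
      { id: "2", attributes: { title: "Sermon two", speaker: "Constructed Speaker", published_at: "2024-01-14",
                               video_url: "https://example.invalid/s2" } },
    ],
  });
}

// Run the handler against the constructed upstream, capturing log lines.
function demo() {
  return listSermons(DEMO_ENV, fakeUpstream, (line) => DEMO_LOG.push(line));
}

demo().then((sermons) => console.log(JSON.stringify(sermons, null, 2)));
```

The two checks worth copying are the order of operations (scope is verified before the first data request is made, so an over-scoped token never fetches anything) and the allow-list on output fields, which is what keeps an upstream attribute added later from silently reaching the browser.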

That’s the whole picture. Money on PCO. PII on PCO. We are the presentation layer.

What this means for blast radius

If we got breached tomorrow — every server, every function, every backup — what would the attacker get?

  • Page copy and sermon text from Sanity (public anyway).
  • Per-tenant OAuth refresh tokens, each encrypted with a distinct key in Cloudflare’s Secrets Store. One leaked ciphertext doesn’t decrypt another church’s.
  • The image library (public anyway).

That’s the worst case. No card numbers. No giving history. No membership directory. No prayer requests. No phone numbers. No emails beyond a contact address.

Compare that to a bundled platform where the same vendor holds the website and the giving history and the member directory and the messaging app. A breach there is a different category of bad day.

What this means for the studio

It means we say “no” to certain features. We won’t store member data, even if it would make a feature easier. We won’t hold a giving scope, even for read-only convenience. We won’t accept a Personal Access Token from a church, even if it would speed up onboarding — they’re too powerful, too easy to leak, and they don’t scope down properly.

It means our security checklist is short, because there’s less to defend. It means we publish it on request, and we welcome outside red teams to break it.

It means if we ever can’t be a safe skin for a particular feature, we redirect. We send the user to Church Center, where the church’s existing security controls handle it.

What this means for the church

Two practical things.

First, your data sovereignty doesn’t change when you hire us. You already trust Planning Center with your money and your members. We don’t add a second vendor with the same data. We add a presentation layer over the vendor you’ve already vetted.

Second, you can fire us in two clicks. Revoke us from your Planning Center side, and we lose access. Move your DNS, and your domain goes wherever you want. Export your Sanity content, and you’ve got your copy. The site is yours. We’re the studio that built it.

That’s what we mean by safe. Not “trust us.” Don’t have to.