Read This Before You Trust a New Church Management System With Your Church's Data

Jul 7, 2026

Before You Trust a New Church Management System With Your Church’s Data, Ask These Questions

Building software has never been easier.

Artificial intelligence can now help someone create a polished website, generate marketing copy, design a logo, write code and assemble what appears to be a functioning software platform in a remarkably short period of time - even as quick as a couple of days. 

That can be a good thing. New tools and new competition can produce better ideas for churches.

But it has also created a new problem: it is becoming much easier to look like an established software company without actually being one.

A professional-looking website no longer tells you very much. The product screenshots may be generated. The testimonials may be vague (or fabricated). The privacy policy may have been produced by an AI tool in minutes (or non-existent). The company may have no identifiable legal entity, no experienced support team, no established security practices and no realistic plan for operating a church management system over the long term.

That matters because a church management system is not simply another productivity app.

Your ChMS likely contains:

  • Names, addresses, phone numbers and email addresses
  • Family relationships and household information
  • Children’s information and check-in records
  • Attendance history
  • Giving and donation records
  • Volunteer schedules
  • Prayer requests
  • Pastoral care notes
  • Sensitive background-check information
  • Medical, accessibility or allergy information
  • Login credentials and communication history

In other words, a church management system can become one of the most sensitive collections of information your church possesses, and the scariest part is, your church would be liable for the protection of your members' private and personal information. 

Before handing that information to a new provider, churches need to look beyond the attractive website and ask a more important question:

Who, exactly, are we trusting?

AI Is Not the Problem. A Lack of Accountability Is.

Using AI to help build software does not automatically make a product insecure or illegitimate. Experienced developers use AI as a one of many tools to improve their productivity and efficiency.

The concern is what happens when someone who has little to no experience operating business-critical software uses AI to build something that appears complete but does not understand everything required behind the scenes.

Generating code is only one small part of running a dependable ChMS.

A responsible provider must also understand:

  • Database architecture and data integrity
  • Authentication and account security
  • Permissions and access controls
  • Encryption and secure data transmission
  • Backups and disaster recovery
  • Software updates and vulnerability management
  • Privacy laws and contractual responsibilities
  • Email and text-message compliance
  • Legal compliance (COPPA, CASTL, GDPR, etc.)
  • Incident detection and breach response
  • Customer support and staff training
  • Data exports, account closures and long-term continuity

These responsibilities do not disappear because a platform looks simple or because it was built quickly.

CISA’s secure-by-design guidance emphasizes that software manufacturers should accept responsibility for the security outcomes of their products and operate with transparency and accountability. It also encourages software customers to ask vendors about security practices, vulnerability reporting and the protections included with their products. Learn more from CISA.

The important distinction is not old software versus new software or human-written code versus AI-assisted code.

It is accountable operators versus anonymous operators.

Red Flag #1: You Cannot Determine Who Owns the Company

A legitimate software provider should clearly identify the business responsible for the service.

Look for:

  • The company’s full legal name
  • The country, state or province where it is registered
  • A business mailing address
  • Names of founders or senior leadership
  • A real support contact
  • A privacy contact or privacy officer
  • Terms of service that name the contracting legal entity

A brand name alone is not enough.

You should be able to answer a basic question: If something goes seriously wrong, who is legally responsible?

Search the appropriate federal, state or provincial corporate registry. Compare the company named in the registry with the company named in the website’s terms, invoices and privacy policy. For example, you can find Connection Card, Inc's public listing by search the Colorado Secretary of State's business search website.

Business-registration requirements vary by jurisdiction, and very small businesses are not always incorporated. That does not automatically make them illegitimate. However, a company asking churches to entrust it with thousands of personal records should be prepared to explain who operates it and under what legal structure. The U.S. Small Business Administration similarly describes business registration as the process that establishes a business as a distinct legal entity, although specific requirements vary. Learn more from the U.S. Small Business Administration.

An anonymous product with no identifiable operator is not merely a marketing concern. It is an accountability concern.

Red Flag #2: The Privacy Policy Is Missing, Generic or Does Not Match the Product

Do not simply check whether the website has a link labelled “Privacy.”

Read the policy.

AI-generated and copied privacy policies often contain obvious warning signs:

  • They name a different company or website.
  • They describe an online store instead of a ChMS.
  • They do not explain what information is collected.
  • They do not identify why information is collected.
  • They do not explain where information is stored.
  • They say nothing about service providers or subprocessors.
  • They do not explain retention or deletion.
  • They do not provide a privacy contact.
  • They contain promises that clearly do not match how the product operates.
  • They do not address whether customer data is used to train AI systems.

Canadian privacy guidance emphasizes accountability, identifiable purposes, appropriate safeguards and the need to make privacy practices readily available. It also states that organizations remain responsible for personal information transferred to third-party processors and should use contractual or other means to ensure a comparable level of protection. Review the accountability guidance from the Office of the Privacy Commissioner of Canada.

The FTC likewise advises businesses to know what personal information they possess, retain only what they need, protect it, dispose of it properly and plan for security incidents. Review the FTC’s guidance for protecting personal information.

A privacy policy does not prove that a company follows good privacy practices. But a missing, contradictory or obviously generic policy is strong evidence that privacy has not received the attention it deserves.

Red Flag #3: The Company Makes Impressive Security Claims but Provides No Details

Be cautious when a website relies on phrases such as:

  • “Bank-level security”
  • “Military-grade encryption”
  • “100% secure”
  • “Fully compliant”
  • “Your data is completely safe”

These phrases sound reassuring but often provide very little useful information.

Ask specific questions instead:

  1. Is multi-factor authentication available for administrator accounts?
  2. Can permissions be limited by role?
  3. Are sensitive actions recorded in an audit log?
  4. Is information encrypted during transmission?
  5. How are passwords stored?
  6. How often are backups created?
  7. How quickly could service be restored after a major failure?
  8. How are security vulnerabilities reported and corrected?
  9. What happens when a breach is discovered?
  10. How quickly will affected churches be notified?
  11. Are independent security assessments performed?

OWASP publishes standards and testing guidance for verifying web-application security controls. CISA also recommends that software vendors be transparent about vulnerabilities and build important protections into their products by default rather than treating security as an optional upgrade. Review the OWASP Application Security Verification Standard.

A small provider may not have every formal certification available to a large enterprise vendor. The absence of a SOC 2 report, for example, does not automatically mean a product is unsafe.

But even a small provider should be able to explain what it does, who is responsible and how it would respond to a serious incident.

“I don’t know” is sometimes an honest answer. And honesty shows character. 

Repeatedly refusing to answer is a red flag.

Red Flag #4: The Product Claims to Do Everything, Almost Immediately

Church management systems are deceptively complicated.

A feature that sounds simple on a marketing page may require years of refinement to work properly in real churches.

Consider something as ordinary as tracking a family. The system may need to account for:

  • Married couples with different last names
  • Blended families
  • Shared custody
  • Children who attend with different adults
  • Individuals who belong to more than one household
  • Restricted access to sensitive family information
  • Duplicate records
  • Deceased or inactive family members
  • Communication preferences for each person
  • Children becoming adults without losing their historical records

The same complexity exists in attendance, donations, accounting, check-ins, volunteer scheduling, workflows and communications.

A new provider may genuinely have developed a useful product. But be cautious when a newly launched platform claims to have perfectly solved every major area of church administration at once—especially when there is little documentation, few real screenshots and no evidence that churches have used those features in practice.

A long feature list demonstrates ambition. It does not demonstrate reliability.

Red Flag #5: Nobody Appears to Have Experience Serving Churches

Church software has technical requirements, but it also has ministry realities.

Does anyone operating the platform understand:

  • How church staff actually work?
  • What happens on a busy Sunday morning?
  • How carefully children’s information must be handled?
  • Why pastoral notes need restricted access?
  • How donation records must be corrected without erasing history?
  • What happens when a volunteer accidentally merges the wrong people?
  • How churches communicate consent and opt-outs?
  • Why congregational data should not be treated as a marketing list?
  • How damaging a system outage can be during check-in or an emergency?

Experience does not require a massive team or decades in business. A capable new founder may have substantial church, software or operational experience.

But the provider should be able to tell you what that experience is.

A website containing only a product name, AI-generated illustrations and generic claims such as “built for churches by people who care” is not a substitute for an identifiable, experienced team.

Red Flag #6: There Is No Clear Way to Leave

Churches often focus on how easily they can move into a ChMS. They should spend equal time asking how they can move out.

Before signing up, ask:

  • Does the church retain ownership of its data?
  • Can records be exported without paying an excessive fee?
  • What information is included in an export?
  • Are relationships, notes, attendance and giving records exportable?
  • Are uploaded files and images included?
  • Is the export provided in a documented, usable format?
  • How long is data retained after cancellation?
  • Can the church request permanent deletion?
  • What happens if the company closes unexpectedly?
  • Is there a transition period after cancellation?
  • Can the provider suspend access without allowing an export?

A provider that believes it earns your business through service should not need to hold your information hostage. If they continually prove themselves through caring customer support and innovative development powered by hearing your suggestions - they shouldn't need to worry about losing customers. 

Red Flag #7: There Are No Real References

Testimonials deserve scrutiny too.

Look for testimonials that identify:

  • The church
  • The person giving the testimonial
  • The person’s role
  • Specific ways the church uses the system

A quotation from “Pastor John, Community Church” is easy to invent and almost impossible to verify.

Ask to speak privately with two or three current customers. Ideally, speak with churches that resemble yours in size and use similar features. Granted, some legitimate companies may not be able to provide details about their customers, which is also good and shows that they protect your contact information. But, you should at least be able to discover other users through public forums or social media groups. 

Useful questions include:

  • How long have you used the platform?
  • How reliable has it been?
  • How quickly does support respond?
  • Have you encountered lost or corrupted data?
  • How well does the provider handle mistakes?
  • Have promised features actually been delivered?
  • Have prices or terms changed unexpectedly?
  • Do you trust the people operating the company?

Do not rely only on references selected by the vendor. Search independently for churches that appear to use the platform and ask about their experience.

Red Flag #8: The Provider Wants All Your Data Before Earning Your Trust

A trial should not require your church to immediately upload its complete database.

Start with:

  • Test records
  • Fictional households
  • A limited number of staff accounts
  • A small volunteer team
  • One non-sensitive workflow
  • A partial import with unnecessary fields removed

Use the trial to evaluate permissions, exports, duplicate handling, support and reliability before transferring highly sensitive information.

While we at Connection Card Pro encourage users to begin using real data during their trial period, as it's easier to wrap your mind around families and situations are you are already familiar with, we also encourage you to start slow by following the tips above. 

Avoid uploading prayer requests, pastoral notes, children’s records, donor histories or confidential documents until the church has completed its review and formally approved the provider.

A polished demonstration shows what the vendor wants you to see.

A pilot that you're in control of shows how the system actually behaves.

Questions Every Church Should Ask a ChMS Provider

Before selecting a platform, send the provider these questions in writing:

About the Company

  • What is your full legal business name?
  • Where is the business registered?
  • Who owns and operates it?
  • How long has the current team operated production software?
  • What experience does the team have working with churches?
  • Who is responsible for privacy and security?

About Your Information

  • Where is customer information hosted?
  • Which third-party providers can access or process it?
  • Is church data used to train AI models?
  • Do any AI providers retain prompts or submitted information?
  • How long is information retained?
  • How can the church export or permanently delete it?
  • Who legally owns uploaded and generated information?

About Security and Reliability

  • Is multifactor authentication available?
  • Are role-based permissions supported?
  • Are administrative actions logged?
  • How frequently are backups made?
  • What are your recovery-time and data-loss targets?
  • Do you have a written incident-response process?
  • How and when are customers notified of a breach?
  • How can a security researcher report a vulnerability?

About Continuity

  • What happens to customer data if the company is sold?
  • What happens if the company shuts down?
  • Can the church retrieve its information while an account is suspended?
  • Is there a documented export process?
  • Are support and maintenance dependent on only one person?
  • Is business or cyber-liability insurance maintained?

About Actual Experience

  • May we speak with existing churches?
  • How many organizations actively use the system?
  • How long has the oldest active customer used it?
  • Which features are currently operating in production?
  • Which advertised features are beta, experimental or planned?

Do not be embarrassed to ask detailed questions.

A responsible provider should appreciate a church that takes stewardship seriously.

New Does Not Mean Bad—and Established Does Not Mean Safe

A new ChMS may be excellent.

A small development team may be more responsive than a large corporation. AI-assisted development may allow an experienced team to produce improvements more efficiently. An established provider can also become careless, neglect security or rely on outdated technology.

Age and company size are not guarantees.

The goal is not to eliminate every new company from consideration. The goal is to distinguish between innovation with accountability and experimentation with other people’s data.

Look for evidence rather than appearances:

  • Identifiable people
  • A verifiable business
  • Clear contracts
  • Honest privacy disclosures
  • Specific security practices
  • Real customers
  • Tested backups
  • Responsive support
  • Practical church experience
  • A safe way to retrieve your information

Most importantly, pay attention to how the provider responds when you ask difficult questions.

Experienced operators generally understand why those questions matter. Inexperienced or irresponsible operators often become evasive, dismiss the risks or try to redirect the conversation back to features and pricing.

Treat Digital Records With the Same Care as Physical Records

Your church would not hand every membership record, donation statement, child check-in sheet and confidential pastoral note to an unidentified person who appeared one day with a nice brochure.

Do not make the digital equivalent of that decision simply because a website looks impressive.

Technology changes quickly. Stewardship does not.

Before trusting any church management system—including Connection Card Pro—churches should ask who operates it, how information is protected, what experience stands behind it and what will happen when something goes wrong.

A legitimate provider will not merely tell you to trust them.

They will give you reasons to.

Whether you're using Connection Card Pro or any other of the many wonderful church management systems out there, we hope this helps you make the best decision for the system that will fit your church well! 

Brought to you by Connection Card Pro
Connection Card Pro is a complete church and ministry management platform for attendance, communication, giving, bookkeeping, administration and more! Try out Connection Card Pro free for 30 days to jumpstart your ministry and administrative needs!