Security Framework

Last updated November 24th, 2025

Your data security is our top priority. We employ industry-standard security measures, comply with international data protection regulations, and continuously monitor and improve our security posture to protect your sensitive information.

1. Overview

TAMS (Theological Administration Management System) is a secure, cloud-based platform designed to help churches and religious organizations manage their operations, members, finances, and communications. At TAMS, a platform developed and owned by Ofilix Technology, the security and confidentiality of your data and the personal information of your congregation are our highest priority.

We are committed to implementing robust physical, technical, and procedural safeguards to protect your data. This page outlines our comprehensive security framework, compliance certifications, and practices.

2. Security Framework Overview

TAMS employs a multi-layered security framework based on industry best practices and international standards:

  • Defense in Depth: Multiple layers of security controls
  • Zero Trust Architecture: Verify and authenticate all access attempts
  • Principle of Least Privilege: Users and systems only have access to what they need
  • Security by Design: Security built into every layer of the application
  • Continuous Monitoring: Ongoing security assessments and improvements

Security Standards and Frameworks

Our security practices align with:

  • ISO 27001 principles (Information Security Management)
  • OWASP Top 10 security best practices
  • NIST Cybersecurity Framework guidelines
  • CIS Controls (Center for Internet Security)
  • GDPR (General Data Protection Regulation)
  • NDPR (Nigeria Data Protection Regulation)

3. Data Protection and Encryption

Encryption in Transit

All data transmitted between your devices and TAMS servers is encrypted using industry-standard protocols:

  • TLS 1.2/1.3: All web traffic uses Transport Layer Security (TLS) encryption
  • HTTPS Only: All connections are forced to use secure HTTPS protocol
  • Certificate Management: SSL/TLS certificates are automatically renewed and managed
  • Perfect Forward Secrecy: Uses ephemeral session keys, so past communications stay protected even if a server's long-term key is later compromised

What this means for you: Even if someone intercepts data in transit, they cannot read it without the encryption keys.

Encryption at Rest

All data stored in our databases is encrypted:

  • Database-Level Encryption: PostgreSQL databases use encryption at rest
  • Encrypted Backups: All database backups are encrypted before storage
  • Key Management: Encryption keys are managed securely and rotated regularly
  • Field-Level Encryption: Sensitive fields (passwords, financial data) use additional encryption layers

What this means for you: Even if someone gains physical access to our storage systems, your data remains protected.

Password Security

User passwords are protected using industry-standard cryptographic methods:

  • Bcrypt Hashing: All passwords are hashed using bcrypt with 10 salt rounds
  • One-Way Hashing: Password hashes cannot be reversed or decrypted to recover the original password
  • Salt Per Password: Each password has a unique salt, preventing rainbow table attacks
  • No Plain Text Storage: Passwords are never stored in readable format

What this means for you: Even TAMS administrators cannot see your password. If our database is compromised, attackers cannot easily recover your password.

4. Authentication and Access Control

Multi-Factor Authentication (MFA) Ready

  • JWT Token-Based Authentication: Secure, stateless authentication using JSON Web Tokens
  • Token Expiration: Tokens automatically expire and require re-authentication
  • Secure Token Storage: Tokens are stored securely and validated on every request
  • Session Management: Active sessions are tracked and can be invalidated

Role-Based Access Control (RBAC)

TAMS implements a comprehensive role-based access control system:

  • Hierarchical Roles: Roles are organized hierarchically (Super Admin → Senior Pastor → Chapter Pastor → etc.)
  • Granular Permissions: Fine-grained permissions control access to specific features
  • User-Level Permissions: Custom permissions can be assigned to individual users
  • Context-Aware Access: Access is restricted based on organizational hierarchy

Roles Include: Super Admin, Senior Pastor, Chapter HQ Pastor, Chapter Pastor, Satellite Pastor, Fellowship Pastor, Head Admin, Finance Admin, Communications Admin, Membership Admin, Events Admin, Media Admin, Members, and Workers.

What this means for you: Users can only access data and features appropriate to their role, preventing unauthorized access.

Access Control Measures

  • Authentication Required: All API endpoints require valid authentication
  • Permission Guards: Every sensitive operation checks user permissions
  • Role Guards: Access is restricted based on user roles
  • Input Validation: All user inputs are validated and sanitized
  • Rate Limiting: Protection against brute-force attacks and abuse

5. Application Security

Secure Coding Practices

Our development team follows strict secure coding standards:

  • Code Reviews: All code changes undergo peer review before deployment
  • Automated Testing: Comprehensive automated test suites catch vulnerabilities
  • Manual Testing: Additional manual testing for critical features
  • Static Code Analysis: Automated tools scan code for security vulnerabilities
  • Dependency Scanning: Regular scanning of third-party libraries for known vulnerabilities

Input Validation and Sanitization

  • Validation Pipes: All user inputs are validated using NestJS ValidationPipe
  • Whitelist Approach: Only explicitly allowed fields are accepted
  • SQL Injection Prevention: Parameterized queries prevent SQL injection attacks
  • XSS Prevention: Output encoding prevents cross-site scripting attacks
  • CSRF Protection: Cross-site request forgery protection mechanisms

API Security

  • RESTful API Design: Well-structured, secure API endpoints
  • Bearer Token Authentication: Secure token-based API authentication
  • CORS Configuration: Controlled cross-origin resource sharing
  • Request Validation: All API requests are validated before processing
  • Error Handling: Secure error messages that don't leak sensitive information

6. Infrastructure Security

Cloud Infrastructure

TAMS is hosted on secure, industry-leading cloud infrastructure:

  • Cloud Provider: Amazon Web Services (AWS) or equivalent enterprise-grade cloud
  • Data Center Security: Tier 3+ data centers with:
    • Biometric access controls
    • 24/7 physical security monitoring
    • Redundant power and network systems
    • Environmental controls (fire suppression, climate control)

Network Security

  • Firewall Protection: Multi-layer firewall protection
  • DDoS Mitigation: Protection against distributed denial-of-service attacks
  • Network Segmentation: Isolated network segments for different components
  • Intrusion Detection: Monitoring for suspicious network activity
  • VPN Access: Secure VPN for administrative access

Container Security

  • Docker Containers: Application runs in isolated containers
  • Container Scanning: Regular scanning of container images for vulnerabilities
  • Minimal Base Images: Using minimal, secure base images
  • Health Checks: Automated health monitoring and recovery
  • Resource Limits: CPU and memory limits prevent resource exhaustion attacks

Database Security

  • PostgreSQL Database: Enterprise-grade relational database
  • SSL/TLS Connections: Encrypted connections between application and database
  • Connection Pooling: Secure, managed database connection pools
  • Query Optimization: Optimized queries prevent resource exhaustion
  • Backup Encryption: All database backups are encrypted

7. Data Backup and Recovery

Backup Strategy

TAMS employs a comprehensive backup strategy:

  • Point-in-Time Backups: Regular point-in-time backups allow recovery to specific moments
  • Daily Snapshots: Daily database snapshots for quick recovery
  • Automated Backups: All backups are automated and tested regularly
  • Geographic Redundancy: Backups stored in multiple geographic locations
  • Retention Policy: Backups retained according to data retention policies

Disaster Recovery

  • Recovery Time Objective (RTO): < 4 hours
  • Recovery Point Objective (RPO): < 1 hour
  • Disaster Recovery Plan: Documented and tested disaster recovery procedures
  • Regular Testing: Disaster recovery procedures tested regularly
  • Business Continuity: Plans to ensure service continuity during incidents

What this means for you: Your data is protected against hardware failures, natural disasters, and other unforeseen events.

8. Compliance and Certifications

Data Protection Regulations

TAMS complies with international and local data protection regulations:

GDPR (General Data Protection Regulation)

  • Right to Access: You can request a copy of your data
  • Right to Rectification: You can correct inaccurate data
  • Right to Erasure: You can request deletion of your data
  • Right to Data Portability: You can export your data
  • Data Processing Agreements: Compliant data processing agreements with third parties

NDPR (Nigeria Data Protection Regulation)

  • Data Protection Officer: Designated data protection officer
  • Privacy Impact Assessments: Regular assessments of data processing activities
  • Breach Notification: Prompt notification of data breaches
  • Data Minimization: Only collecting necessary data

Payment Card Industry (PCI) Compliance

TAMS does not directly process payment card data:

  • Third-Party Processors: All payment processing handled by PCI DSS Level 1 certified providers:
    • Paystack
    • Stripe
    • Other certified local providers
  • No Card Storage: Payment card data is never stored on TAMS servers
  • Secure Redirects: Secure redirects to payment processors
  • Tokenization: Payment tokens used instead of actual card numbers

What this means for you: Your payment information is handled by industry-leading, certified payment processors, not stored on our servers.

9. Security Monitoring and Incident Response

Security Monitoring

  • Logging: Comprehensive logging of all system activities
  • Security Event Monitoring: Continuous monitoring for security events
  • Anomaly Detection: Automated detection of unusual patterns
  • Alert System: Automated alerts for security incidents
  • Audit Trails: Complete audit trails for all data access and modifications

Vulnerability Management

  • Regular Scans: Regular vulnerability scanning of systems
  • Penetration Testing: Periodic penetration testing by security professionals
  • Bug Bounty Program: Active bug bounty program for responsible disclosure
  • Patch Management: Prompt application of security patches
  • Dependency Updates: Regular updates of third-party dependencies

Incident Response

TAMS has a documented incident response plan:

  • Detection: Rapid detection of security incidents
  • Response Team: Dedicated security incident response team
  • Containment: Quick containment of security incidents
  • Investigation: Thorough investigation of security incidents
  • Notification: Prompt notification of affected customers (when required)
  • Recovery: Rapid recovery from security incidents
  • Post-Incident Review: Lessons learned and improvements

Security Contact: security@tamshq.com

10. Personnel and Organizational Security

Employee Security

  • Background Checks: All employees undergo background checks
  • Non-Disclosure Agreements: All employees sign NDAs
  • Security Training: Regular security awareness training
  • Access Controls: Employees only have access to data they need
  • Principle of Least Privilege: Minimal access rights for all employees

Security Culture

  • Security-First Mindset: Security is a priority in all decisions
  • Regular Training: Ongoing security training for all staff
  • Security Champions: Designated security champions in each team
  • Internal Audits: Regular internal security audits
  • Security Awareness: Our team understands the importance of data security because many of us use TAMS for our own church administration. We protect your data as if it were our own.

11. Third-Party Security

Vendor Management

  • Vendor Assessment: All third-party vendors are assessed for security
  • Contracts: Security requirements included in vendor contracts
  • Regular Reviews: Regular security reviews of third-party services
  • Data Processing Agreements: Compliant agreements with data processors

Third-Party Services

TAMS uses trusted, secure third-party services:

  • Cloud Hosting: Enterprise-grade cloud providers
  • Payment Processors: PCI DSS Level 1 certified payment processors
  • Email Services: Secure email service providers
  • Monitoring Tools: Security-focused monitoring and logging tools

12. Data Retention and Deletion

Data Retention Policy

  • Active Accounts: Data retained while account is active
  • Inactive Accounts: Data retained according to retention policy
  • Legal Requirements: Some data retained to comply with legal obligations
  • Financial Records: Financial records retained as required by law

Data Deletion

  • Account Deletion: Data deleted upon account termination (subject to legal requirements)
  • Secure Deletion: Data securely deleted using industry-standard methods
  • Backup Deletion: Deleted data removed from backups during backup rotation
  • Right to Erasure: You can request deletion of your data (subject to legal limitations)

For more details, see our Data Retention Policy.

13. Your Responsibilities

While TAMS implements comprehensive security measures, you also play a role in protecting your data:

Account Security

  • Strong Passwords: Use strong, unique passwords
  • Password Confidentiality: Never share your password
  • Regular Updates: Regularly update your password
  • Account Monitoring: Monitor your account for suspicious activity

Access Management

  • User Management: Regularly review and remove unnecessary user accounts
  • Permission Management: Grant only necessary permissions to users
  • Role Assignment: Assign appropriate roles to users

Data Practices

  • Data Accuracy: Keep your data accurate and up-to-date
  • Data Minimization: Only enter necessary data
  • Compliance: Ensure your data practices comply with applicable laws

14. Security Certifications and Audits

Security Audits

  • Internal Audits: Regular internal security audits
  • External Audits: Periodic external security audits
  • Penetration Testing: Regular penetration testing
  • Code Audits: Regular code security audits

Compliance Audits

  • GDPR Compliance: Regular GDPR compliance assessments
  • NDPR Compliance: Regular NDPR compliance assessments
  • Data Protection Impact Assessments: Regular DPIA assessments

15. Security Updates and Improvements

Continuous Improvement

  • Security Updates: Regular security updates and patches
  • Feature Security: Security considerations in all new features
  • Threat Intelligence: Monitoring of emerging threats
  • Best Practices: Adoption of industry best practices

Security Roadmap

  • Multi-Factor Authentication (MFA): Planned implementation
  • Advanced Threat Detection: Enhanced threat detection capabilities
  • Security Automation: Increased automation of security processes
  • Compliance Certifications: Pursuit of additional certifications

16. Questions and Support

Security Questions

If you have questions about TAMS security, please contact us:

  • 📧 Email: support@tamshq.com
  • 🌐 Website: www.tamshq.com

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

  • Responsible Disclosure: Report to security@tamshq.com
  • Bug Bounty: Eligible for our bug bounty program
  • Response Time: We commit to responding within 48 hours

Conclusion

TAMS is committed to providing a secure, reliable platform for managing your church or organization. We employ industry-standard security measures, comply with international data protection regulations, and continuously improve our security posture.

Your data security is our top priority. We protect your data as if it were our own, and we're committed to transparency about our security practices.