Breeze Security/SSL

We're so glad that you're asking questions related to the security of the data stored within Breeze. This is a question you should be asking – after all you owe it to the people connected to your church to ensure their personal data is protected. We’ve put this article together to outline the measures we take to ensure the security of your data.

Encrypted Connections

Breeze uses an HTTPS SSL encrypted connection in a PCI compliant datacenter for data sent back and forth. This is the same standard used for transferring credit card data. This protects against malicious actions such as “man-in-the-middle” attacks where an individual attempts to intercept the message. An encrypted connection means that only the correct recipient is able to read the data.

Daily Back Ups

We back up the database every 24 hours in multiple geographical locations. Our back ups also allow us to restore your database if you or another individual accidentally deletes data that should have been retained. We also back up the filesystem every 24 hours which creates a back up of all content as well as a redundant database backup.

Routine Testing

We want to be sure your data is safe - both on a server level and on an application level. To aid in this effort, Breeze routinely undergoes penetration testing to help keep your data safe.

User Accounts & Permissions

You’re able to create multiple user accounts, each having their own set of permissions so that each user only has access to what he or she should have access to. Common scenarios for this are restricting the majority of staff from seeing contribution information or preventing certain users from adding or deleting people. All user accounts also have a password that’s needed to log in. If you’re interested in more details on how these permissions work, check out our video on users and roles.

Automatic Log Out

Administrators can also determine if a user should be automatically logged out after a certain amount of inactivity. Different users can have different settings so that if desired, users with access to more sensitive data can be logged out sooner than those with fewer privileges. If you’re interested in more details on how these permissions work, check out our video on users and roles.

Store Data on your Own Computer

Some churches like the peace of mind in knowing their data is backed up locally on their own computer. Breeze allows you to export key data into Excel files whenever you’d like (here's instructions on how to export this). Additionally, we assume no one likes to feel trapped and so if for some reason you find you need to switch from Breeze to something else (which we hope you won’t :)), this makes it easy to pack up your data and take it elsewhere.

Online Giving Security

Credit card data is extremely sensitive and we work hard to ensure it is stored securely. In fact, we don't even store full card numbers on our servers nor do we have access to them. Instead, that data is securely stored by our payment processor (Stripe) as they specialize in areas like this. Stripe is one of the industry leaders in online payment processing and you can read more on their security here.

 If you choose to embed a Breeze Online Giving form in your website we recommend you get an SSL Certification on your website. Your church website acts as another layer in which malicious users can try to intercept personal data and the encrypted connection means that only the correct recipient is able to read the data. Check with your domain name registrar to see if they have digital certification available for purchase or go through a reliable SSL certificate authority to secure your church website today.


We’re big fans of focusing on what we do well (software) and letting others focus on what they do well (hardware). As a result we use an extremely high quality commercial datacenter for reliable security and speed. Datacenters are given a Tier 1 - 4 rating, with 1 being the lowest/worst rating and 4 being the highest/best. 

Breeze operates in a tier 4 datacenter. The tier breakdown is as follows:

  • Tier 1 - Availability: 99.67%, 28.8 hours of interruption/year , no redundancy
  • Tier 2 - Availability: 99.75%, 22 hours of interruption/year, partial redundancy
  • Tier 3 - Availability: 99.982%, 1.6 hours of interruption/year, redundancy N+1
  • Tier 4 - Availability: 99.995%, 0.8 hours of interruption/year, redundancy 2N+1

The datacenter is located in southern California. For those of you interested in even more specifics on the datacenter, here are a few useful links:

Note: Breeze has never experienced a security breach that has exposed client data. We definitely take extensive measures to protect the sensitive information of our organizations!

Was this article helpful?
46 out of 55 found this helpful


  • The above Datacenter Security link goes to a 404 "page not found" error.

  • Hi @cdchasdaniel!

    Thanks for the note! We have alerted Lightcrest of this error. They are aware and are in the process of updating it. It should be fixed soon. Thank you for notify us and for being patience as we all work together to get this resolved.

    Blessings and Happy Breezing!

  • Multi-Factor Authentication

    Goes without saying Breeze is brilliant, though one thing keeps me up at night... Is there any plans for MFA? Since all users of Breeze are usaully dealing with a very large amount of sensitive and private information for many people, I believe there should be a second-factor to authenticate the user. This could be a text message with a 6 digit code, integrationg with an authenticator app etc... Whatever the case, it seems that anyone, from anywhere, can login to a Breeze account as long as you have the password- not hard with a little bit of social engineering.

    Would appreciate a Breeze Security Product Owner to comment on this!

    Thanks for the great software guys!

  • Correct Link: For anyone interested the correct link (in reference to @Charles comment above) is as the one provided above, at time of posting, goes to 404 page- Lightcrest haven't directed the old URL.

  • Hey @admin,

    We are currently investigating MFA/2FA as well as other options for additional security enhancement for Breeze. We don’t have it on our current development schedule but are certainly committed to reviewing this going forward! 


  • Are there only a certain number of our users that can be logged on at the same time? My people are having trouble logging on at times and at other times, they can get right on. 

  • @Mary

    Thanks for taking a moment to reach out to the Breeze community!

    There is no limitation to how many users can log onto Breeze at one time. If you encounter any issues with access, it would be related to Internet connection or Login Credentials. 

    If you have any additional questions, please let us know!

  • I am a very new user of Breeze and love how it works but have security concerns. I established a new user today, and he received his access email (in his junk folder?) with his username and password, and this new user was truthfully horrified that his password was just sent like that, in plain text, with no encryption whatsoever, via email. The second concern from this new user was that the software should at least prompt him to immediately change his password, but that does not happen. This person has now raised security concerns about how secure our data is if the passwords are stored and sent over email in plain text. We deal with highly personal information that nobody wants hacked and stolen. I now am very concerned if I can in good conscience recommend to our church to switch over from our very outdated but at least locally stored system to Breeze. Are there any plans for higher security regarding the passwords? How secure is the database?

  • @plajer

    Great questions! Breeze certainly understands your desire to provide the safest and most secure platform available. The method of sending login credentials is the standard practice security protocol. Temporary Passwords and login access are commonly sent via this method from the largest personal information platforms. If you have additional questions on Security, perhaps this post will give you more clarity -

    We certainly appreciate the feedback here as we want our customers to understand that their information is safe and secure. 

  • Hey guys, I know this question has been asked couple times, but have you guys had any plans for MFA in the roadmap?

  • @sendjaja

    Great question! We've certainly had some inquiry from customers on this but not enough to push this into product development just yet. I believe Breeze will eventually see this added as a feature in the future! 

    We encourage you to add your voice to the Feature Request form! The more people who ask for it, the better. See here: Submitting Feature Requests


  • Hi guys. I check in every few weeks and am quite disappointed with the last response.

    Some motivation for MFA:

    It will only take one breach to ruin all the great work we do in Christ's name! Please consider pushing MFA to the top! Many users of Breeze are not thinking about MFA. Breeze is designed for small and medium churches, and to have someone with Cyber security or  IT experience isn't common- even in large churches.

    You have a responsibility to take this request seriously. This isn't a premium feature anymore, this is compulsory- especially when Churches are gathering very sensitive information about finance, pastoral notes, ages, family/children, schools, locations, numbers... This is a gold-mine waiting to be discovered by sinister agendas.

    Please don't wait for the big push from your account holders. It won't come. I am speaking on behalf of them. At least provide the option with default off, or add-in etc. Anything to make this more secure please!

  • @admin
    Thank you so much for reaching out to us. We completely understand your concern here. We want you to know that your request is being heard and we thank you for voicing your concern. Security is extremely important to us. I've also shared your notes with my Team Lead just to make sure we continue to reiterate this request. I would also suggest that you submit a Feature Request to add your voice to the chorus of this Feature: Submitting Feature Requests
  • Hello. I want to add to the chorus on Multi-Factor Authentication.  Some folks from our church recently had their church e-mail spoofed and we are concerned about this being abused for a phishing attempt, instead of the gift card scam that they received.  I recommended to leadership to enable MFA on every possible system.  Not having this as an option is something that may make some of our leadership want to look elsewhere.  I think Breeze is a great product and its intuitive design, great feature set, and reasonable price are huge benefits.  But security needs to be a top focus.  Cybercrime has been exploding the last few years and criminals have been especially active since people have bene forced to work from home.  This needs to be a high priority item.

  • @Evan

    Thank you for reaching out and voicing your concern about Multi-Factor Authentication. We absolutely understand your concern, and want you to know that your concern for Multi-Factor Authentication is heard, and taken seriously! Security is very important to us at Breeze. I will share your valid thoughts with my team lead! I also recommend that you submit a Feature Request and add your voice alongside the many people recommending this feature: Submitting Feature Requests

    Have a great day!

  • I would like to know the status of your investigation on MFA/2FA, one year later since the question was asked. Has any decision been made yet, to move forwards or not considering the sensitive information that we have in Breeze.

  • @aimee Thank you for your patience with us as we are continuing to investigate this feature. It is still not on a public facing roadmap, but are doing further research on the matter and agree that it is more secure. We recommend subscribing to our Product Updates blog to hear the latest updates on our new releases. You'll find it here:

  • Brothers and sisters in Christ. I just filled out this form requesting better login security. Please do the same. It only took about 2 minutes:

  • MFA would be great, of course, but is a major underlying change. Any chance of at least adding an automatic password expiration setting? Currently, as far as I can tell, there is no requirement in Breeze for password updates.

  • Hi Robert. Not to steal the Breeze team's thunder, but regarding your question "Any chance of at least adding an automatic password expiration setting?"... if you are an admin user, you can go to the settings Cog > Users & Roles > Roles. In each role you can set the desired time to expire password. E.g. Standard user you can go to the permission "Logout Automatically" and make it time-based, or when they close their browser.

    Hoping MFA happens soon. Was raised a couple of years ago on other threads, so hoping it's on a roadmap.

  • @admin: That is a useful feature, but only forces logout, not forcing changing the password, which is a typical security best practice.

  • Hey @robertdalesteele thanks for this suggestion, our engineering team is continuing to explore options here that will serve our churches well! Passwords can always be manually changed by an Admin, by Editing a User and when you change the password, you can select for the system to email the user their new password.

    I have personally found this is a great way to initiate individuals taking ownership and changing their own password. It can also be helpful to communicate with users that they can easily update their own password in Breeze.

    @Admin, you're not stealing any thunder, so glad to have you participate in the conversation! The Log Out Automatically is a great feature for Admin or higher level Breeze users to force them to be logged out after a set amount of time of inactivity. Admittedly, this can also be very frustrating for members, as it requires them to login each time they are accessing the app. This feature is great, however, it does not require the user to change their password, only that they log back in. 

    Thanks for all of the great conversation taking place here! Know that our team is working hard to explore options that will serve you guys, along with all of our churches well. While security is our top priority, we are also committed to the ease of accessibility that Breeze has always offered. 

  • Hi - have you got any news on the MFA?

  • Hey @sendjaja!

    Thanks for reaching out about updates regarding MFA. All of us at Breeze really appreciate your kindness and patience while we investigate implementing this feature. 

    Currently, there isn't any additional news regarding MFA. I apologize for this inconvenience. 

    I know this has been requested by a lot of members of our Breeze family, and I just want to encourage you to keep on providing your concerns to our Product team. They are aware of this request for MFA, so I hope it will become a feature in the future! You can learn more about providing feedback to our team here: Submitting Feature Requests 

    Additionally, I will make this MFA request know to my team leads and manager. I'm here to advocate on your behalf, and make sure your voice is heard! :) 

    Have a wonderful day!

  • +1 on MFA from a former InfoSec professional that managed identities for ~400,000 user accounts in the public sector. The vast majority of compromises we saw were due to social engineering, and strong MFA protects against that since the aggressor typically won't have the second factor (especially if it's something like TOTP or a UbiKey).

    It's actually rather strange that Breeze doesn't have this functionality yet (that I have found) given the sensitivity of the information and that it contains financial data that admins can see. 

    We really want to have the best protection for our congregants. Can you please prioritize this in your upcoming development sprints?

    Thank you! :)

  • Hey @russlegear,

    Thanks for chiming in here! Your voice is definitely being heard. :) 

    If you haven't already, the fastest and most effective way for our Product Team to see this is by Submitting A Feature Request. Additionally, I've already passed this info along on my end as well. 

    Thanks for your patience as we continue to improve Breeze and our security.

    Have a great day!

  • +1 for MFA support. I'm honestly shocked this still hasn't been implemented. I get that it's not a simple thing to accomplish, but it's 2021 and anything that has sensitive information really should be able to be put behind MFA. My Church members are on the older side and if something happens to where our information is breached because of a single breached password, I'll never hear the end of it, as it's my idea to go to a cloud-based ChMS...

  • Hi Josh,

    Thanks for adding your voice! I can certainly understand why this would be so important for you in this situation.

    If you haven't had a chance yet, I'd recommend Submitting A Feature Request. This is the best way for our Product Team to see the current needs of our churches and how we can better serve them in the future. I'll make a note of it as well!

    Hope you have a great weekend! 

  • Hi Alex,

    I have submitted a feature request, as I'm sure everyone who has posted above has done as well.

    What I think Breeze Product Teams are not understanding is that you can have all the SSL encryption you want, but without MFA, it's just like having a vault with 45 foot steel walls (the SSL encryption) that prevent penetration testing, but keeping the combination to the door on a sticky note stuck to the back of the picture hiding the vault. If a staff member uses a weak password or their creds are social engineered/phished out of them (often not that difficult, I would know as I had a few college projects to do just that), the bad actor is right in and there's nothing to prevent them from walking right in.

    Please, all of us Security-centered admins are basically begging you guys to implement some type of MFA.

  • Hi, just checking in about any news on the possible implementation of MFA and/or password expiration requirements. We just had our second instance in the past year of someone trying to scam church members by posing as one of the church members and emailing all of the others asking for help. The first time it happened they posed as me, the pastor. I know such events are not completely avoidable, but when they happen it would be nice to be able to rule out Breeze as the source for the scammer to have access to all our church members' emails and do this kind of socially engineered scamming.