Ministry Integrity Suite Request early access

Built for the Executive Pastor who owns the risk

Let your staff use AI.
Keep what’s confidential, confidential.

Ministry Integrity Suite is a private AI gateway for churches. Before any prompt reaches an external model, the Privacy Airlock strips names and contact details and redacts sensitive pastoral context — then routes the request through contractual zero-data-retention endpoints. The model never learns who it was about.

Request early access See how the Airlock works
  • Fail-closed by design
  • Per-user audit trail
  • SSO + Directory Sync
  • Designed for SOC 2 Type II

The risk you can’t see

Your staff are already pasting confidential situations into ChatGPT

A counseling conversation. A member’s marriage in crisis. A giving record. A minor’s name. Typed into a consumer AI tool that may retain it, train on it, or surface it later. You can’t un-send it — and today, you may never even know it happened.

Generic enterprise DLP was built to catch credit-card and Social-Security numbers. It is blind to the thing that actually creates liability in a church: the narrative of someone’s worst week, written in plain language.

Legal & insurance exposure

Counseling content and member data sent to a third party you never vetted — the kind of disclosure your liability carrier and your attorney would very much like to have been asked about first.

A breach of pastoral trust

People tell their church things they tell no one else. A confidence that leaks into a vendor’s training set isn’t a bug report — it’s a betrayal of the relationship your ministry runs on.

Reputational damage

One headline about a congregant’s private crisis surfacing from an AI tool undoes years of carefully built trust — and travels fast through exactly the peer networks you sell into.

Built for the risk owner

Everything the person who signs the contract needs to say yes

That’s the exposure. Here’s what you get to contain it. The Lead Pastor will love what it does — but you’re the one who has to defend it to the board, the insurer, and the IT director.

Routed through contractual ZDR endpoints

Foundation-model traffic travels through enterprise zero-data-retention agreements with retention-for-training contractually disabled — not a self-serve toggle, an executed contract.

A per-user audit trail

Who ran what, and when — never the content itself. The “who did what” record your access reviews, your board, and your insurer ask for.

Proof of how AI was used

When a staff member or student opts into a provenance session, every prompt and reply is captured as a tamper-evident, hash-chained record — post-Airlock content only, so nothing sensitive is newly stored. They export a signed bundle a supervisor, grader, or board can verify independently. Admins see that a session happened; never what was in it.

Sign in with the identity you already have

Staff authenticate through your existing identity provider — Google Workspace, Okta, or Microsoft Entra — over single sign-on that’s live today. No new passwords, no shadow accounts, no tool sprawl for your IT director.

Access that follows your directory

Directory Sync provisions access from the groups you already manage. Add someone to the right group and they’re in; remove a departing staff member and their access goes with them — no separate user list to keep in step by hand.

Your church, isolated

Each church’s data lives in its own isolated tenant — never visible to another. Isolation scales from a shared schema to a dedicated database without changing how it works, and even the short-lived map that reverses the Airlock’s placeholders runs on its own isolated store.

Spend governance built in

A per-tenant budget ceiling means a runaway script or a compromised login can’t quietly drain your AI budget. Predictable cost is a first-class feature, not an afterthought.

Designed for SOC 2 Type II

Isolated data, no raw-prompt logging, ZDR routing — architected to the standard from day one. Formal certification follows our first paid pilots; we won’t blur the line.

The Privacy Airlock

One gateway every prompt has to pass through

The Airlock runs on our infrastructure, in front of every model call. In three passes it removes what should never leave your walls — then lets a useful, fully reconstituted answer back in.

  1. 01

    Strips the obvious PII

    Names, emails, phone numbers, addresses, dates. The structural identifiers any compliance team expects to be removed — gone before the prompt leaves our gateway.

  2. 02

    Redacts the trauma generic tools miss

    Infidelity, abuse, addiction, a minor’s name, a family in crisis. Secular DLP was built to catch credit-card numbers; it is blind to the narrative pastoral detail that actually creates liability in a church. This is what we built for.

  3. 03

    Substitutes, then restores — locally

    Every sensitive span is swapped for a reversible placeholder, so the external model only ever sees “PERSON_1.” The real text is restored on our side, after the response returns — never in the prompt that egresses. The map that makes the swap reversible lives in a dedicated, isolated store — kept apart from every other church’s and from the billing ledger, and discarded shortly after the exchange.

If it can’t scrub, it doesn’t send.

The Airlock is fail-closed. If any part of the scrubber errors or drops offline, the request is terminated on the spot — never forwarded un-scrubbed. The default is to fail safe, not to fail open. That single rule is the difference between a privacy promise and a privacy product.

How it works

The model does the work. It just never sees who it’s for.

Like an airlock on a spacecraft, nothing moves between your people and the outside model without passing through a sealed, controlled chamber — in both directions.

  1. 1 A staff member writes A prompt in the extension or dashboard
  2. Our infrastructure 2 The Airlock scrubs PII + pastoral trauma removed; tokens substituted
  3. 3 ZDR endpoint Anonymized request to the model, retention-for-training off
  4. Our infrastructure 4 Reconstituted locally Placeholders restored on our side, after the reply
  5. 5 The staff member reads A complete, useful answer

The only text that ever crosses to the model is already anonymized. The mapping back to real names lives only on our side, in tenant-scoped storage, and expires on a short timer.

Precision over hype

We choose our words as carefully as we handle your data

You’re buying integrity. So we won’t sell it with claims we can’t stand behind. Here’s how we talk about the hard parts.

  • We won’t tell you “nothing is ever stored.” Foundation-model traffic is routed through contractual zero-data-retention endpoints, with retention-for-training disabled.

  • Even then, “zero” isn’t literally zero. A provider may still retain a request that’s flagged for safety review, or where the law requires it. We say that out loud rather than burying it.

  • We’re designed for SOC 2 Type II — not yet certified. We’ll always tell you which is which, and show you exactly where we are in the process.

The upgrade — once you’re on the platform

Then, your church’s voice and its doctrine on tap

Once your staff’s work already flows through the Airlock, you can switch on the Theological Audit Engine. It grounds answers in your own sermon archive and audits drafts against your church’s confessional standard.

Privacy is what gets the contract signed. This is what makes the platform impossible to leave. But first things first — the Airlock comes first.

  • Answers in your own pastor’s voice, grounded in your church’s sermon archive
  • Draft auditing against your confessional standard — Book of Concord, Westminster, your own statement of faith
  • Alignment and divergence, surfaced with citations — it doesn’t claim neutrality

Pricing

Priced for the whole staff — not per seat

We count users so you can run access reviews, audit activity, and true-up at renewal. We never bill by them. Counting is what makes a flat license safe to operate — it’s free to you.

One flat license, keyed to your size

You pay a predictable enterprise fee based on your church — not a meter that climbs every time you add a staff member.

Your whole team, on purpose

Per-seat pricing tempts you to leave your most overworked junior staff off the platform — the exact people most likely to paste something they shouldn’t. So we don’t price that way.

You pay your own model usage

Token costs pass straight through at cost, governed by a budget ceiling you control. We don’t mark up the AI; we secure it.

Enterprise churches buy by PO and invoice. Tell us your size and we’ll scope a license.

Talk to us about a license

Questions a careful buyer asks

Straight answers

The hard ones, answered the way we’d want them answered if we were buying.

Does this mean nothing we send is ever stored?

No — and we won’t claim that. Traffic is routed through contractual zero-data-retention endpoints with retention-for-training disabled. A provider may still retain a request that gets flagged for safety review, or where the law requires it. That’s the honest answer, and it’s still a dramatically smaller footprint than a staff member pasting into a consumer chatbot.

Do the AI providers train their models on our data?

No. The endpoints we route through have retention-for-training contractually disabled at the organization level. That contract is the foundation of the whole product.

How do our staff actually use it day to day?

Through a browser extension and a web dashboard. They sign in with your church’s existing identity provider — Google Workspace, Okta, or Microsoft Entra — using the same login they already have, so there’s nothing new for them to remember. Directory Sync provisions access from the groups you already manage and removes it when someone leaves, so IT doesn’t maintain a second user list.

What about our own sermons and member records?

Your tenant’s data is isolated to your church and never visible to another. When private content is used to ground an answer, it passes through the same Airlock as a typed prompt before anything egresses.

Can our staff prove how they used AI — for a grader, a board, or a policy?

Yes. A staff member or student can work inside an opt-in provenance session: every prompt and AI response is captured as a tamper-evident, hash-chained record (post-Airlock content only), and they export a signed attestation bundle anyone can verify independently. It’s an honest record of AI use through the platform — it can’t prove what someone did in another tab, and we don’t claim it does. Admins see that a session happened, never its contents.

Are you SOC 2 certified?

We are designed for SOC 2 Type II from day one — isolated data, no raw-prompt logging, ZDR routing. Formal certification follows our first paid pilots. We won’t blur the line between “designed for” and “certified,” and we’ll show you exactly where we are.

Where does the theological auditing fit in?

It’s a premium module you switch on once your staff’s work already flows through the Airlock — doctrinal alignment auditing and answers in your church’s own voice. Privacy comes first; doctrine is the upgrade.

Get the conversation started

See it against your own church’s risk profile

We’ll walk you and your IT director through the Airlock, the audit trail, and exactly where we are on compliance — no overclaiming, no pressure.

Request early access Email us a question