Global constant, environment variable, config?

As you mentioned a lack of formal training earlier, I hope you have somebody on the development team with some security background, because that sounds like a fairly difficult system to secure, with potentially significant liability exposure if it’s not done properly.

I am the development team. Currently accepting applications, zero pay!

I’ll have to teach myself the nuances of secure data-handling at some point soon, or use the non-secure version as part of a portfolio to land a job

If you have any lawyer friends, ask them what sort of legal exposure you might have here and what you can do to mitigate it. This could end very badly for you, I fear. A negligently designed system that results in sensitive data being exposed, resulting in pissed-off lawyers, of all people, could potentially end up bankrupting you.

Please partner with or hire somebody with serious experience to at least audit your design. This is not idle chatter here.

Absolutely. In all seriousness I wouldn’t attempt to release anything without taking proper security measures, etc. That would be very bad from both a moral and self-preservation standpoint.

The only realistic option I have at this point is tucking the app away until I have the means to hire someone, or selling the app to someone who can properly complete it.