How we protect your club.
A volunteer treasurer should not have to become a security engineer. Here is exactly what we do — in plain English — so you can answer the board's questions in one minute.
PCI-DSS SAQ-A via Stripe
Card data never touches our servers. Payment fields are hosted by Stripe inside their iframe; we receive only tokens. That keeps us in scope for SAQ-A — the lightest PCI questionnaire — and keeps your club out of card-handling liability entirely.
No card data on our servers
We do not store card numbers, CVVs, or magstripe data anywhere. Stripe holds the vaulted payment method. We hold a customer id and a payment-method id. That's it.
AWS S3 with SSE-KMS
Player photos, roster documents, and uploaded attachments live in AWS S3 with server-side encryption using AWS KMS-managed keys. Object ACLs are private; access is gated through signed URLs that expire in minutes, not days.
Neon Postgres, row-level tenancy
Every row in our database carries a club_id, and every server query filters by it at the data layer — not just in application code. A bug in app code cannot leak rows across clubs because the database itself enforces the boundary.
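One way a database can enforce that boundary on its own, as an added illustration rather than the product's actual schema: a Postgres row-level security policy keyed on a per-request session variable. The table, the `app_user` role and the variable name `app.club_id` are assumptions for the example.

```sql
-- Added example (not the product's own schema): Postgres row-level security so that
-- a query which forgets "WHERE club_id = ..." still cannot see another club's rows.
CREATE TABLE players (
    id        bigserial PRIMARY KEY,
    club_id   bigint NOT NULL,
    full_name text   NOT NULL
);

-- Constructed sample rows from two clubs, loaded before RLS is switched on.
INSERT INTO players (club_id, full_name) VALUES
    (1, 'Alice Example'),
    (1, 'Bob Example'),
    (2, 'Carol Example');

-- The application connects as a role that owns nothing; superusers and
-- BYPASSRLS roles skip policies, so the app must never run as one.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON players TO app_user;
GRANT USAGE ON SEQUENCE players_id_seq TO app_user;

ALTER TABLE players ENABLE ROW LEVEL SECURITY;
ALTER TABLE players FORCE ROW LEVEL SECURITY;   -- also applies to the table owner

-- The tenant comes from a session variable the server sets once per request.
-- NULLIF guards against the empty string a placeholder GUC reports after a
-- SET LOCAL has expired; a missing tenant then yields NULL, i.e. zero rows,
-- never all rows.
CREATE POLICY club_isolation ON players
    USING      (club_id = NULLIF(current_setting('app.club_id', true), '')::bigint)
    WITH CHECK (club_id = NULLIF(current_setting('app.club_id', true), '')::bigint);

-- Per-request pattern: scope the tenant to the transaction only.
SET ROLE app_user;
BEGIN;
SET LOCAL app.club_id = '1';
SELECT full_name FROM players;          -- only club 1's players are returned
-- Writes are checked too: tagging a row with another club's id is rejected.
-- INSERT INTO players (club_id, full_name) VALUES (2, 'Mallory');  -- ERROR
COMMIT;

-- Outside a scoped transaction no tenant is set, so the policy predicate is
-- NULL and the same query returns nothing instead of every club's data.
SELECT full_name FROM players;
RESET ROLE;
```

Run as a superuser in psql to set up the objects; the `SET ROLE app_user` step is what makes the policies take effect for the queries that follow.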
HTTPS-only, HSTS, modern TLS
All traffic is HTTPS with HSTS preload. We force TLS 1.2+ and prefer 1.3. Static assets ship over a CDN with the same posture. No mixed content, no http:// fallback, no exceptions.
Secret rotation policy
AUTH_SECRET, Stripe webhook secrets, and database credentials are rotated on a fixed cadence and immediately on any suspected exposure. Sessions are signed and expire; revocation is instant from the admin console.
Least-privilege admin access
Engineers do not have ambient access to production data. Database access requires a per-request approval and is logged. Customer-support tooling shows only what is necessary to answer a specific ticket and redacts the rest.
COPPA-aware children's data
Under-13 profiles are managed by a verified parent or guardian. We collect only what is required to run the club — name, date of birth for age-group placement, photo, emergency contact — and never market to or profile children.
Have a security question we didn't cover?
We respond to security inquiries within one business day.
Contact us