Security
Built for coaches who handle real client data.
Health data, body photos, and payments deserve real security. Here's how we protect them and exactly which third parties touch your data.
Encrypted in transit and at rest
TLS 1.3 everywhere. AES-256 at rest on Postgres and object storage. Sensitive columns (wearable tokens, refresh tokens) get column-level encryption via pgsodium.
Postgres Row-Level Security on every table
Multi-tenant separation enforced at the database level — not just in app code. A coach physically cannot read another coach's data. We test this with an automated suite that runs on every deploy.
PCI: we never see card data
All card data is handled by Stripe. We hold a Stripe customer ID and a payment-method reference. Your liability surface stops at our front door.
Daily automated backups + point-in-time recovery
Supabase PITR with 30-day retention. Quarterly restore drills in staging. Cross-region replication for sensitive content (progress photos).
Audit logging on every state-changing action
Append-only audit log records who did what, when, from where. Append-only at the database role level — admins literally can't delete entries.
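The two database-level controls described above, tenant isolation through Row-Level Security and an audit table made append-only by privileges rather than by app code, sketched in Postgres SQL as an added example; this is not the product's own schema, and the table names, the `app_user` role, and the `app.coach_id` session setting are assumptions.

```sql
-- Added example, not the product's schema. Assumed names: table clients,
-- table audit_log, role app_user, and a per-request session setting
-- app.coach_id that the application sets after authenticating the coach.

-- 1. Tenant isolation at the database level. Every row carries its owning
--    coach, and the policy applies to reads and to writes (WITH CHECK), so
--    a coach cannot read, update, or insert rows under another coach_id.
CREATE TABLE clients (
  id       bigserial PRIMARY KEY,
  coach_id uuid NOT NULL,
  name     text NOT NULL
);
ALTER TABLE clients ENABLE ROW LEVEL SECURITY;
ALTER TABLE clients FORCE ROW LEVEL SECURITY;   -- the table owner is not exempt

CREATE POLICY clients_tenant_isolation ON clients
  USING      (coach_id = current_setting('app.coach_id', true)::uuid)
  WITH CHECK (coach_id = current_setting('app.coach_id', true)::uuid);
-- missing_ok = true: if the setting is absent the comparison is NULL and the
-- policy fails closed (no rows) instead of raising an error for app code to catch.

-- 2. Append-only audit log enforced by privileges, not by application code.
CREATE TABLE audit_log (
  id        bigserial PRIMARY KEY,
  actor_id  uuid NOT NULL,
  action    text NOT NULL,
  occurred  timestamptz NOT NULL DEFAULT now(),
  source_ip inet
);

CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON clients TO app_user;
GRANT USAGE ON SEQUENCE clients_id_seq, audit_log_id_seq TO app_user;
GRANT SELECT, INSERT ON audit_log TO app_user;   -- UPDATE/DELETE/TRUNCATE never granted

-- 3. The isolation check a deploy-time suite can run (the DBA session assumes
--    membership in app_user): act as coach A, insert a row, switch to coach B,
--    and require that coach B sees zero rows and cannot delete audit entries.
SET ROLE app_user;
SELECT set_config('app.coach_id', '11111111-1111-1111-1111-111111111111', false);
INSERT INTO clients (coach_id, name)
  VALUES ('11111111-1111-1111-1111-111111111111', 'constructed client A');
SELECT set_config('app.coach_id', '22222222-2222-2222-2222-222222222222', false);
SELECT count(*) AS rows_visible_to_coach_b FROM clients;   -- suite requires zero
DELETE FROM audit_log;   -- must be rejected: app_user holds no DELETE privilege
RESET ROLE;
```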
2FA mandatory at Pro+
TOTP-based two-factor authentication mandatory at Pro and above. Passkey (WebAuthn) support on the roadmap. Revoke-all-sessions button on every account.
Compliance roadmap
| Status | Framework | Notes |
|---|---|---|
| Now | Australian Privacy Act / APP | Designed-in from day one. AU data residency by default. |
| Now | GDPR + UK GDPR | DPA available; EU sub-processors documented. |
| Now | CCPA / CPRA | California rights honoured; export, deletion, and opt-out from sale supported. |
| Roadmap | SOC 2 Type 1 | Via Drata. Targeted as we scale into US enterprise rollouts. |
| Roadmap | SOC 2 Type 2 | Issued after Type 1. Standard one-year continuous-monitoring window. |
| Roadmap | HIPAA-tier (Enterprise) | BAA + scoped tenancy for US healthcare/rehab coaches. |
Subprocessors
We list every third party that processes data on our behalf. We notify Pro+ customers in advance of changes.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Postgres database, Auth, Storage, Realtime, Edge Functions | ap-southeast-2 (Sydney) |
| Vercel | Web app hosting, edge runtime, CDN | Multi-region |
| Cloudflare | DNS, WAF, edge cache | Global |
| Stripe | Payments, Connect onboarding, Stripe Tax | Global |
| Resend | Transactional email | Multi-region |
| Mux | Video transcoding and HLS streaming | Multi-region |
| Firebase Cloud Messaging | Push notifications (FCM/APNs) | Global |
| Sentry | Error tracking | EU |
| PostHog | Product analytics, feature flags, session replay | US |
| Spike API | Wearable + MyFitnessPal data sync | EU |
| OpenAI / Anthropic | AI assistant + check-in summaries | US |
| Codemagic | Flutter mobile app build & deploy | EU |
Found a vulnerability?
Email security@leenenperformance.com with details. We'll acknowledge within one business day and won't pursue legal action against good-faith research.