🔐 Encryption

All client personally identifiable information (PII) — email addresses, phone numbers, physical addresses, and emergency contacts — is encrypted using AES-256-GCM, the same standard used by banks and government agencies.

  • Data is encrypted at rest in the database. Raw PII is never stored in plaintext.
  • Data is encrypted in transit via TLS 1.3 on all connections.
  • Hashed lookup columns allow searching without decrypting the entire dataset.
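Encrypted columns together with a hashed lookup column, as an added Go example (illustrative code written for this page, not BallBot's implementation). It assumes two distinct 32-byte keys, a data key for AES-256-GCM and a separate key for the lookup hash, hard-coded here only so the example runs offline, and it uses a keyed hash (HMAC-SHA256) for the lookup column: an unkeyed hash of an email address can be reversed by hashing candidate addresses, whereas a keyed hash cannot be checked by anyone holding only a copy of the database. Record layout, helper names and the sample addresses are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Assumption: the two 32-byte keys normally come from a key-management
// service. They are constant placeholders here only so the example runs offline.
var (
	dataKey  = []byte("0123456789abcdef0123456789abcdef") // constructed placeholder
	indexKey = []byte("fedcba9876543210fedcba9876543210") // constructed placeholder
)

// StoredPII is what a database row holds: ciphertext plus a keyed lookup
// hash. Neither field reveals the plaintext on its own.
type StoredPII struct {
	Nonce      []byte // 12-byte GCM nonce, fresh for every encryption
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
	Lookup     string // hex(HMAC-SHA256(indexKey, normalized plaintext))
}

// normalize makes values differing only in case or surrounding whitespace
// produce the same lookup hash.
func normalize(v string) string { return strings.ToLower(strings.TrimSpace(v)) }

// lookupHash is a blind index: a keyed hash that can be matched but not
// reversed without indexKey.
func lookupHash(value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(normalize(value)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Encrypt seals one value with AES-256-GCM. aad (e.g. "clients/<id>/email")
// is authenticated but not encrypted, so a ciphertext copied into another
// row or column fails to decrypt there.
func Encrypt(value, aad string) (StoredPII, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return StoredPII{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredPII{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredPII{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(value), []byte(aad))
	return StoredPII{Nonce: nonce, Ciphertext: ct, Lookup: lookupHash(value)}, nil
}

// Decrypt reverses Encrypt and fails if ciphertext, nonce, tag or aad changed.
func Decrypt(rec StoredPII, aad string) (string, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(aad))
	if err != nil {
		return "", fmt.Errorf("authentication failed (record altered or wrong context): %w", err)
	}
	return string(pt), nil
}

// FindByEmail is the lookup-column search: hash the query the same way and
// compare hashes, so no row is decrypted to find the match.
func FindByEmail(rows []StoredPII, email string) (int, bool) {
	want := lookupHash(email)
	for i, r := range rows {
		if hmac.Equal([]byte(r.Lookup), []byte(want)) {
			return i, true
		}
	}
	return -1, false
}

func main() {
	// Constructed sample clients; the AAD ties each value to its row.
	var rows []StoredPII
	for i, e := range []string{"ana@example.com", "Ben@Example.com"} {
		rec, err := Encrypt(e, fmt.Sprintf("clients/%d/email", i))
		if err != nil {
			panic(err)
		}
		rows = append(rows, rec)
	}
	idx, ok := FindByEmail(rows, "  ben@example.com ")
	fmt.Println("found:", ok, "row:", idx)
	pt, err := Decrypt(rows[idx], fmt.Sprintf("clients/%d/email", idx))
	fmt.Println("decrypted:", pt, err)
	_, err = Decrypt(rows[idx], "clients/0/email") // wrong row context
	fmt.Println("wrong-row decrypt:", err)
}
```

Two design points a reviewer would check in real code: the nonce is freshly random for every Seal call (reusing a nonce under the same GCM key breaks both confidentiality and integrity), and the lookup key is kept separate from the data key so that the ability to search does not imply the ability to decrypt.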

🪪 Authentication

BallBot uses Google OAuth for sign-in. We never store passwords. Your Google credentials are handled entirely by Google — we only receive a secure token.

  • Optional TOTP-based multi-factor authentication (MFA) for an extra layer of security.
  • Session tokens are short-lived and automatically refreshed.
  • All authentication flows are handled by Supabase Auth, a battle-tested auth provider.

🧱 Data Isolation

Every table in BallBot is protected by Row Level Security (RLS) policies. This means Coach A can never see, query, or modify Coach B's data — even if someone found a way to bypass the application layer.

  • Tenant isolation is enforced at the database level, not just the application level.
  • Every query is automatically scoped to the authenticated coach's ID.
  • There are no shared tables, and cross-tenant data leakage is not possible.

📋 Audit Logging

Every action in BallBot is logged with a timestamp, the actor who performed it, and the IP address. This creates a complete, tamper-resistant audit trail.

  • Client record creation, updates, and archival are all logged.
  • Message sends, payment events, and waiver signatures are tracked.
  • Audit logs are retained and available for compliance reviews.
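The page does not say how the audit trail is made tamper-resistant. One standard way to get that property is to chain each entry to the previous one by hash, so that editing or removing any past entry breaks every link after it. The following is an added Go example written for this page to illustrate that idea; it is not BallBot's own code, and the entry fields beyond those the page lists (timestamp, actor, IP), the encoding, and the sample entries are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Entry is one audit record: the fields the page lists (timestamp, actor,
// IP) plus the action, linked to the previous entry through PrevHash.
type Entry struct {
	Timestamp time.Time
	Actor     string
	IP        string
	Action    string
	PrevHash  string // Hash of the preceding entry; "" for the first entry
	Hash      string // SHA-256 over this entry's fields and PrevHash
}

// hashEntry covers every field, so changing any of them changes the hash and
// breaks the link stored in the next entry. Fields are length-prefixed so the
// encoding is unambiguous whatever characters they contain.
func hashEntry(e Entry) string {
	var b strings.Builder
	fields := []string{e.Timestamp.UTC().Format(time.RFC3339Nano), e.Actor, e.IP, e.Action, e.PrevHash}
	for _, f := range fields {
		fmt.Fprintf(&b, "%d:%s", len(f), f)
	}
	sum := sha256.Sum256([]byte(b.String()))
	return hex.EncodeToString(sum[:])
}

// Append adds an entry chained to the current tail of the log.
func Append(log []Entry, ts time.Time, actor, ip, action string) []Entry {
	e := Entry{Timestamp: ts, Actor: actor, IP: ip, Action: action}
	if n := len(log); n > 0 {
		e.PrevHash = log[n-1].Hash
	}
	e.Hash = hashEntry(e)
	return append(log, e)
}

// Verify recomputes every hash and link. It returns the index of the first
// entry whose contents or chain position no longer match, or -1 if intact.
func Verify(log []Entry) int {
	prev := ""
	for i, e := range log {
		if e.PrevHash != prev || hashEntry(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	// Constructed sample entries (documentation IP range, fixed timestamps).
	t0 := time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC)
	var log []Entry
	log = Append(log, t0, "coach_a", "203.0.113.10", "client.create")
	log = Append(log, t0.Add(time.Minute), "coach_a", "203.0.113.10", "client.update")
	log = Append(log, t0.Add(2*time.Minute), "coach_a", "203.0.113.10", "client.archive")
	fmt.Println("intact log, first bad index:", Verify(log))

	// Rewriting history: an edited middle entry, even with its own hash
	// recomputed, is exposed by the next entry's PrevHash.
	log[1].Action = "client.delete"
	log[1].Hash = hashEntry(log[1])
	fmt.Println("edited log, first bad index:", Verify(log))
}
```

The chain only detects edits if the latest hash is anchored somewhere the log writer cannot alter, for example copied periodically to separate storage or a different account; without that, an attacker who can rewrite the whole table can also rewrite the whole chain. Retention, which the page lists separately, is a different control.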

🇪🇺 GDPR Compliance

BallBot is built with privacy by design. We support GDPR rights including:

  • Right to erasure: Account deletion with a 30-day grace period. After 30 days, all data is permanently purged.
  • Data portability: Export all your data at any time in standard formats (CSV, JSON).
  • Consent management: Cookie consent banner on the marketing site. Analytics only load after explicit consent.
  • Data minimization: We only collect data necessary for the service to function.

🏗️ Infrastructure

BallBot runs on industry-leading infrastructure with enterprise-grade security certifications.

  • Vercel: Application hosting. SOC 2 Type II certified.
  • Supabase: Database & auth. SOC 2 Type II certified.
  • Stripe: Payment processing. PCI DSS Level 1.

Responsible Disclosure

Found a security vulnerability? We appreciate responsible disclosure. Please report it to:

security@ballbot.coach