# Security Overview
Last updated: February 16, 2026
Peer10 handles sensitive data about children and families. We take security seriously and implement multiple layers of protection across our infrastructure, application, and operations. This page provides an overview of our security practices for organizations evaluating Peer10.
## Infrastructure Security
- Managed cloud infrastructure: Hosted on DigitalOcean's managed platform with automated security patching, DDoS protection, and network isolation
- Encryption at rest: All data stores use AES-256 encryption at rest, including the primary database, media storage, and backups
- Encryption in transit: All connections use TLS 1.3. HSTS is enforced across all domains. Certificate transparency monitoring is enabled
- Automated backups: Daily automated backups with point-in-time recovery. Backups are encrypted and stored in a separate region
- CDN-backed media delivery: Media content is served through a CDN with presigned URLs — no permanent public links to uploaded content
## Application Security
- Tenant isolation: Every database query is scoped to the requesting organization. Row-level security (RLS) is enforced at the database layer, preventing cross-tenant data access even in the event of application-level bugs
- Role-based access control (RBAC): Five-level role hierarchy (director, admin, coach, team parent, parent/athlete) enforced in middleware on every request
- Input validation: All API inputs are validated using Zod schemas at the boundary. Parameterized queries via Drizzle ORM prevent SQL injection
- OWASP Top 10: Our development practices address the OWASP Top 10 including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, XSS, insecure deserialization, known vulnerabilities, and insufficient logging
- CSRF protection: Cross-site request forgery tokens are required for all state-changing operations
- Content Security Policy: CSP headers restrict script sources and prevent XSS attacks
## Authentication Security
- Industry-standard auth: Authentication handled by Supabase Auth with bcrypt password hashing (cost factor 10+)
- Multi-factor authentication: MFA support available for all users
- Secure session management: Short-lived JWTs with automatic refresh via HTTP-only cookies. Sessions are invalidated on password change
- Rate limiting: Authentication endpoints are rate-limited to prevent brute force attacks
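As an added example for the session-management and rate-limiting points above (example code written for this page, not Peer10's or Supabase Auth's implementation), the TypeScript below shows three server-side checks: the per-request validation of a session token, including the "invalidate on password change" rule; the cookie attributes that keep a refresh token away from script; and a sliding-window limiter for authentication endpoints. The claim names, the user-record shape and the limiter parameters are assumptions, and signature verification of the JWT is assumed to have already happened.

```typescript
// Example code added for this page (not Peer10's or Supabase Auth's code).
// Claim names, the user record and limiter parameters are assumptions.

interface Claims { sub: string; iat: number; exp: number } // seconds since epoch
interface UserRecord { id: string; passwordChangedAt: number } // seconds since epoch

export interface SessionCheck { valid: boolean; reason?: string }

// Applied on every request, after the token's signature has been verified.
export function checkSession(claims: Claims, users: Map<string, UserRecord>, now: number): SessionCheck {
  const user = users.get(claims.sub);
  if (!user) return { valid: false, reason: "unknown-user" };
  if (now >= claims.exp) return { valid: false, reason: "expired" };
  // "Sessions are invalidated on password change": a token minted before the
  // latest password change is rejected even though its signature and expiry
  // are fine. Short expiry bounds the window; this check closes it.
  if (claims.iat < user.passwordChangedAt) {
    return { valid: false, reason: "issued-before-password-change" };
  }
  return { valid: true };
}

// Set-Cookie value for the refresh token. HttpOnly keeps it out of reach of
// script (so XSS cannot read it), Secure restricts it to TLS, SameSite limits
// cross-site sending, and the narrow Path keeps it off ordinary API requests.
export function refreshCookie(token: string, maxAgeSeconds: number): string {
  return [
    `refresh_token=${encodeURIComponent(token)}`,
    "HttpOnly",
    "Secure",
    "SameSite=Lax",
    "Path=/auth/refresh",
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Sliding-window limiter for authentication endpoints. The key is chosen by
// the caller; a deployment typically runs one instance keyed by client IP and
// another keyed by target account so that both spraying and single-account
// brute force are slowed.
export class AuthRateLimiter {
  private readonly attempts = new Map<string, number[]>();
  private readonly maxAttempts: number;
  private readonly windowSeconds: number;

  constructor(maxAttempts: number, windowSeconds: number) {
    this.maxAttempts = maxAttempts;
    this.windowSeconds = windowSeconds;
  }

  // Returns true if the attempt may proceed; attempts outside the window are forgotten.
  allow(key: string, now: number): boolean {
    const recent = (this.attempts.get(key) ?? []).filter((t) => t > now - this.windowSeconds);
    if (recent.length >= this.maxAttempts) {
      this.attempts.set(key, recent);
      return false;
    }
    recent.push(now);
    this.attempts.set(key, recent);
    return true;
  }
}
```

Note that the limiter counts attempts, not failures, so a correct password still consumes a slot; counting only failures is a reasonable variant, but it lets an attacker learn that a guess succeeded from the absence of a throttle.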
## Data Security
- Organization-scoped data: All application data is scoped to the organization level. There is no mechanism for cross-organization data access in the application
- No public data: Player profiles, media, and organization data are never publicly accessible or search-engine indexed
- Data export: Organization administrators can export their data at any time
- Data deletion: All data is permanently deleted within 30 days of an account deletion request
## AI Security
- No PII to AI providers: When using AI features, we send only anonymized entity IDs and data — no personally identifiable information reaches third-party AI services
- Organization-scoped: AI processing is strictly scoped to the requesting organization's data
- No model training: Neither Anthropic nor OpenAI use our data for model training, per our data processing agreements
- Human oversight: All AI outputs are advisory — they require human review before any action is taken
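As an added example of the "no PII to AI providers" rule (example code written for this page, not Peer10's pipeline), the TypeScript below replaces a player's name and email with an opaque, organization-scoped entity token before any text is sent out, refuses to send if an email address survives, and maps the provider's answer back to names locally. The record shape, the per-organization key and the free-text substitution approach are assumptions; it assumes Node for `node:crypto` and `Buffer`. Structured records are better mapped field by field; the text substitution here is the fallback for free-form notes, which is why the email gate runs last.

```typescript
// Example code added for this page (not Peer10's). Record shapes, the
// per-organization key and the substitution approach are assumptions.
import { createHmac } from "node:crypto";

interface PlayerRecord { id: string; name: string; email: string }

// Stable token for an entity within one organization. Keying the HMAC per
// organization means the same person cannot be linked across organizations,
// and the provider never sees a database id or any real attribute.
export function entityToken(orgKey: Buffer, entityId: string): string {
  return "ENT_" + createHmac("sha256", orgKey).update(entityId).digest("hex").slice(0, 12);
}

export interface Pseudonymized { text: string; lookup: Map<string, string> }

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Replace each player's full name, name parts and email in free text with the
// entity token. Longest aliases first so "Jane Doe" is consumed before "Jane".
export function pseudonymize(orgKey: Buffer, players: PlayerRecord[], text: string): Pseudonymized {
  const lookup = new Map<string, string>();
  let out = text;
  for (const p of players) {
    const token = entityToken(orgKey, p.id);
    lookup.set(token, p.name);
    const aliases = [p.name, ...p.name.split(/\s+/), p.email]
      .filter((a) => a.length > 0)
      .sort((a, b) => b.length - a.length);
    for (const alias of aliases) {
      out = out.replace(new RegExp(`\\b${escapeRegExp(alias)}\\b`, "gi"), token);
    }
  }
  return { text: out, lookup };
}

// Last gate before the outbound call: anything that still looks like an email
// address means a record was missed, so the request must not leave.
export function containsEmail(text: string): boolean {
  return /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/.test(text);
}

// Map the provider's (advisory) output back to display names for human review.
// This is lossy by design: an email that was tokenized comes back as the name.
export function rehydrate(text: string, lookup: Map<string, string>): string {
  let out = text;
  for (const [token, name] of lookup) out = out.split(token).join(name);
  return out;
}

// Wrapper around an assumed provider call: refuses to send if PII survived.
export function prepareForProvider(orgKey: Buffer, players: PlayerRecord[], text: string): Pseudonymized {
  const result = pseudonymize(orgKey, players, text);
  if (containsEmail(result.text)) {
    throw new Error("refusing to send: email address present after pseudonymization");
  }
  return result;
}
```

The organization key lives with the organization's other secrets and is never sent to the provider; together with the "organization-scoped" rule above, that is what lets tokens be stable enough for the model to reason about the same player across a conversation without being meaningful to anyone outside the organization.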
## Incident Response
Our incident response plan includes:
- Detection: Automated monitoring and alerting for anomalous access patterns, failed authentication attempts, and infrastructure anomalies
- Containment: Defined procedures for isolating affected systems and preventing further unauthorized access
- Notification: Affected organizations notified within 72 hours of a confirmed data breach. Relevant regulatory authorities notified as required by law
- Recovery: Restoration from encrypted backups with post-incident review
- Post-mortem: Root cause analysis and preventive measures documented and shared with affected parties
## Vulnerability Disclosure
We welcome responsible security research. If you discover a vulnerability in our platform:
- Email: [email protected]
- Please provide sufficient detail for us to reproduce and fix the issue
- Allow us a reasonable timeframe (90 days) to address the vulnerability before disclosure
- Do not access, modify, or delete data belonging to other users during testing
We will not take legal action against researchers who follow responsible disclosure practices.
## Compliance Roadmap
| Certification | Status |
|---|---|
| COPPA Compliance | Active — including 2025 amendments |
| GDPR Compliance | Active — DPA available |
| CCPA/CPRA Compliance | Active |
| SOC 2 Type II | Planned — audit engagement targeted |
| PCI DSS (SAQ A) | Active via Stripe |
## Penetration Testing
We conduct periodic penetration testing through qualified third-party security firms. Results and remediation summaries are available to enterprise customers under NDA.
## Employee Security
- Background checks for all personnel with access to production data
- Principle of least privilege for all access grants
- Security awareness training for all team members
- Confidentiality agreements signed by all personnel
## Contact
For security questions or to request additional documentation:
- Security team: [email protected]
- Data Protection Officer: [email protected]