ScoutAtlas
Security

How we protect your club’s data.
Without the marketing fluff.

Football intelligence is sensitive. A leaked shortlist costs a deal. A leaked medical costs a career. Below is the full Scout Atlas security model — what we do, how we do it, and what we explicitly choose not to do.

The pillars

Six commitments. Auditable.

Pillar 01

Encrypted by default

TLS 1.3 in transit. AES-256-GCM at rest. Deal Room messages are end-to-end encrypted with per-room keys we cannot read.

Pillar 02

Identity verified

Magic-link auth with optional TOTP MFA. Domain-bound work emails. Role assignment requires admin approval, not a self-checkbox.

Pillar 03

Row-level isolation

Postgres RLS enforces club boundaries at the database layer. A bug in the app cannot expose another club’s data.

Pillar 04

Audit by default

Every authenticated action — view, score, message, override — is logged immutably. Club admins can export their org’s audit log on demand.

Pillar 05

Compliance-aware

GDPR, KVKK; SOC 2 Type II targeted for Q4 2026. A founder-led data protection officer handles every request inside 30 days.

Pillar 06

No model training without consent

Public datasets train Match and Vision. Member-club private data is encrypted with per-club keys and is never used to train cross-club models without written consent.

Controls register

The full list, by area.

If your security team has a procurement questionnaire, this section answers about 70% of it. We’ll happily fill in the rest.

Authentication & access

  • Supabase magic-link OTP, hardware-key TOTP optional
  • Per-role permission matrix enforced in middleware + RLS
  • Club admins control invite, role, and revocation
  • Session expiry: 7 days idle, 30 days absolute, configurable per org

Data protection

  • AES-256-GCM at rest for sensitive columns (PII, biometric data)
  • TLS 1.3 in transit, HSTS preload, modern cipher suites only
  • Per-club key envelopes for private GPS/biometric streams
  • Row-level security in Postgres for every club-scoped table
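As an added example of the row-level isolation described under Pillar 03 and in this list (it is not ScoutAtlas's schema or code), a club-scoped table protected by a Postgres RLS policy; the table, column, role and setting names are assumptions, and it also shows the owner-bypass and connection-pool caveats a reviewer would check.

```sql
-- Added example, not ScoutAtlas's schema or code. Table, column, role and
-- setting names (shortlists, club_id, app_user, app.club_id) are assumptions.
-- PostgreSQL 9.6 or later syntax.
CREATE TABLE shortlists (
    id      bigserial PRIMARY KEY,
    club_id uuid NOT NULL,
    player  text NOT NULL
);

-- Constructed sample rows for two clubs, loaded before RLS is switched on.
INSERT INTO shortlists (club_id, player) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Striker A'),
    ('22222222-2222-2222-2222-222222222222', 'Keeper B');

-- The app connects as a low-privilege role, never as the table owner or a
-- superuser: superusers bypass RLS entirely, and owners bypass it unless
-- FORCE ROW LEVEL SECURITY is set. With no policy matching a role, the
-- default is to show nothing.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON shortlists TO app_user;
GRANT USAGE, SELECT ON SEQUENCE shortlists_id_seq TO app_user;
ALTER TABLE shortlists ENABLE ROW LEVEL SECURITY;
ALTER TABLE shortlists FORCE ROW LEVEL SECURITY;

-- Every read and write is scoped to the club pinned in a session setting.
-- The second argument (missing_ok) makes an unset variable return NULL, so
-- a request that forgot to set its club sees zero rows, not every club's.
CREATE POLICY club_isolation ON shortlists FOR ALL TO app_user
    USING      (club_id = current_setting('app.club_id', true)::uuid)
    WITH CHECK (club_id = current_setting('app.club_id', true)::uuid);

-- Per request: SET LOCAL binds role and club to this transaction only, so a
-- pooled connection reused by the next request starts with nothing set.
-- (The connecting role must be a member of app_user: GRANT app_user TO <role>.)
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.club_id = '11111111-1111-1111-1111-111111111111';
SELECT player FROM shortlists;   -- returns 'Striker A' only
-- The policy is ANDed onto every statement: a missing or buggy WHERE clause
-- in the app cannot widen the result, and a write tagged with another
-- club's id fails WITH CHECK and is rejected.
INSERT INTO shortlists (club_id, player)
    VALUES ('22222222-2222-2222-2222-222222222222', 'Smuggled C');  -- ERROR
COMMIT;
```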

Application security

  • Strict Content-Security-Policy + Trusted Types
  • Input validation on every endpoint (allowlist, max-length, type coercion)
  • Prepared statements only — no string concatenation in SQL
  • Dependabot + secret scanning enabled on every commit

Operational

  • Quarterly penetration test by an independent firm (year 2 onwards)
  • Background-checked engineers; no offshore contractors with prod access
  • Encrypted backups, 30-day retention, tested quarterly
  • Incident response runbook with founder-on-call rotation

Privacy

  • GDPR and KVKK Article 15 / Article 17 requests answered inside 30 days
  • No data resale. No advertising tracking. No cross-context analytics.
  • EU-region data residency available on Analyst tier and above
  • Data deletion on request: 30-day soft delete, then cryptographic erasure

What we don’t do

The things we won’t compromise on.

Won’t do

Sell or share your data.

No data resale, no broker partnerships, no “anonymized” datasets in the back-office. Your roster is yours.

Won’t do

Train models on private data without consent.

Member-club private inputs (GPS, biometrics, medical) train no models. Period. Public datasets are publicly disclosed.

Won’t do

Read your Deal Room messages.

Deal Room messaging is end-to-end encrypted. Even if a court order asked us, we couldn’t produce the contents.

Won’t do

Bury incidents.

Any security incident affecting member data is disclosed to affected clubs within 72 hours, with a written post-mortem inside 14 days.

Vulnerability disclosure

Found a flaw? We want to hear from you.

We run an open responsible-disclosure program. Email security@scoutatlas.co with details and reproduction steps. We respond within 48 hours and credit researchers in our changelog when patches ship.