How we protect your club’s data.
Without the marketing fluff.
Football intelligence is sensitive. A leaked shortlist costs a deal. A leaked medical costs a career. Below is the full Scout Atlas security model — what we do, how we do it, and what we explicitly choose not to do.
Six commitments. Auditable.
Pillar 01
Encrypted by default
TLS 1.3 in transit. AES-256-GCM at rest. Deal Room messages are end-to-end encrypted with per-room keys we cannot read.
Pillar 02
Identity verified
Magic-link auth with optional TOTP MFA. Domain-bound work emails. Role assignment requires admin approval, not a self-checkbox.
Pillar 03
Row-level isolation
Postgres RLS enforces club boundaries at the database layer. A bug in the app cannot expose another club’s data.
Pillar 04
Audit by default
Every authenticated action — view, score, message, override — is logged immutably. Club admins can export their org’s audit log on demand.
Pillar 05
Compliance-aware
GDPR, KVKK, SOC 2 Type II target Q4 2026. Founder-led data protection officer handles every request inside 30 days.
Pillar 06
No model training without consent
Public datasets train Match and Vision. Member-club private data is encrypted with per-club keys and is never used to train cross-club models without written consent.
The full list, by area.
If your security team has a procurement questionnaire, this section answers about 70% of it. We’ll happily fill in the rest.
Authentication & access
- Supabase magic-link OTP, hardware-key TOTP optional
- Per-role permission matrix enforced in middleware + RLS
- Club admins control invite, role, and revocation
- Session expiry: 7 days idle, 30 days absolute, configurable per org
Data protection
- AES-256-GCM at rest for sensitive columns (PII, biometric data)
- TLS 1.3 in transit, HSTS preload, modern cipher suites only
- Per-club key envelopes for private GPS/biometric streams
- Row-level security in Postgres for every club-scoped table
Application security
- Strict Content-Security-Policy + Trusted Types
- Input validation on every endpoint (allowlist, max-length, type coercion)
- Prepared statements only — no string concatenation in SQL
- Dependabot + secret scanning enabled on every commit
Operational
- Quarterly penetration test by an independent firm (year 2 onwards)
- Background-checked engineers; no offshore contractors with prod access
- Encrypted backups, 30-day retention, tested quarterly
- Incident response runbook with founder-on-call rotation
Privacy
- GDPR + KVKK Article-15/Article-17 requests answered inside 30 days
- No data resale. No advertising tracking. No cross-context analytics.
- EU-region data residency available on Analyst tier and above
- Data deletion on request: 30-day soft delete, then cryptographic erasure
How Deal Room messages stay private.
Deal Room messaging is end-to-end encrypted using the same primitives as Signal — X3DH key agreement and the Double Ratchet — running entirely in the browser on the Web Crypto API. The server brokers ciphertext and public prekeys; it never holds the keys that decrypt a conversation.
Step 01
X3DH key agreement
Each member holds an Ed25519 signing key and an X25519 ECDH key. To open a channel, the initiator fetches the recipient’s prekey bundle — a signed prekey plus, when available, a one-time prekey — and runs a three-way Diffie-Hellman (3-DH) handshake. The signed prekey proves the bundle belongs to the recipient, not a server impersonating them.
Step 02
Double Ratchet
The shared secret seeds a Double Ratchet. An HKDF-SHA256 symmetric-key chain advances on every message, so a leaked key reveals nothing about earlier messages (forward secrecy). A Diffie-Hellman ratchet step on new ephemeral keys heals the session after a device is briefly compromised (post-compromise security).
Step 03
AES-256-GCM message seal
Each per-message key seals the plaintext with AES-256-GCM (authenticated encryption, 96-bit IV). The server stores only the ciphertext, IV, and the sender’s public ephemeral. It has no path to the message keys derived on the client.
Keys the server never holds.
Private identity, prekey, and ratchet keys are generated and kept on member devices. The bundle endpoint stores only opaque public prekeys; message keys exist only in browser memory. The practical consequence: even Scout Atlas cannot read Deal Room contents — there is no server-side key to compel.
Where this stands today.
This is the encryption design currently shipping at an early (v0) stage. The cryptography is implemented and exercised by tests, but it has not yet had an independent third-party audit and we do not yet describe it as production-hardened. The prekey channel degrades gracefully — one-time prekeys carry a reserve floor, so a drained pool falls back to signed-prekey-only X3DH rather than failing open. We will update this page as the design matures and is reviewed.
EU-region residency and transfer basis.
EU-based member clubs can request EU-region data residency on Analyst tier and above. Where personal data is transferred outside the EEA or UK, we rely on the European Commission’s Standard Contractual Clauses (SCCs) or an applicable adequacy decision; transfers outside Türkiye are conducted under the safeguards required by KVKK Article 9. The full policy lives in our data-protection notice.
The things we won’t compromise on.
Sell or share your data.
No data resale, no broker partnerships, no “anonymized” datasets in the back-office. Your roster is yours.
Train models on private data without consent.
Member-club private inputs (GPS, biometrics, medical) train no models. Period. Public datasets are publicly disclosed.
Read your Deal Room messages.
Deal Room messaging is end-to-end encrypted. Even if a court order asked us, we couldn’t produce the contents.
Bury incidents.
Any security incident affecting member data is disclosed to affected clubs within 72 hours, with a written post-mortem inside 14 days.
Found a flaw? We want to hear from you.
We run an open responsible-disclosure program. Email security@scoutatlas.co with details and reproduction steps. We respond within 48 hours and credit researchers in our changelog when patches ship.