FitFocus

Security

Coach and client data, handled with care

FitFocus is built around tenant isolation, encryption, and least-privilege access. This page is a running summary of the controls we have in place today, and the ones we are still working towards.

How we protect your data

The controls behind every FitFocus workspace

Encryption

All data is encrypted in transit and at rest on our managed Postgres platform.

  • TLS 1.2+ enforced across every public endpoint, with HSTS on the marketing site and applications.
  • Data at rest is encrypted on Supabase-managed Postgres using AES-256.
  • File uploads in Supabase Storage inherit the same at-rest encryption.
  • Passwords are hashed with bcrypt by Supabase Auth, never stored in plain text.

Access controls

Tenant isolation is enforced at the database layer, not in application code.

  • Every tenant-scoped table carries a tenant_id column with Row Level Security policies applied.
  • Role-based access controls separate coaches, gym owners, team members, clients, and platform admins.
  • Service-role credentials are scoped to Edge Functions and never exposed to client bundles.
  • Administrative access to production requires separate credentials and is audited.
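As an added illustration of the tenant isolation described above (example SQL written for this page, not FitFocus's own schema or policies), the following shows how a Postgres Row Level Security policy keyed on a tenant_id column confines every query to one tenant. The table name, the columns, and the app.tenant_id session setting that the application is assumed to set per request are all hypothetical.

```sql
-- Added example, not FitFocus's schema: a tenant-scoped table protected by RLS.
create table workouts (
  id        bigint generated always as identity primary key,
  tenant_id uuid not null,          -- every tenant-scoped row carries its tenant
  owner_id  uuid not null,
  notes     text
);

-- Enable RLS and force it so the table owner is subject to the policy too.
alter table workouts enable row level security;
alter table workouts force row level security;

-- Hypothetical helper: the application sets app.tenant_id for each request.
-- current_setting(..., true) returns NULL instead of erroring when it is unset,
-- so a request with no tenant context sees no rows at all.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select nullif(current_setting('app.tenant_id', true), '')::uuid
$$;

-- One policy covers SELECT, INSERT, UPDATE and DELETE:
-- USING filters rows that can be read, WITH CHECK rejects writes that would
-- land in another tenant, even if the client supplies a foreign tenant_id.
create policy workouts_tenant_isolation on workouts
  for all
  using (tenant_id = current_tenant_id())
  with check (tenant_id = current_tenant_id());

-- Constructed check: within a transaction, only the matching tenant's rows are
-- visible, and an insert for a different tenant is rejected by WITH CHECK.
begin;
set local app.tenant_id = '00000000-0000-0000-0000-000000000001';
select count(*) from workouts;   -- counts rows for tenant ...0001 only
insert into workouts (tenant_id, owner_id, notes)
values ('00000000-0000-0000-0000-000000000002',
        '00000000-0000-0000-0000-0000000000aa', 'wrong tenant');
-- ERROR: new row violates row-level security policy for table "workouts"
rollback;
```

Two caveats worth checking in any deployment of this pattern: superusers and roles with BYPASSRLS (including a service-role credential) are not subject to these policies, which is why keeping such credentials out of client bundles matters, and the policy only protects tables that actually have RLS enabled, so a query such as `select relname from pg_class where relrowsecurity is false` against the tenant-scoped tables is a useful CI check.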

Backups and durability

Managed backups and point-in-time recovery mean a bad day stays a bad day, not a catastrophic one.

  • Daily managed backups of the primary Postgres database via Supabase.
  • Point-in-time recovery available within the retention window offered by our database provider.
  • File storage backed by redundant object storage on Supabase Storage.

Incident response

If something goes wrong, we communicate early and often.

  • A documented runbook covers triage, containment, customer communication, and post-incident review.
  • Affected workspace owners are notified without undue delay after we confirm a material incident.
  • Post-incident write-ups are shared for significant events that impact availability or data integrity.

People and process

Access to production systems is limited and monitored.

  • Least-privilege access to production for engineering staff; administrative access requires additional controls.
  • All team accounts protected by single sign-on and hardware-backed second factors.
  • Code changes land through peer review and CI checks before reaching production.

Application security

Secure-by-default patterns are baked into how we build.

  • Input validation via zod schemas on every boundary that accepts user data.
  • Content Security Policy and modern security headers on marketing and application surfaces.
  • Automated dependency update and vulnerability scanning in CI.
  • No secrets in client bundles, verified by tooling and code review.

Compliance

Where we stand on frameworks and attestations

We publish the truth about our compliance posture, not badges we have not earned. The table below is updated whenever a new attestation is issued or a framework status materially changes.

Framework | Status | Notes
Australian Privacy Act 1988 (APPs) | Aligned | Our handling of personal information is designed around the thirteen Australian Privacy Principles.
GDPR (EU) 2016/679 | Aligned | GDPR-aligned rights and processor obligations are reflected in the Privacy Policy and DPA.
PCI DSS | Notice | Cardholder data is never handled by FitFocus. Stripe (PCI DSS Level 1) handles all payment processing.
SOC 2 Type II | Working towards | No report has been issued yet. We are working towards SOC 2 readiness and will publish attestations once they are available.
ISO/IEC 27001 | Working towards | Not currently certified. Listed here so prospective enterprise customers can plan accordingly.

Responsible disclosure

Found a vulnerability? Tell us.

We welcome reports from security researchers and users. Please share the issue privately, give us a reasonable window to remediate before publishing, and act in good faith: no data exfiltration, no service disruption, and no accessing accounts other than the ones you own or have explicit permission to test.

We acknowledge valid reports and credit researchers where appropriate.

What to expect

  • Acknowledgement from our security team.
  • Triage and confirmation of the issue, with regular updates through to remediation.
  • Coordinated disclosure once a fix is in place, with credit if you would like it.

Subprocessors

Who we work with

A small, carefully chosen set of vendors helps us run the platform. No third-party analytics or advertising tools are used on the marketing website in v1.