FitFocus

Security

Your data, and your clients' data, kept safe

When you move your coaching business to FitFocus, you are trusting us with sensitive client information. We take that seriously. This page lays out the controls we have in place today, and the ones we are still working towards, in plain language.

How we protect your data

Six layers of protection behind every workspace

Encryption

All data is encrypted in transit, and at rest on the Supabase-managed Postgres and Storage platform the product runs on.

  • TLS 1.2+ enforced across every public endpoint, with HSTS on the marketing site and applications.
  • Data at rest is encrypted on Supabase-managed Postgres using AES-256.
  • File uploads in Supabase Storage inherit the same at-rest encryption.
  • Passwords are hashed with bcrypt by Supabase Auth, never stored in plain text.

Access controls

One coach's data is never visible to another. Isolation is enforced at the database layer, not left to application code.

  • Every tenant-scoped table carries a tenant_id column with Row Level Security policies applied.
  • Role-based access controls separate coaches, gym owners, team members, clients, and platform admins.
  • Service-role credentials, which bypass Row Level Security, are confined to server-side Edge Functions and are never shipped in client bundles.
  • Administrative access to production requires separate credentials and is audited.
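The pattern the bullets above describe, as an added illustration rather than FitFocus's own schema: a tenant-scoped table with a tenant_id column, Row Level Security switched on, and policies that resolve the caller's identity through a membership table. The table names, the memberships table and the example uuids are assumptions for this example; auth.uid() is the helper Supabase provides that returns the caller's user id from the request JWT.

```sql
-- Added example (not FitFocus's schema): tenant isolation with Postgres RLS on Supabase.
-- Assumed for illustration: public.memberships maps users to tenants, public.client_notes
-- is one tenant-scoped table. auth.uid() is Supabase's JWT helper.

-- Who belongs to which tenant. Every policy below resolves identity through this table.
create table public.memberships (
  tenant_id uuid not null,
  user_id   uuid not null references auth.users (id) on delete cascade,
  role      text not null check (role in ('owner', 'coach', 'team_member', 'client')),
  primary key (tenant_id, user_id)
);

-- A tenant-scoped table: every row carries the tenant it belongs to.
create table public.client_notes (
  id         uuid primary key default gen_random_uuid(),
  tenant_id  uuid not null,
  client_id  uuid not null,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Privileges let the API role reach the tables; RLS decides which rows it may touch.
grant select on public.memberships to authenticated;
grant select, insert, update, delete on public.client_notes to authenticated;

-- Deny by default. ENABLE turns RLS on; FORCE makes it apply even to the table owner.
alter table public.memberships  enable row level security;
alter table public.client_notes enable row level security;
alter table public.client_notes force row level security;

-- A user sees only their own membership rows, which is all the policies below need.
create policy memberships_read_own on public.memberships
  for select to authenticated
  using (user_id = auth.uid());

-- Reads: only rows whose tenant the caller is a member of (any role, including clients).
create policy client_notes_read on public.client_notes
  for select to authenticated
  using (
    exists (
      select 1
      from public.memberships m
      where m.tenant_id = client_notes.tenant_id
        and m.user_id   = auth.uid()
    )
  );

-- Writes: USING filters the rows an owner/coach may change; WITH CHECK is evaluated
-- against the new row, so whatever tenant_id the client sends, a row cannot be inserted
-- into or moved to a tenant the caller does not belong to.
create policy client_notes_write on public.client_notes
  for all to authenticated
  using (
    exists (
      select 1 from public.memberships m
      where m.tenant_id = client_notes.tenant_id
        and m.user_id   = auth.uid()
        and m.role in ('owner', 'coach')
    )
  )
  with check (
    exists (
      select 1 from public.memberships m
      where m.tenant_id = client_notes.tenant_id
        and m.user_id   = auth.uid()
        and m.role in ('owner', 'coach')
    )
  );

-- Check it from psql by impersonating an authenticated user (constructed uuid):
-- request.jwt.claims is the setting auth.uid() reads on Supabase.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
                    true);
  -- Rows from other tenants are simply absent, not rejected; an insert carrying a
  -- foreign tenant_id fails with "new row violates row-level security policy".
  select id, tenant_id from public.client_notes;
rollback;
```

Two things this makes concrete. A tenant_id column on its own enforces nothing; the policies are what isolate, so every tenant-scoped table needs them, and the membership table they consult needs its own policy or the subquery returns nothing. And Supabase's service_role bypasses RLS entirely, which is why that key belongs only in server-side Edge Functions and never in a browser or mobile bundle.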

Backups and durability

Your clients' history is safe. Managed backups and point-in-time recovery mean a bad day stays a bad day, not a catastrophe.

  • Daily managed backups of the primary Postgres database via Supabase.
  • Point-in-time recovery available within the retention window offered by our database provider.
  • File storage backed by redundant object storage on Supabase Storage.

Incident response

If something goes wrong, you hear it from us early, not from someone else later.

  • A documented runbook covers triage, containment, customer communication, and post-incident review.
  • Affected workspace owners are notified without undue delay after we confirm a material incident.
  • Post-incident write-ups are shared for significant events that impact availability or data integrity.

People and process

Only the people who need access to production systems have it, and that access is monitored.

  • Least-privilege access to production for engineering staff; administrative access requires additional controls.
  • All team accounts protected by single sign-on and hardware-backed second factors.
  • Code changes land through peer review and CI checks before reaching production.

Application security

Secure-by-default patterns are baked into how we build.

  • Input validation via zod schemas on every boundary that accepts user data.
  • Content Security Policy and modern security headers on marketing and application surfaces.
  • Automated dependency updates and vulnerability scanning in CI.
  • No secrets in client bundles, verified by tooling and code review.

Compliance

An honest view of where we stand

We publish the truth about our compliance posture, not badges we have not earned. We keep this table current whenever a new attestation is issued or a framework status materially changes, so what you see here is what you get.

Framework                          | Status          | Notes
-----------------------------------|-----------------|------------------------------------------------------------------
Australian Privacy Act 1988 (APPs) | Aligned         | Our handling of personal information is designed around the thirteen Australian Privacy Principles.
GDPR (EU) 2016/679                 | Aligned         | GDPR-aligned rights and processor obligations are reflected in the Privacy Policy and DPA.
PCI DSS                            | Notice          | Cardholder data is never handled by FitFocus. Stripe (PCI DSS Level 1) handles all payment processing.
SOC 2 Type II                      | Working towards | No report has been issued yet. We are working towards SOC 2 readiness and will publish attestations once they are available.
ISO/IEC 27001                      | Working towards | Not currently certified. Listed here so prospective enterprise customers can plan accordingly.

Responsible disclosure

Found a vulnerability? Tell us.

We welcome reports from security researchers and users. Please share the issue privately, give us a reasonable window to remediate before publishing, and act in good faith: no data exfiltration, no service disruption, and no accessing accounts other than ones you own or have explicit permission to test.

We acknowledge valid reports and credit researchers where appropriate.

What to expect

  • Acknowledgement from our security team.
  • Triage and confirmation of the issue, with regular updates through to remediation.
  • Coordinated disclosure once a fix is in place, with credit if you would like it.

Subprocessors

The vendors behind the platform

A small, carefully chosen set of vendors helps us run the platform, and you can see every one of them. No third-party analytics or advertising tools are used on the marketing website in v1.