Security

Effective date: 2026-05-17 · Last updated: 2026-05-17

MatCommunity is a small bootstrapped team that takes security seriously. We don’t cosplay enterprise — we just do the fundamentals well: encrypt everything, isolate payment processing through Stripe, use a small list of reputable sub-processors, and publish how we’d handle an incident. Anything below that’s unclear, email [email protected].

1. Encryption

  • In transit: TLS 1.2 or higher for every connection from the browser, the mobile apps, and our internal services. HSTS is preloaded; HTTP requests redirect to HTTPS at the edge.
  • At rest: AES-256 for the primary Postgres database, object storage, and backup volumes. Encryption is managed by Supabase (database) and Cloudflare (object storage at the edge).
  • Per-field encryption: sensitive fields (e.g. Stripe refresh tokens, OAuth credentials, signed-waiver PDFs) are encrypted at the application layer with envelope keys, on top of the storage-layer encryption.

2. Authentication

  • Passwords: bcrypt-hashed at rest (handled by Supabase Auth). We never see or log passwords.
  • Multi-factor authentication: available on all paid tiers via TOTP authenticator apps. Recommended for every owner and admin account; required on Affiliate and Network tiers.
  • Member apps: magic-link or OAuth (Apple, Google) via Supabase Auth. No member-facing passwords if the gym opts into magic-link mode.
  • Session management: JWT access tokens with short expiry and rotating refresh tokens. Suspicious-login signals (new device, new country) trigger re-authentication.

3. Payments

All card data is handled by Stripe, which is PCI-DSS Level 1 certified — the highest tier in the standard. MatCommunity servers are out of PCI scope: cards are tokenized on the client, the token is exchanged with Stripe server-to-server, and the raw PAN never touches our infrastructure. We see only the last-four and the tokenized customer reference.

Stripe Connect routes member payments directly to each gym’s own connected Stripe account. Webhooks are signed and verified; every state-changing call uses idempotency keys.

4. Hosting

  • Static site: Cloudflare Pages with global edge distribution and DDoS protection.
  • API: Railway, US-East primary region.
  • Database: Supabase Postgres, US-East primary region, with read replicas for analytics workloads.
  • Backups: daily encrypted backups with 30-day retention. Point-in-time recovery enabled for the Postgres cluster.
  • Disaster recovery: documented runbook with a target recovery time objective (RTO) of 4 hours and recovery point objective (RPO) of 24 hours. Drills run quarterly once we’re post-alpha.

5. Access controls

The product enforces role-based access control with four levels:

  • Owner — full access including billing, data export, and team management.
  • Admin — full operational access; cannot change billing or delete the account.
  • Coach — can run classes, take attendance, promote belts; cannot see financials.
  • Member — only their own profile, schedule, payments, and progress.

A read-only audit log tracking who did what and when is available on Black Belt tier and above — 90-day rolling retention by default, extended retention on Affiliate and Network. Internal MatCommunity staff access to production data is gated by role, logged, and requires explicit approval per access event.

6. Compliance roadmap

  • SOC 2 Type 1 — audit scheduled for Q4 2026.
  • SOC 2 Type 2 — observation window through Q3 2027.
  • GDPR: a Data Processing Addendum is available on request; email [email protected] or see the DPA page.
  • CCPA: “Do Not Sell My Personal Information” is honored by default — we don’t sell personal data.
  • PCI-DSS: minimal scope (SAQ-A) by virtue of tokenizing all card data through Stripe.

7. Responsible disclosure

We welcome security research. Report vulnerabilities to [email protected]. PGP key: [public key fingerprint — coming soon]. We acknowledge within one business day and coordinate disclosure on a 90-day window from acknowledgement.

Rewards. We send swag for low-risk reports and pay monetary bug bounties for validated high-severity findings. Severity assessment uses CVSS 3.1.

Safe harbor. Good-faith research conducted in accordance with the disclose.io standard will not be subject to legal action by MatCommunity. Do not access data that isn’t your own, do not run automated scans against the production API without coordination, and do not extract or retain member data — if you stumble into something, stop and email us.

8. Sub-processors

For the full list of sub-processors and their regions, see Section 4 of the Privacy Policy. Every sub-processor undergoes a security review before on-boarding and is contractually bound to security and privacy obligations at least as protective as ours.

9. Incident response

In the event of a confirmed data breach affecting your gym, we will notify affected account owners within 72 hours per GDPR Article 33, including what was accessed, when, the steps we’ve taken to contain it, and the steps you should take. We publish ongoing status updates at status.matcommunity.com (live once we’re post-alpha). Our internal runbook covers containment, eradication, forensics handoff, customer notification, and post-incident review.