Trust & Safety

Security & Compliance

How we protect your exercises, participant responses, and account data — from infrastructure to application layer.

🏗️
Infrastructure — Railway on Google Cloud
The platform runs on Railway, which is built on top of Google Cloud Platform. All services run in isolated containers on private networking with no public database exposure.
SOC 2 Type II
Railway / GCP
ISO 27001
Railway / GCP
GDPR Compliant
Railway / GCP
DDoS Protection
Cloudflare-backed
🔒
Encryption in transit
All traffic between your browser and the platform is encrypted using TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
💾
Encryption at rest
Exercise data, participant responses, and all account information are stored in a SQLite database on a Railway persistent Volume. The underlying GCP disk storage is AES-256 encrypted at rest.
📦
Isolated containers
The application runs in a dedicated isolated container on Railway's private network. The database is not publicly accessible — it is only reachable from within the application container.
🔁
Persistent storage & backups
Data is stored on a Railway persistent Volume that survives deployments and restarts. Railway's underlying GCP infrastructure provides durable storage with redundancy built in.

🔐
Application Security
Security controls built directly into the application layer — from authentication to data access.
🔑
Password hashing with bcrypt
Passwords are never stored in plaintext. We use bcrypt with a cost factor of 12, so even if the database were compromised, the stored hashes could not be reversed to recover passwords, and the cost factor makes brute-force guessing deliberately slow.
🍪
Secure session management
Authentication uses server-side sessions with cryptographically signed, HTTP-only cookies. Cookies are marked Secure in production and expire after 7 days. Sessions are stored server-side in the database — there is no sensitive data in the cookie itself.
🛡
SQL injection prevention
All database queries use parameterised statements via the built-in Node.js SQLite driver. User input is never interpolated directly into SQL.
🚫
Authentication on all protected routes
Every API endpoint that accesses exercises, reports, scenarios, or account data requires a valid authenticated session. Unauthenticated requests receive a 401 response and are never served any data.
Server-side input validation
All inputs are validated on the server. Client-side validation is a convenience only — the server never trusts data from the browser without checking it independently.

🔵
Data Isolation — Private by Account
Every piece of data on the platform belongs to exactly one account. There is no shared exercise data, no cross-account visibility, and no bulk export API.
👤
Per-account data scoping
Exercises, participant responses, reports, and custom scenarios are all tagged with an owner_id tied to your account. Every database query for protected resources includes a mandatory owner filter — it is architecturally impossible for one account to read another account's data.
🔗
Participant access is exercise-scoped
Participants join exercises via a unique exercise link without creating an account. They can only see and respond to injects for the specific exercise they joined — they have no access to any other exercises, reports, or account data.
📋
Shared scenario library is read-only
The built-in scenario library is read-only and shared across all accounts. No account can modify, delete, or add to the shared library. Custom scenarios you create are private to your account only.

💳
Payments via Stripe
All payment processing is handled entirely by Stripe. We never see, handle, or store your card details.
PCI DSS Level 1
Stripe (highest certification)
SOC 2 Type II
Stripe
🔒
Card data never touches our servers
Payment is completed inside Stripe's hosted Checkout — your card number, CVC, and expiry are entered directly into Stripe's interface and processed on their infrastructure. Our servers only receive a Stripe Customer ID and subscription status once payment is confirmed.
🔔
Webhook signature verification
Stripe notifies our server of payment events via signed webhooks. Every incoming webhook is verified against a Stripe signing secret before any action is taken — preventing any spoofed payment confirmations.

🚫
What we don't do
A clear list of what we deliberately avoid when it comes to your data.
📧
We don't sell or share your data
Your exercise data, participant responses, and account details are never sold to third parties, shared with partners, or used for advertising purposes.
📊
We don't use your exercise content to train AI models
Your exercise scenarios, participant responses, and facilitator notes are your data. We do not use them to train machine learning models or any other AI systems.
🍪
We don't use third-party tracking or advertising cookies
The platform uses a single session cookie for authentication. There are no analytics trackers, advertising pixels, or third-party scripts loading on authenticated pages.