Security

Athlete Foundry
Security Statement

Version 1.2

Last revised on: 1 January 2023



Because Athlete Foundry is a hosted Software-as-a-Service product, we recognize that the number one item to fundamentally “get right” in order to build and maintain customer confidence is protecting customer data with the best possible technology, disciplined company processes, and smart authentication strategies.




ATHLETE FOUNDRY DOES NOT STORE CREDIT CARD INFORMATION

Our system integrates with BrainTree, which is a PCI-compliant payment processor. When a customer enters credit card information, the request is made directly from the browser to BrainTree over SSL, so card details never pass through Athlete Foundry servers.




ACCESS TO ALL ATHLETE FOUNDRY SERVERS IS SECURE

  • Firewalls on all servers are set to default-deny.

  • Database connections are only accepted from other Athlete Foundry servers on the internal private subnet.

  • All communication with servers (outside of public HTTP/HTTPS access) is over encrypted secure shell (SSH). SSH password authentication is disabled; only public/private key authentication is accepted.

  • All of Athlete Foundry’s servers are hosted on Amazon Web Services (AWS).



ATHLETE FOUNDRY SERVERS AND SOFTWARE ARE RUNNING THE LATEST VERSIONS OF SOFTWARE AND SECURITY PATCHES

We strive to keep all server software on the latest version; where that is not possible, we ensure that the latest security patches are installed and kept up to date.




ATHLETE FOUNDRY IS WRITTEN TO PROTECT AGAINST SQL INJECTION ATTACKS

Athlete Foundry is built with protections that sanitize query parameters in SQL statements. All development at Athlete Foundry follows the Open Web Application Security Project (OWASP) guidance and the Cloud Security Alliance (CSA) best practices.




DATA IS STORED SECURELY

Data is hosted through Amazon Web Services (AWS) with encryption enabled.




ACCESS TO ATHLETE FOUNDRY IS SECURE

While multifactor authentication (MFA) is currently not required for all user access to the platform, all access to Athlete Foundry is over a secure connection and requires login credentials.




ACCESS IS LOGGED

All user access is logged, monitored, and maintained.




EMPLOYEE SECURITY

All employees are required to sign a confidentiality agreement, and administrative access is limited to the individuals who need it, as approved by the CEO. Each employee is given a separate login to the system, and all access is logged, monitored, and maintained.




MINORS

Our platform is intentionally designed with safety in mind. We consider the Parent the “account holder.” With the exception of the student athlete chat and journal features, the Parent has full platform access and has sole approval authority for all student athlete “connection” requests and collegiate coach “follow” requests. While the Parent and student athlete are notified simultaneously of such “connection” and “follow” requests, the Parent is the only person who can approve them.


For parent and student athlete accounts, only one of an email address or a contact number is required for account creation, but we recommend providing both. If you provide both, your email will be used as your account ID for login purposes and will be the only method used for regular communications by Athlete Foundry. We use your contact number strictly to aid in account verification during onboarding, and we will also use it for 2-factor authentication in the future. For your student athlete accounts, by providing an email and/or contact number, you (the parent) consent to Athlete Foundry using this information only for the above purposes. We fully comply with the U.S. Congressionally enacted Children’s Online Privacy Protection Act (COPPA) of 1998, as amended in 2012. We will never share any of your contact information, nor will we ever call a student athlete, period.


Information about why we do this and how we apply the U.S. Congressionally enacted Children’s Online Privacy Protection Act (COPPA) of 1998, as amended in 2012, is outlined in our privacy policy at: https://www.athletefoundry.com/privacy




CONTACT WITH COLLEGIATE COACHES

Athlete Foundry is not an agent, scout, or recruiter; as such, we do not independently contact collegiate coaches, institutions, or teams about individual Athlete Foundry customers. We permit our customers to share their data directly with the public at large. In addition, we permit our customers to share additional in-depth data directly with collegiate coaches who have been approved by the parent to “follow” a student athlete. No active 2-way communication by any collegiate coach through the platform is permitted at this time, in order to maintain a strict compliance posture. Details can be found in our athletic governance compliance statement at: https://www.athletefoundry.com/athleticgovernance




BACKUP POLICY

Athlete Foundry performs regular (weekly) backups of the entire system. Backups are encrypted and stored offsite.




PII AND COOKIES

Information about what we collect is outlined in our privacy policy at: https://www.athletefoundry.com/privacy

Cookies are required for normal operation of Athlete Foundry; however, no PII is stored in any of the cookies that Athlete Foundry uses.




CHANGES

We may update this policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal, or regulatory reasons.




CONTACT US

For more information about our security practices, if you have questions, or if you would like to make a complaint, please contact us by email at contact@athletefoundry.com.





As the Chief Executive Officer, I am duty bound to lead with high moral, ethical, and governance standards. While I hold my team accountable for their actions, ultimate corporate accountability rests with me. I review and approve all public and customer-facing commitments, including this Security Statement.



KC Chhipwadia

CEO & Founder