Built to be trusted.
We treat security as a product surface, not a checklist. Below are the controls in place today; we publish quarterly trust reports listing what changed.
Controls.
Identity + access
NextAuth-issued sessions, RS256-signed JWTs, RBAC across 13 roles. 2FA is available to every account and required for staff and white-label tenants.
Data at rest + in transit
TLS 1.3 enforced in transit. Postgres and Mongo encrypted at rest. Backups are encrypted with separate keys and test-restored quarterly to verify they are recoverable.
Payments
Card data is tokenised by Stripe / Paystack / Flutterwave — it is never stored on Sportsplex. Idempotency keys are sent with every charge, so a retried request cannot bill twice.
Operational
Audit log entry on every state change. Soft-deletes to support GDPR retention and erasure handling. Quarterly penetration tests. Private bug bounty programme on HackerOne.
Compliance.
- GDPR + UK GDPR — controller obligations met; SCCs in place for sub-processor transfers.
- SOC 2 Type I — readiness audit passed Q2 2026; Type II certification in progress, target Q4 2026.
- PCI DSS — out of scope (we tokenise via processors).
- NDPR (Nigeria) — registered data controller; annual audit complete.
Responsible disclosure.
Found something? Email security@sportsplex.app with reproduction steps. Our PGP key is published in security.txt. We acknowledge reports within 24 hours, fix critical issues within 7 days, and credit researchers who want it.
Bounty range: $100 – $10,000 depending on severity, paid via Stripe or Paystack.
Need our compliance pack?
SIG-Lite, SOC 2 attestation and DPA are available under NDA for enterprise prospects.