Last updated: 2026-05-30
Security at CoDi Tennis
This page summarises how CoDi Tennis protects the data you trust us with - yours, your kid’s, your coach’s. Detailed evidence (signed PCI attestation, policies, runbooks) is available on request to security@coaching.direct.
Operating entity
coaching.direct (operating as CoDi Tennis) is owned and operated by the company with ABN 66 674 590 839, registered in Australia.
The 30-second version
- Your card never touches us - Stripe handles payments end-to-end on their own infrastructure. We meet the lightest PCI certification tier (SAQ-A) and re-attest every year.
- Everything in transit is encrypted (HTTPS); everything we store is encrypted at the database level (AES-256, managed by Supabase).
- Admin accounts must use 2-factor authentication. All users can turn it on.
- Found a security bug? Email security@coaching.direct - we’ll acknowledge in 2 business days.
Payment-card data
CoDi Tennis is a PCI DSS SAQ-A merchant - the lightest of the nine PCI self-assessment types, available only to merchants who never store, process, or transmit cardholder data on their own systems.
We achieve SAQ-A scope by routing every card payment through Stripe-hosted Checkout + Stripe Elements. Your card number is typed into a Stripe-controlled iframe, encrypted in transit, and processed entirely on Stripe’s PCI-DSS-Level-1-validated infrastructure. CoDi Tennis receives a payment-method reference (e.g. pm_1AbCdE…) - not the card number.
- Last attested: 2026-05-27 (PCI DSS v4.0.1 SAQ-A, signed by the director of the operating entity, ABN 66 674 590 839).
- Next attestation: 2027-05-27 (annual cadence).
- Acquirer: Stripe Payments Australia Pty Ltd (ABN 30 600 250 121). Stripe’s PCI AOC at stripe.com/docs/security/stripe.
Data encryption
- In transit: all traffic to and from
coaching.directuses TLS 1.2 or higher (enforced by Vercel + Supabase + Stripe). HTTP-to-HTTPS redirect is automatic at the edge. - At rest: database storage (Supabase) and file storage (Supabase Storage) are encrypted with AES-256 at the provider level. Stripe encrypts everything they hold using their own key management. We do not roll our own encryption - we delegate to providers with audited key management.
Authentication
- Email + password for all users; password hashing managed by Supabase Auth (bcrypt with per-user salt).
- Two-factor authentication (TOTP) available to every user via
/profileand required for administrator accounts. - Provider-level MFA enforcement on every production console (Stripe Dashboard, Supabase Dashboard, Vercel, GitHub).
- Service-account credentials (Supabase service-role, Stripe secret key, Resend API key) live only in Vercel-encrypted env vars + the trustee’s password manager. Never in source code.
Access control
Database tables use Postgres Row-Level Security (RLS) with policies that gate every read and write by the authenticated user’s id and role. The schema has 70+ RLS policies covering every table that holds personal data. RLS is the primary defence against cross-tenant data leakage; the application layer adds defence in depth.
Incident response
We maintain a documented incident response plan covering: detect → contain → assess → notify → remediate → post-mortem. The plan addresses both the Australian Notifiable Data Breach scheme (Privacy Act 1988 Part IIIC) and PCI DSS Requirement 12.10. Report a suspected incident to security@coaching.direct or follow the disclosure policy at /.well-known/security.txt.
Subprocessors
The full list of third-party services that process CoDi Tennis data - including role, data categories, hosting location, and contractual safeguard - is published at /legal/subprocessors. Material changes get 30 days’ advance notice.
Vulnerability disclosure
We welcome security research. If you find something, email security@coaching.direct with steps to reproduce. We aim to acknowledge within 2 business days and to triage within 7. We don’t currently operate a paid bug-bounty programme but will publicly credit researchers (where they consent) on this page.
Compliance + governance roadmap
We hold the following compliance documents internally, refreshed on the cadences below:
- PCI DSS SAQ-A - annual self-attestation (current: 2026-05-27; next due 2027-05-27).
- Information Security Policy - annual review.
- Incident Response Plan - annual review + annual tabletop test.
- Service Provider List - quarterly review.
- Privacy Policy - at /legal/privacy; reviewed on every material change.
- DMCA + copyright takedown policy - at /legal/dmca; designated agent registered with the US Copyright Office.
Requesting evidence
Procurement teams, partners, and customers can request copies of the underlying signed documents (SAQ-A, InfoSec policy, IR plan, service-provider list) by emailing security@coaching.direct from a verified business address. We typically respond within 3 business days under a mutual non-disclosure agreement for the signed PCI attestation.
Questions
Email security@coaching.direct for security-specific questions. Privacy questions go to privacy@coaching.direct.