Skip to main content

Athletify Security Overview

This document outlines Athletify’s comprehensive security framework, detailing how the platform safeguards customer data through secure cloud hosting, data encryption, strict access controls, and logical isolation.

Written by Team Athletify

Athletify Security Overview

Athletify is designed to protect customer data through secure cloud infrastructure, encrypted communications, controlled access, and application-level authorization.

Cloud Hosting And Physical Security

Athletify is hosted on Google Cloud Platform. Our application runs on Kubernetes, and production data is currently hosted in Google’s Iowa region using Google Cloud SQL.

Because Athletify runs on GCP, the underlying physical security of servers, storage, and data center facilities is managed by Google. Google’s data centers use layered physical protections, including controlled facility access, monitoring, and operational safeguards designed to prevent unauthorized physical access to infrastructure.


Encryption

Athletify encrypts data in transit and at rest.

All customer traffic to Athletify is protected with TLS, and we require TLS 1.2 or newer. Data stored in Google Cloud SQL is encrypted at rest using Google-managed encryption keys. Google Cloud also encrypts data across its managed infrastructure, helping ensure customer information remains protected throughout storage and transport.

Login And Access Protection

Athletify protects accounts and customer data with multiple layers of access control:

  • Users must authenticate before accessing protected application data.

  • Passwords are not stored in plaintext.

  • Login attempts are recorded, including success or failure and IP address, to support auditing and investigation.

  • Web sessions use signed, HTTP-only cookies with secure production settings.

  • API requests use signed authentication tokens.

  • Password resets require a valid reset token before a password can be changed.

  • Google OAuth login is supported for users who authenticate through Google.

  • Access to data is scoped by organization, so users only access data associated with the organizations and permissions assigned to them.

Authorization And Data Isolation

Athletify enforces authorization checks throughout the application. Users are associated with organizations and roles, and application requests are scoped to the user’s active organization. This helps prevent one customer’s users from accessing another customer’s data.

Backups And Recovery

Athletify uses managed database backups through Google Cloud SQL to support recovery from accidental data loss or infrastructure failures. Backup access is restricted to authorized operational personnel.

Monitoring And Auditability

Athletify records authentication events, including successful and failed login attempts, to support security monitoring, troubleshooting, and investigation. System logs are used to identify abnormal behavior and support operational response.

Least-Privilege Access

Access to production systems is limited to authorized Athletify personnel with a business need. Administrative access is restricted and reviewed as part of normal operational security practices.

Data Segregation

Customer data is logically separated by organization. Application queries and mutations are scoped to the authenticated user’s organization and permissions.

Please contact us at support@athletify.com if you have any questions.

Did this answer your question?