Security

Security is foundational to how Game ON is built and operated. Our platform handles personal profiles, session data, location information, video highlights, and payment details — and we take seriously our obligation to protect all of it.

This page describes our technical and organizational security controls. We update it as our security posture evolves.

Game ON is hosted on Vercel, a globally distributed edge platform with data centers across North America, Europe, and Asia-Pacific. Our primary database and authentication services run on Supabase, which is built on AWS infrastructure.

Key infrastructure controls include:

• All compute and storage runs within logically isolated environments
• Network-level firewalls restrict inbound and outbound traffic to necessary ports and services only
• Production environments are separated from development and staging environments
• Infrastructure is deployed via automated CI/CD pipelines with code review requirements on all changes
• Automatic DDoS mitigation and edge-level rate limiting via Vercel's global network
• Database instances are never directly exposed to the public internet — all access routes through authenticated API layers

User Authentication

• Passwords are never stored in plaintext — they are hashed using bcrypt with a per-user salt via Supabase Auth
• Session tokens are short-lived JWTs with automatic refresh; tokens are invalidated on logout
• OAuth 2.0 is supported for third-party sign-in (Google, Apple) — Game ON never receives your OAuth provider password
• Email verification is required for all new accounts
• Password reset flows use time-limited, single-use tokens delivered to verified email addresses

Internal Access Controls

• All Game ON team members access production systems through role-based access control (RBAC) — least-privilege by default
• Administrative access requires multi-factor authentication (MFA)
• Access to production databases is restricted to named individuals with a documented business need
• All privileged access is logged and retained for audit purposes
• Employee access is reviewed quarterly and revoked immediately upon offboarding

Row-Level Security (RLS)

Game ON's database enforces row-level security policies at the database layer via Supabase RLS. This means that even if an API endpoint were misconfigured, the database itself enforces that users can only read and write data they are authorized to access.

Our engineering practices are designed to prevent common vulnerabilities:

Game ON uses Stripe for all payment processing. Stripe is a PCI DSS Level 1 certified payment processor — the highest level of certification available in the payments industry.

Game ON never stores, processes, or transmits raw payment card data. When you enter payment information:

• Your card details are collected directly by Stripe's secure elements (rendered in an isolated iframe from Stripe's domain)
• Game ON only receives a tokenized reference (a Stripe payment method ID) — never the actual card number, CVV, or expiry
• This architecture means Game ON is out of scope for PCI DSS cardholder data environment requirements

Video highlights and uploaded media are processed and delivered through Mux, a professional video infrastructure provider.

• Video assets are stored in Mux's secure cloud infrastructure with access controlled at the asset level
• Private session highlights are accessible only to authorized users via signed, time-limited playback URLs
• Public highlights are served via Mux's CDN with access policies enforced at the origin
• Uploaded files are scanned and validated before processing — malformed or suspicious files are rejected
• Profile photos and other user-uploaded images are stored in Supabase Storage with per-user access controls

Continuous Monitoring

• Application errors and anomalies are monitored in real time
• Unusual access patterns, failed login spikes, and API abuse are automatically flagged
• Database query patterns are monitored for signs of injection attempts or unauthorized data access
• Uptime and availability are tracked with automated alerting on degradation

Incident Response

Game ON maintains a written incident response plan that includes:

• Clear roles and escalation paths for the on-call team
• Defined severity levels with target response times (critical incidents: < 1 hour)
• Procedures for containment, eradication, and recovery
• Post-incident review process to prevent recurrence
• User notification procedures within 72 hours for confirmed breaches affecting personal data

Game ON evaluates all third-party vendors that handle user data against security and compliance criteria before engagement. We maintain Data Processing Agreements (DPAs) with all vendors who process personal data on our behalf.

Our primary vendors and their relevant certifications:

Game ON's security program is aligned with the following frameworks and regulations:

• CCPA (California Consumer Privacy Act): We honor opt-out rights, deletion requests, and data access rights for California residents.
• COPPA (Children's Online Privacy Protection Act): Where minors use the platform with parental consent, we apply heightened data protections.
• GDPR (General Data Protection Regulation): For users in the European Economic Area, we comply with GDPR data subject rights including access, erasure, portability, and objection.
• US State Breach Notification Laws: We maintain notification procedures compliant with applicable state breach notification requirements.

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in Game ON, please report it to us privately before disclosing it publicly.

Please do not access, modify, or delete other users' data while investigating a vulnerability. Test only on accounts you own.