Security & Trust
Last updated: May 2026
Our Commitment to Security
At RisingMVP, we take the security and privacy of youth athletes, parents, coaches, and organizations seriously. This page outlines how we protect your data and maintain trust across our platform.
Data Protection
Encryption
- All data is encrypted in transit using TLS 1.3 (HTTPS)
- Data at rest is encrypted using AES-256 encryption
- Database credentials and API keys are stored securely and never exposed to client applications
Infrastructure
- Hosted on Supabase, built on Amazon Web Services (AWS)
- Database servers located in the United States
- Supabase maintains SOC 2 Type II compliance
- Automatic backups with point-in-time recovery
Payment Security
- All payments are processed by Stripe, a PCI DSS Level 1 certified payment processor
- RisingMVP never stores, processes, or has access to full credit card numbers
- Stripe Connect is used for marketplace payments to coaches and organizations
- All financial transactions are encrypted end-to-end
Privacy & Minors
COPPA Compliance (Children's Online Privacy Protection Act)
- Athletes under 13 require verifiable parental consent before their profiles are created
- Parents have full control over their children's data, including the ability to view, edit, and delete profiles
- Athlete profiles are hidden from recruiters by default — parents must explicitly opt in to make profiles visible
- We do not knowingly collect personal information from children without parental consent
FERPA Awareness (Family Educational Rights and Privacy Act)
- For schools and educational institutions using our platform, we handle student-related data with care
- Enterprise agreements include data handling provisions aligned with FERPA requirements
- Student education records are only accessible to authorized personnel within the organization
- Schools retain ownership of their student data at all times
CCPA/CPRA Rights (California Consumer Privacy Act)
- California residents have the right to know what personal information we collect and how it is used
- You may request deletion of your personal information at any time
- You may opt out of the sale of personal information — RisingMVP does not sell personal data
- To exercise your rights, contact us at support@risingmvp.com
AI Usage & Transparency
- RisingMVP uses AI-powered image generation (Google Gemini) for creating athlete media templates
- AI-generated images are used solely for visual enhancement and are clearly distinguishable from uploaded photos
- We do not use your personal data, photos, or athlete information to train AI models
- AI features are optional and controlled by the user
Access Controls
Role-Based Security
- Four distinct user roles with separate permissions: Parent, Coach, Recruiter, and Enterprise
- Row-level security (RLS) enforced at the database level on all tables
- Parents can only see their own athletes and teammates
- Coaches can only access athletes on their assigned teams
- Recruiters can only view athletes whose parents have opted into visibility
- Enterprise administrators can only access data within their organization
Authentication
- Secure authentication via Supabase Auth with email/password and social login options
- Session tokens are encrypted and expire automatically
- Admin actions are logged with a complete audit trail
Third-Party Services
We use trusted third-party services to operate our platform. Each service is selected for its security standards:
| Service | Purpose | Compliance |
|---------|---------|------------|
| Supabase | Database & Authentication | SOC 2 Type II |
| Stripe | Payment Processing | PCI DSS Level 1 |
| Amazon Web Services | Cloud Infrastructure | SOC 2, ISO 27001 |
| Resend | Transactional Email | SOC 2 |
| OneSignal | Push Notifications | SOC 2 |
| Google Cloud (Gemini) | AI Image Generation | SOC 2, ISO 27001 |
Data Retention & Deletion
- User accounts can be deleted at any time through the app settings
- Upon account deletion, personal data is removed from our systems
- Some data may be retained as required by law (e.g., financial transaction records for tax compliance)
- Inactive accounts are not automatically deleted — we respect that users may return
Incident Response
- We monitor our systems for security incidents 24/7
- In the event of a data breach, affected users will be notified within 72 hours
- We maintain an incident response plan that includes containment, investigation, and remediation procedures
Reporting Security Issues
If you discover a security vulnerability or have concerns about data protection, please contact us immediately:
- Email: security@risingmvp.com
- Response time: We aim to acknowledge all reports within 24 hours
Questions?
For general privacy questions, contact us at support@risingmvp.com
For enterprise security reviews or compliance documentation requests, contact us at enterprise@risingmvp.com