Security & Privacy

Security & Privacy at ClubOS

At ClubOS, security isn't a badge — it's a responsibility. We're a Canadian-built platform designed to protect club autonomy, member data, and financial transparency.

Below is a clear explanation of how we secure and handle information.

  • TLS 1.2+: Encryption in Transit
  • SOC 2: Aligned Controls
  • PCI DSS: Stripe Payments
  • PIPEDA: Privacy Aligned

🇨🇦 Privacy by Design

PIPEDA-Aligned Privacy

ClubOS is designed to align with the principles of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). We follow core privacy principles to protect every club and member.

  • We collect only what is necessary
  • We clearly state why we collect data
  • Clubs own their data
  • Members can access, correct, or delete their information
  • Data is not sold or shared for advertising

Privacy Officer

Reach out anytime

privacy@clubos.ca

Questions about how we handle your data? Our Privacy Officer is here to help.

🛡 Security Framework

Security Standards & Posture

While ClubOS is not yet SOC 2 certified, we operate using SOC 2-aligned controls and industry security best practices.

SOC 2 Readiness Review

Controls aligned with SOC 2 Trust Service Criteria (Security & Confidentiality).

OWASP Top 10 Mitigation

Designed to mitigate the most critical web application security risks.

CIS Benchmark Configuration

Cloud infrastructure configured according to Center for Internet Security recommendations.

Independent Architecture Review

Security architecture reviewed by independent professionals.

We are actively working toward formal third-party security certification as we scale.

🔒 How We Secure Data

Multi-Layer Protection

From encryption to access control, every layer of ClubOS is engineered to keep your data safe.

01 Encryption

  • All data in transit encrypted using HTTPS (TLS 1.2+)
  • Sensitive data at rest encrypted at the database level
  • Access credentials are hashed and never stored in plain text

02 Role-Based Access Control

Access inside ClubOS is strictly permission-based. Clubs control:

  • Who can view financial summaries
  • Who can manage members
  • Who can access executive-only information

Staff access: ClubOS staff do not have routine access to club data. Administrative access is restricted and logged.

03 Payment Security

ClubOS does not store or process credit card or banking information. All payments are handled securely by Stripe, a PCI DSS-compliant payment processor. ClubOS records only:

  • Transaction IDs
  • Payment Status
  • Summary Totals

We never see card numbers or banking credentials.

04 Data Ownership

Clubs retain full ownership of their data. At any time, clubs can:

  • Export their data
  • Delete their club account
  • Request complete data removal

We do not retain deleted club data beyond operational requirements.

05 Data Residency

  • Infrastructure hosted with reputable cloud providers with strong security controls
  • Primary data processing follows Canadian privacy principles
  • Transparent about hosting regions upon request

🚨 Incident Response

Prepared for the Unexpected

In the unlikely event of a security incident, we follow a structured response protocol:

  1. Containment: Immediate containment and investigation
  2. Review: Internal review and remediation
  3. Notification: Notification to affected clubs within 72 hours (if required)
  4. Follow-up: Transparent follow-up and corrective action

Logging & Monitoring

We maintain an internal incident response protocol and comprehensive logging system. All administrative actions are audited to ensure accountability and rapid response.

πŸ” Independent Oversight

Verified & Reviewed

ClubOS has completed multiple independent reviews to ensure our security posture meets industry standards.

  • SOC 2 readiness alignment review
  • Independent security architecture review
  • Cloud configuration hardening (CIS)
  • OWASP Top 10 risk mitigation

We plan to pursue formal third-party certification as we grow.

📬 Responsible Disclosure

Found a Security Issue?

We welcome responsible disclosure and will investigate all reports promptly. If you discover a security issue, please contact us.

security@clubos.ca

🧾 Transparency Commitment

Trust Earned Through Clarity

We believe trust is earned through clarity, not just promised.

  • We do not sell data
  • We do not monetize member information
  • We do not share club data with third parties for advertising
  • We do not access club messages without authorization or legal requirement

ClubOS exists to support clubs — not exploit them.

Our Commitment

Security Is a Continuous Process

We're constantly improving our security posture and evolving our practices as the threat landscape changes.

Regular Audits

We conduct regular internal security reviews and pursue independent third-party assessments.

Continuous Monitoring

Our systems are monitored around the clock for unusual activity and potential threats.

Security-First Culture

Security awareness is embedded in our engineering practices and organizational culture.

Questions About Security?

We're happy to answer questions about our security practices, data handling, or anything else. Your trust matters to us.