Security Policy

Last updated: 11/18/2025

At RaceLog, we take the security of your data seriously. This policy outlines our security practices and your role in keeping your account secure.

1. Our Security Commitment

We are committed to protecting your personal information and athletic data through industry-leading security practices. Our security program is designed to protect the confidentiality, integrity, and availability of your data.

2. Infrastructure Security

Cloud Security

  • AWS enterprise-grade infrastructure
  • SOC 2 Type II compliance
  • Multi-region data replication
  • Regular security audits

Data Protection

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Encrypted database backups
  • Secure key management

3. Authentication & Access Control

Authentication Security

  • Powered by Clerk, a leading authentication platform
  • Multi-factor authentication (MFA) support
  • Secure session management with automatic timeouts
  • Password strength requirements and breach monitoring
  • OAuth integration with trusted providers

Access Controls

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews and audits
  • Automated account lockout for suspicious activity

4. Application Security

Development Practices

  • Secure coding standards and practices
  • Regular dependency updates and vulnerability scanning
  • Automated security testing in CI/CD pipeline
  • Code reviews with security focus
  • OWASP Top 10 compliance

Runtime Security

  • Web Application Firewall (WAF) protection
  • DDoS protection and rate limiting
  • Real-time monitoring and alerting
  • Intrusion detection systems

5. Data Handling & Privacy

Data Minimization

We collect only the data necessary to provide our services and enhance your experience. Personal data is segregated and access is strictly controlled.

Data Retention

  • Clear data retention policies
  • Automatic deletion of expired data
  • Secure data disposal procedures
  • User-controlled data deletion

6. Monitoring & Incident Response

Continuous Monitoring

  • 24/7 security monitoring and alerting
  • Automated threat detection
  • Regular security assessments
  • Log analysis and retention

Incident Response

  • Dedicated incident response team
  • Documented response procedures
  • User notification protocols
  • Regular incident response drills

7. Your Security Responsibilities

Security is a shared responsibility. Your actions play a crucial role in keeping your account secure.

Account Security Best Practices

  • Use a strong, unique password for your account
  • Enable multi-factor authentication (MFA) when available
  • Keep your email account secure
  • Log out from shared or public devices
  • Review account activity regularly
  • Report suspicious activity immediately

What to Avoid

  • Don't share your account credentials
  • Don't access your account on untrusted networks
  • Don't click on suspicious links in emails
  • Don't use public computers for sensitive activities

8. Third-Party Security

We carefully vet all third-party services and ensure they meet our security standards:

  Service   Purpose          Security Features
  Clerk     Authentication   SOC 2, MFA, Session Management
  AWS       Infrastructure   SOC 2, ISO 27001, Encryption
  PostHog   Analytics        GDPR Compliant, Data Anonymization

9. Compliance & Certifications

  • General Data Protection Regulation (GDPR) compliance
  • California Consumer Privacy Act (CCPA) compliance
  • SOC 2 Type II compliance (through AWS)
  • Regular security assessments and penetration testing

10. Reporting Security Issues

Found a security vulnerability?

We take security reports seriously and appreciate your help in keeping RaceLog secure.

How to Report

  • Email us at security@racelog.app
  • Include detailed steps to reproduce the issue
  • Provide screenshots or proof-of-concept if applicable
  • Allow us reasonable time to investigate and respond

Security Contact: security@racelog.app
Response Time: We aim to respond within 24 hours
GPG Key: Available upon request

11. Security Updates

This Security Policy is reviewed and updated regularly to reflect our current security practices and address emerging threats. Significant changes will be communicated to users through our normal notification channels.