Security

Last updated: May 2026

This page summarises how ClubAxis protects data when we provide our platform to football and sports clubs. It is intended for club committees, safeguarding officers, and procurement. It does not replace our Privacy Policy or any agreement between your club and ClubAxis.

1. Roles and responsibilities

When a club uses ClubAxis, the club is typically the data controller for its members' and players' personal data. ClubAxis acts as a data processor on the club's instructions, providing hosting, software, and related services. Clubs remain responsible for their own lawful basis, member privacy notices, safeguarding processes, and parental consent where required.

For a list of third parties we use to deliver the service, see our Sub-processors page.

2. Encryption and transmission

  • In transit: Public access to the platform uses HTTPS (TLS 1.2 or higher). We use industry-standard TLS configuration and HTTP Strict Transport Security (HSTS) in production.
  • At rest: We apply technical measures to protect data stored on our systems, including provider-level encrypted storage for the production database and uploaded files where deployed, and encrypted off-site backups. No method of storage is completely risk-free; we work to reduce risk in line with the nature of the data and the service.
  • Passwords: User passwords are stored using one-way hashing (bcrypt), not in plain text.

3. Access control and tenant isolation

  • Authenticated access uses secure tokens; administrative and member roles are separated.
  • Each club's data is logically separated in the platform (multi-tenant architecture with per-club isolation in the application layer).
  • Club administrators can manage permissions for their own users; system-wide administration is restricted to ClubAxis operators.
  • Production database access is not exposed to the public internet; access is limited to application servers on private or loopback network paths.

4. Hosting and location

Production infrastructure is hosted with reputable cloud providers. We aim to keep primary processing in the United Kingdom or European Economic Area where practicable. Some optional integrations (for example social media posting) may involve transfers outside the UK/EEA when a club chooses to connect them; those providers' own terms and safeguards apply.

5. Backups and availability

We take regular backups of production data to support recovery from failure or corruption. Backup retention is aligned with our Privacy Policy (typically up to 35 days for backup rotation). Backups are subject to the same security standards as production systems, including encryption before off-site storage where configured.

We do not guarantee uninterrupted service, but we work to maintain availability and to restore service after incidents in a reasonable timeframe.

6. Organisational measures

  • Multi-factor authentication on administrative and cloud provider accounts where supported.
  • Firewall and network hardening on production servers; routine security checks documented internally.
  • Restricted SSH and database access to a small number of named operators.
  • Dependency and security patching on a planned schedule.
  • Audit logging for sensitive administrative actions where implemented.

7. Children's data and safeguarding content

The platform may process personal data relating to children and young people, including registration details and, where enabled, welfare or safeguarding complaints. We design the product with privacy and access controls in mind, including module-level permissions and restricted access to sensitive areas. Clubs must operate their own safeguarding policies and lawful bases for processing; ClubAxis provides tools only and does not make safeguarding decisions on a club's behalf.

8. Incident response

If we become aware of a personal data breach affecting our systems, we will investigate promptly, take steps to contain and remediate the incident, and notify affected clubs without undue delay where required by law, so they can meet their own obligations (including notification to the ICO or data subjects where applicable).

To report a security concern, contact privacy@clubaxis.co.uk with the subject line "Security" and as much detail as you can provide.

9. What we do not do

  • We do not sell personal data to third parties.
  • We do not use member data for third-party advertising.
  • We do not access club member data for marketing purposes; access is limited to support, security, and operation of the service.

10. Related documents

A formal Data Processing Agreement (DPA) is available to club customers on request or as part of onboarding. Contact legal@clubaxis.co.uk.