Security you can trust
UnderDraft is built with security as a core principle — not an afterthought. Here's exactly how we protect your data, your leagues, and your players.
Core principles
Security at every layer
Encryption
All data is encrypted in transit via TLS 1.3 and at rest using AES-256.
Access control
Row-level security ensures users only access data they are permitted to see.
Privacy first
We never sell your data. Player information is never shared with third parties.
Resilience
Automated backups, geographic redundancy, and uptime monitoring around the clock.
Infrastructure
Built on enterprise-grade foundations
We host on Supabase and Fly.io — platforms purpose-built for high availability, data integrity, and industry-standard compliance. We don't run our own database servers; we let the experts do it.
TLS 1.3 in transit
All traffic between your device and our servers is encrypted using modern TLS.
AES-256 at rest
Database storage is encrypted at rest using AES-256 across all environments.
Automated backups
Point-in-time recovery enabled. Daily backups retained for 30 days.
Geographic redundancy
Data replicated across multiple availability zones to prevent loss.
Uptime monitoring
24/7 automated health checks with alerting for any degradation.
Data protection
Your data stays yours
We never sell player data. League data is isolated per organisation using row-level security. You own your data and can export or delete it at any time.
Row-level security (RLS)
Database policies enforce that each query returns only the rows the authenticated user owns or has been granted access to.
No third-party data sales
We do not sell, rent, or monetise player or league data in any form.
Data portability
Export your league data at any time from the organiser dashboard.
Right to deletion
Account and associated data can be permanently deleted on request within 30 days.
Minimal data collection
We only collect what is necessary to run your league. Nothing more.
Authentication
Access control that means it
Role-based permissions enforced at the database level — not just in the UI. Even if a request bypasses the app, the data won't be returned.
Role-based permissions
Player, captain, organiser, and referee roles each have precisely scoped database permissions enforced at query time.
JWT authentication
Short-lived signed tokens are issued per session and validated server-side on every request.
OAuth providers
Sign in with Google or Apple — no password stored on our servers when using social sign-in.
Session management
Active sessions can be reviewed and revoked individually from your account settings.
League data isolation
Each league's data is isolated at the row level — organiser of League A cannot query League B's data.
Audit trail
Sensitive actions (roster changes, score edits) are logged with a timestamp and actor identity.
Responsible disclosure
Found a vulnerability?
We take security reports seriously. If you discover a potential security issue in UnderDraft, we ask that you report it to us privately so we can address it before it's disclosed publicly. We commit to responding within 72 hours and keeping you updated on our progress.
Report privately
Email security@underdraft.app with details of the issue.
We investigate
Our team responds within 72 hours and begins investigation.
Fix & credit
We patch the issue and credit you in our security changelog.
Report a security issue
Email our security team directly. Please include steps to reproduce, potential impact, and any proof-of-concept.
security@underdraft.appFAQ
Common security questions
Questions about our security practices?
Our team is happy to answer detailed questions for organisations evaluating UnderDraft.