LeagueIntel

Data Security

Last Updated: April 15, 2026

At LeagueIntel, protecting your data is foundational to how we build and operate the platform. This page describes the security measures we employ. If you have questions or want to report a vulnerability, contact support@leagueintel.app.


Encryption

In Transit

All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and send an HSTS (HTTP Strict Transport Security) header with a max-age of two years (63072000 seconds) that also covers subdomains, so a browser that has seen the header once will refuse to connect to us over plain HTTP.

At Rest

All databases and file storage are encrypted at rest using AES-256 encryption. Database backups are also encrypted. Encryption keys are managed through our cloud provider’s key management service (KMS) and rotated regularly.

SMS Messages

SMS content is transmitted through Twilio’s infrastructure, which encrypts messages in transit and at rest. Note that this covers the path between our servers and Twilio; SMS as delivered over carrier networks is not end-to-end encrypted, so we treat message content, including one-time codes, as sensitive data. We retain SMS content for 90 days for delivery confirmation, then permanently delete it.


Authentication and Access Control

  • Password hashing: Passwords are hashed with bcrypt at a minimum cost factor of 12 (2^12 key-expansion rounds). We never store plaintext passwords.
  • Phone-based authentication: Our primary sign-in flow uses SMS-based one-time passwords (OTP), so players have no long-lived password that could be reused across sites or phished.
  • Session management: Short-lived JWT access tokens (15 minutes) are paired with longer-lived refresh tokens (30 days). Refresh tokens are rotated on each use, so a presented refresh token is valid only once.
  • Role-based access control: Role-based permissions (captain, co-captain, player) are enforced at both the API and database layers. Players cannot access data outside their own teams.
  • Rate limiting: Login attempts, OTP requests, and API calls are rate-limited to defeat brute-force guessing of passwords and OTP codes and to limit abuse of the SMS sending path.

Infrastructure

  • Cloud hosting: Hosted with a cloud provider that holds a SOC 2 Type II attestation for its infrastructure.
  • Network isolation: Database servers sit in private subnets with no direct internet access; application servers reach them only over internal VPC networking.
  • Automated patching: Operating systems and dependencies are patched regularly. Critical security patches are applied within 24 hours of disclosure.
  • Monitoring: 24/7 infrastructure monitoring with alerting for anomalous activity, failed login attempts, and API errors.
  • Backups: Automated daily database backups with point-in-time recovery. Backups are encrypted and stored in a separate geographic region.

Application Security

  • Input validation: All user input is validated and sanitized server-side, and database access goes through parameterized queries (via Prisma ORM) so that untrusted input is never interpolated into SQL syntax.
  • Content Security Policy: A strict CSP header restricts where scripts may load from, which limits the impact of cross-site scripting (XSS).
  • CSRF protection: Cross-site request forgery protection on all state-changing operations.
  • Dependency scanning: Automated vulnerability scanning of all npm and system dependencies in our CI/CD pipeline.
  • Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers are set on all responses.
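The HSTS policy in the Encryption section and the header list above are simple to state but easy to misdeploy, so here is an added example of the check a practitioner would run against a live response. It is not LeagueIntel's code: the two-year HSTS threshold with includeSubDomains and the list of expected headers come from this page, while the CSP rules (no 'unsafe-inline' in script-src without a nonce or hash, no wildcard or data: sources) and the clickjacking rule are this example's assumptions about what "strict" should mean. The two header maps are constructed samples, not captured from leagueintel.app.

```javascript
// Added example (not LeagueIntel's code): audit a response's security headers
// against the policy stated on this page. The HSTS threshold and the header
// list are the page's; the CSP and clickjacking rules are this example's.
const TWO_YEARS_SEC = 2 * 365 * 24 * 60 * 60; // 63072000

// Parse a Strict-Transport-Security value such as
// "max-age=63072000; includeSubDomains; preload".
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of String(value || '').split(';')) {
    const d = part.trim().toLowerCase();
    if (d.startsWith('max-age=')) {
      const n = Number(d.slice('max-age='.length).replace(/"/g, ''));
      out.maxAge = Number.isInteger(n) && n >= 0 ? n : null;
    } else if (d === 'includesubdomains') out.includeSubDomains = true;
    else if (d === 'preload') out.preload = true;
  }
  return out;
}

// Split a Content-Security-Policy into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of String(value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Return a list of findings; an empty list means the response matches the policy.
function auditHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);
  const findings = [];

  const hsts = parseHsts(h['strict-transport-security']);
  if (hsts.maxAge === null) findings.push('HSTS missing or unparsable');
  else if (hsts.maxAge < TWO_YEARS_SEC) findings.push(`HSTS max-age ${hsts.maxAge} is below ${TWO_YEARS_SEC}`);
  if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains');

  const csp = parseCsp(h['content-security-policy']);
  if (Object.keys(csp).length === 0) findings.push('CSP missing');
  else {
    const script = csp['script-src'] || csp['default-src'] || [];
    const hasNonceOrHash = script.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
    // Browsers ignore 'unsafe-inline' when a nonce or hash is also present.
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
    if (script.includes('*') || script.includes('data:')) findings.push('script-src allows * or data: sources');
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !csp['frame-ancestors']) findings.push('no clickjacking defence (X-Frame-Options or frame-ancestors)');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (!h['referrer-policy']) findings.push('Referrer-Policy missing');
  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');
  return findings;
}

// Constructed sample responses (not captured from any real host).
const GOOD_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Referrer-Policy': 'no-referrer',
};
```

Run it against a captured response (for example the header map from a `fetch` in Node) rather than the constructed samples; a non-empty findings list on a production endpoint means the deployment has drifted from this policy.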

Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Credit card numbers are never transmitted to or stored on our servers. We only receive and store tokenized payment references, last four digits, and card type for display purposes.


Incident Response

We maintain a security incident response plan that includes:

  • Documented escalation procedures and response team contacts.
  • Containment and investigation protocols.
  • Notification of affected users within 72 hours of discovering a confirmed breach, or sooner as required by applicable law (including California’s data breach notification law, Cal. Civ. Code § 1798.82).
  • Post-incident review and remediation.

Employee Access

  • Access to production data is restricted to authorized personnel on a need-to-know basis.
  • All production access is logged and audited.
  • Employees with production access undergo background checks.
  • Access is revoked immediately upon employee departure.

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly to support@leagueintel.app with “Security Vulnerability” in the subject line. We ask that you give us reasonable time to investigate and remediate before public disclosure. We do not pursue legal action against good-faith security researchers.


Compliance

Our security practices are designed to comply with the California Consumer Privacy Act (CCPA/CPRA)’s requirement for “reasonable security procedures and practices” (Cal. Civ. Code § 1798.150). We regularly review and update our security measures against evolving threats and industry best practices.

LeagueIntel

The intelligence layer for recreational tennis and pickleball league management.

© 2026 LeagueIntel, Inc.
San Diego, CA
