Security

Built for clubs that handle real money and real member data.

SyncReserve runs reservations, payments, memberships, and member messaging. Security is part of how the platform is built and operated — not an afterthought.

Compliance posture

The frameworks behind the platform.

These attestations are inherited from the infrastructure, database, and payment providers SyncReserve runs on. Hand this list to your IT team or insurer.

  • SOC 2 Type II

    Security and availability controls inherited from the infrastructure and database tiers.

  • ISO 27001

    Information security management certification on the hosting platform.

  • PCI DSS v4.0

    Payment infrastructure compliance, with card data scoped to Stripe.

  • HIPAA

    Available for clubs that need a BAA with health-adjacent data.

  • GDPR

    Export and deletion flows, EU data protection alignment.

How we operate

Controls clubs can actually defend.

Seven layers of defense — from edge to database to payouts — running on infrastructure that meets the bar your insurer and IT team expect.

  • Infrastructure & hosting

    • Hosted on enterprise cloud infrastructure with SOC 2 Type II, ISO 27001, PCI DSS v4.0, and HIPAA attestations.
    • Underlying infrastructure runs on AWS, which holds SOC 2 Type II, ISO 9001, GDPR, HIPAA, and FedRAMP certifications.
    • Global edge network with automatic TLS and HTTPS-only delivery.
    • L3/L4 DDoS mitigation included by default at every edge location.
    • Web Application Firewall with managed rulesets covering the OWASP Top 10.
    • Bot detection and abuse protection at the edge.
  • Data protection

    • All customer data — databases, file storage, search indexes — encrypted at rest with 256-bit AES.
    • Data encrypted in transit with TLS for external traffic and TLS/SSH for internal traffic.
    • Each tenant database is isolated with unique, randomly generated credentials.
    • Automated platform backups on a 2-hour interval with 30-day retention.
    • Secrets stored in encrypted environment configuration, never committed to source.
  • Payments

    • All card data is processed and stored by Stripe, a PCI DSS Level 1 Service Provider.
    • SyncReserve never sees raw card numbers, CVCs, or full bank credentials.
    • Stripe webhook payloads are signature-verified before being trusted.
    • Refunds, disputes, and payout reconciliation are logged with an audit trail.
  • Application security

    • JWT-based authentication for admins, OTP-based authentication for guests.
    • Per-route rate limiting on sign-in, OTP, booking, and message-send endpoints.
    • Schema-based input validation on every server entrypoint.
    • Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers in production.
    • Twilio messaging gated by opt-in state, quiet hours, and per-tenant E2E test guards to prevent accidental sends.
  • Access control

    • Four-tier admin RBAC — Owner, Manager, Staff, Coach — each scoped to a single tenant.
    • Cross-tenant access is impossible by construction: tenant ID is enforced server-side on every read and write.
    • Database access goes through scoped server functions only — no direct database connections exposed to clients or third parties.
    • Multi-factor authentication required for all internal platform access.
    • Sensitive admin actions are logged with actor, timestamp, and target.
    • Stripe Connect accounts are per-tenant; payouts cannot be redirected across clubs.
  • Vulnerability management

    • Continuous automated vulnerability scanning and intrusion detection on platform infrastructure.
    • Third-party penetration tests conducted at least annually.
    • Daily code review and static analysis on the application stack.
    • Dependency scanning on every change.
  • Privacy & member data

    • GDPR-aligned data export and deletion flows for guest accounts.
    • Member messaging respects opt-in, opt-out, and quiet-hour rules.
    • No selling of member data.
    • Sub-processors limited to infrastructure, payments, and messaging providers required to run the product.
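The Payments section above states that Stripe webhook payloads are signature-verified before they are trusted. The following is an added example, not SyncReserve's code, showing what that check consists of: Stripe signs the string `<timestamp>.<raw body>` with the endpoint secret using HMAC-SHA256 and sends the result in a `Stripe-Signature` header of the form `t=<timestamp>,v1=<hex digest>`. The receiver recomputes the digest over the raw bytes it received, compares in constant time, and rejects stale timestamps so a captured payload cannot be replayed later. The endpoint secret, payload and timestamp here are constructed for the example; in production the same check is done for you by the official SDK (`stripe.Webhook.construct_event`), which also applies a five-minute tolerance.

```python
import hashlib
import hmac
import time

# Constructed for this example; a real endpoint secret comes from the Stripe dashboard.
ENDPOINT_SECRET = "whsec_example_constructed_secret"
# Reject signatures whose timestamp is more than five minutes away from "now" (replay defence).
TOLERANCE_SECONDS = 300


def sign_payload(secret: str, payload: bytes, timestamp: int) -> str:
    """Build a Stripe-style header value: t=<ts>,v1=<hex HMAC-SHA256>.

    The signed string is "<timestamp>." followed by the raw request body.
    Only Stripe does this in reality; it is here so the example is self-contained.
    """
    signed = f"{timestamp}.".encode() + payload
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_signature_header(header: str) -> tuple[int, list[str]]:
    """Split 't=...,v1=...,v1=...' into (timestamp, [signatures]).

    More than one v1 entry is possible while an endpoint secret is being rotated.
    """
    timestamp = None
    signatures: list[str] = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed signature header")
    return timestamp, signatures


def verify_webhook(secret: str, payload: bytes, header: str, now: int | None = None) -> bool:
    """Return True only if the header proves the raw payload came from the secret holder recently.

    `payload` must be the raw bytes as received, not a re-serialised JSON object:
    any whitespace or key-order change would invalidate the signature.
    """
    now = int(time.time()) if now is None else now
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or far-future timestamp: treat as replay
    expected = hmac.new(secret.encode(), f"{timestamp}.".encode() + payload,
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the first mismatching byte is via timing.
    return any(hmac.compare_digest(expected, sig) for sig in signatures)


if __name__ == "__main__":
    body = b'{"id":"evt_constructed","type":"payment_intent.succeeded"}'
    ts = int(time.time())
    header = sign_payload(ENDPOINT_SECRET, body, ts)
    print("genuine:", verify_webhook(ENDPOINT_SECRET, body, header))
    print("tampered:", verify_webhook(ENDPOINT_SECRET, body.replace(b"succeeded", b"failed"), header))
```

The order of operations matters: verify first, then parse the JSON and act on it. A handler that parses the body before checking the signature has already spent CPU on attacker-controlled input and may surface parser errors that differ from the signature-failure path.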
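The Access control section above makes three claims that a reviewer will want to see in code rather than on a slide: four admin roles scoped to one tenant, tenant ID enforced server-side on every read and write, and sensitive actions logged with actor, timestamp and target. The following added example (not SyncReserve's code; the permission table, the in-memory store and the two bookings are constructed for illustration) shows the pattern that makes those claims hold by construction. The tenant ID is read only from the server-held session, a row belonging to another tenant is reported as "not found" exactly like a missing row, and the role check runs before any data is touched.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Role names come from the page; the permission sets are a constructed example.
PERMISSIONS = {
    "Owner":   {"booking:read", "booking:write", "payout:read", "member:delete"},
    "Manager": {"booking:read", "booking:write", "payout:read"},
    "Staff":   {"booking:read", "booking:write"},
    "Coach":   {"booking:read"},
}


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after authentication.

    tenant_id lives here, never in a query parameter or request body.
    """
    user_id: str
    tenant_id: str
    role: str


@dataclass
class Booking:
    booking_id: str
    tenant_id: str
    member: str
    cancelled: bool = False


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed in-memory store standing in for the per-tenant database.
BOOKINGS = {
    "b1": Booking("b1", "club-a", "alice"),
    "b2": Booking("b2", "club-b", "bob"),
}
AUDIT_LOG: list[dict] = []


def _require(session: Session, permission: str) -> None:
    """Role check first, before any row is loaded."""
    if permission not in PERMISSIONS.get(session.role, set()):
        raise Forbidden(f"{session.role} lacks {permission}")


def _load_scoped(session: Session, booking_id: str) -> Booking:
    """Every read goes through here, so the tenant filter cannot be forgotten.

    A row from another tenant produces the same NotFound as a missing row, so a
    caller cannot tell whether an ID exists elsewhere.
    """
    row = BOOKINGS.get(booking_id)
    if row is None or row.tenant_id != session.tenant_id:
        raise NotFound(booking_id)
    return row


def get_booking(session: Session, booking_id: str) -> Booking:
    _require(session, "booking:read")
    return _load_scoped(session, booking_id)


def cancel_booking(session: Session, booking_id: str) -> Booking:
    """A sensitive write: permission, tenant scope, then an audit record."""
    _require(session, "booking:write")
    row = _load_scoped(session, booking_id)
    row.cancelled = True
    AUDIT_LOG.append({
        "action": "booking.cancel",
        "actor": session.user_id,
        "tenant": session.tenant_id,
        "target": booking_id,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return row


if __name__ == "__main__":
    staff_a = Session("u-staff", "club-a", "Staff")
    print(get_booking(staff_a, "b1").member)      # alice
    try:
        get_booking(staff_a, "b2")                 # other tenant: looks like a missing row
    except NotFound as exc:
        print("not found:", exc)
```

The point of routing every query through one scoped loader is that tenant isolation stops depending on each handler remembering a `WHERE tenant_id = ?` clause; a code reviewer only has to check that no handler reaches the store any other way.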

Responsible disclosure

Found a vulnerability? Tell us.

Reach out through the contact page and flag your message as a security report. We respond within two business days for in-scope reports and credit researchers who follow coordinated disclosure.

No public bug bounty program yet — but in-scope reports are taken seriously and handled by the team that builds the platform.

Security review?

Walk through it with the team building it.

Architecture, sub-processors, data processing terms, incident process — happy to cover all of it with your IT, security, or compliance lead before you commit.

  • Direct conversation with the engineers who own the platform
  • Honest answers on what is built in vs. inherited
  • Sub-processor list available on request