Apex Track handles performance metrics and, in many clubs, injury and medical notes. We take that responsibility seriously. This page explains our approach in plain language. It is not a contractual SLA unless separately agreed in writing.
Club data isolation
Apex Track uses a shared PostgreSQL database with Row Level Security (RLS) policies tied to each user's club (team_id). Every query from the application is scoped so staff only see athletes, injuries, and records belonging to their organisation — unless they hold a platform superadmin role.
This is logical isolation enforced at the database layer, not separate physical databases per club. It is a proven pattern on Supabase/PostgreSQL, but like all software it depends on correct policy design, testing, and secure application code. We do not claim "military-grade" or "zero-risk" isolation. Clubs with exceptional regulatory needs should discuss custom arrangements with us.
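As an added illustration of the pattern described above (example code, not Apex Track's own schema or policies), here is a minimal RLS policy set for one tenant table scoped by team_id, followed by a query a reviewer can run to find tables where RLS is not enforced. The table names athletes and club_memberships, the uuid type for team_id and the Supabase `authenticated` role are assumptions; auth.uid() is the Supabase helper returning the signed-in user's id, and the role labels are the ones listed on this page.

```sql
-- Added example, not Apex Track's schema. Assumed tables:
--   athletes(id, team_id uuid, ...)              tenant data
--   club_memberships(user_id uuid, team_id uuid, role text)
-- auth.uid() is Supabase's helper returning the current JWT subject.

alter table athletes enable row level security;
-- Without FORCE the table owner bypasses RLS; with it, policies apply to everyone.
alter table athletes force row level security;

-- SECURITY DEFINER lets the lookup read club_memberships without recursing
-- into that table's own policies; pinning search_path prevents hijacking.
create or replace function current_team_ids() returns setof uuid
language sql stable security definer set search_path = public as $$
  select team_id from club_memberships where user_id = auth.uid();
$$;

create or replace function is_platform_superadmin() returns boolean
language sql stable security definer set search_path = public as $$
  select exists (select 1 from club_memberships
                 where user_id = auth.uid() and role = 'superadmin');
$$;

-- Read: any member of the athlete's club, or a platform superadmin.
create policy athletes_select on athletes for select to authenticated
  using (is_platform_superadmin() or team_id in (select current_team_ids()));

-- Write: only admins and coaches, and only into their own club.
-- WITH CHECK stops a user inserting a row tagged with another club's team_id.
create policy athletes_insert on athletes for insert to authenticated
  with check (team_id in (
    select team_id from club_memberships
    where user_id = auth.uid() and role in ('admin', 'coach')));

-- Update: USING limits which rows are visible to update, WITH CHECK stops
-- re-tagging a row to another club's team_id.
create policy athletes_update on athletes for update to authenticated
  using (team_id in (select current_team_ids()))
  with check (team_id in (select current_team_ids()));

-- Review check: any table in public without RLS enabled and forced is a gap
-- in the isolation the policy design relies on.
select c.relname
from pg_class c join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r'
  and not (c.relrowsecurity and c.relforcerowsecurity);
```

The final query is the kind of check that should sit in a test suite alongside per-role queries that assert a coach in one club gets zero rows from another club's athletes.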
Encryption & access control
- In transit: All web traffic uses HTTPS (TLS).
- At rest: Database and storage encryption is provided by our cloud host (Supabase).
- Authentication: Supabase Auth with JWT sessions; passwords hashed by the auth provider.
- Authorisation: Role-based access (superadmin, admin, coach, analyst) plus RLS on tenant tables.
- Staff accounts: Password changes for staff are managed by club administrators to reduce credential sprawl.
GDPR & UK data protection
We support clubs operating under UK GDPR and EU GDPR by:
- Hosting primary infrastructure in EU West (London) where configured.
- Providing a Privacy Policy describing processing, sub-processors, and individual rights.
- Acting as a processor for athlete data entered by clubs (who act as controllers).
- Responding to data subject requests via privacy@apextrack.app and coordinating with club admins.
We do not replace your club's obligation to maintain lawful bases, privacy notices to players, or Data Processing Agreements where required. Enterprise clubs may request a DPA template by email.
Backups & recovery
Database backups are managed by Supabase as part of hosted PostgreSQL. Backup frequency and point-in-time recovery depend on the Supabase project plan. We recommend clubs export critical reports periodically. In a disaster scenario, recovery timelines depend on provider status and the nature of the incident — we do not guarantee a specific RPO/RTO on standard plans.
Uptime & monitoring
The application is deployed on Vercel; the database on Supabase. We monitor for errors and aim to restore service quickly after outages. We do not currently publish a public status page or financially backed uptime SLA for all customers. Planned maintenance will be communicated when practicable.
Security reviews & audits
Our underlying infrastructure providers (e.g. Supabase, Vercel) maintain their own security certifications and audits. Apex Track as an application has not completed an independent SOC 2 or ISO 27001 certification at this time. We follow secure development practices, review access to production systems, and prioritise fixes for reported vulnerabilities.
Incident response
If you suspect unauthorised access to your club account or a data breach, contact privacy@apextrack.app immediately with "Security incident" in the subject line. We will investigate, contain, and notify affected controllers where legally required.
Your role as a club
- Use strong, unique passwords and remove access for departing staff promptly.
- Only enter health data you are authorised to store.
- Review role assignments regularly.
- Report suspected issues without delay.
