Security
Exercise Manager is built with security as a first-class concern at every layer — from how participants sign in, through how scenario content is stored, to how the application is hosted and monitored. The summary below covers the controls we have in place today. If you need additional detail for an IT or procurement review, contact us.
Our Approach
Exercise Manager is designed with security at its core. We apply a defence-in-depth approach across every layer of the application — from authentication and access controls to data encryption and infrastructure monitoring. Our practices are aligned with industry-recognised standards such as ISO 27001 and SOC 2.
Encryption in Transit and at Rest
All data transmitted between users and our servers is encrypted using HTTPS with TLS 1.2 or higher. Our database and automated backups are encrypted at rest using AES-256 encryption. This protects your data whether it is being transmitted or stored.
Infrastructure and Hosting
Exercise Manager is hosted on Render, a secure, cloud-native platform. TLS certificates are automatically provisioned and renewed. Render provides built-in support for automatic scaling, access control, and daily backups, and operates from data centres certified to SOC 2 Type II and ISO 27001.
Authentication and Access Control
We use modern authentication mechanisms, including strong password hashing with bcrypt and short-lived, server-side session management. Exercise Manager supports passkeys (WebAuthn) for phishing-resistant sign-in, so users can choose to authenticate with a fingerprint, face, or hardware key rather than a password. Access within the application is role-based — every action is checked against the user's account role and any exercise-specific role they hold. Administrative actions are logged and monitored.
Account Protection
Sign-in attempts are throttled and accounts are temporarily locked after repeated failures to limit brute-force and credential-stuffing attacks. Password reset and invitation tokens are single-use, hashed at rest, and expire after a short window. All authentication-related state changes are logged.
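The two controls in this section, single-use expiring tokens that are stored only as hashes and a failure counter that temporarily locks an account, are small enough to show end to end. The following is an added example and not Exercise Manager's own code; the class names, the 15-minute token lifetime, the five-failure threshold and the ten-minute lockout are assumptions chosen for illustration. Storing only the SHA-256 of the token means a leaked database row does not yield a usable reset link, and marking the record used on first consumption closes the replay window.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumed reset/invitation token lifetime
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
LOCKOUT_SECONDS = 10 * 60     # assumed lockout duration and failure window


@dataclass
class TokenRecord:
    """What is persisted: the hash of the token, never the token itself."""
    token_hash: str
    user_id: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Issues and consumes single-use reset tokens (hypothetical in-memory store)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        # 256 bits of randomness from the OS CSPRNG; returned once to the caller
        token = secrets.token_urlsafe(32)
        digest = self._hash(token)
        self._records[digest] = TokenRecord(digest, user_id, self._now() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, token: str) -> Optional[str]:
        """Returns the user id on success; None if unknown, already used, or expired."""
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or self._now() > rec.expires_at:
            return None
        rec.used = True  # single use: a second presentation of the same token fails
        return rec.user_id


class LoginThrottle:
    """Counts recent failures per account and locks the account after a threshold."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        return self._now() < self._locked_until.get(account, 0.0)

    def record_failure(self, account: str) -> bool:
        """Records a failed attempt; returns True if this one triggered a lockout."""
        window_start = self._now() - LOCKOUT_SECONDS
        recent = [t for t in self._failures.get(account, []) if t > window_start]
        recent.append(self._now())
        self._failures[account] = recent
        if len(recent) >= MAX_FAILED_ATTEMPTS:
            self._locked_until[account] = self._now() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful sign-in clears the failure history."""
        self._failures.pop(account, None)
```

A real deployment keeps both tables in the database rather than in memory, so that lockout state survives restarts and is shared across instances, and logs every `issue`, `consume` and lockout event so the audit trail described above exists.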
Payment Security
Card payments for marketplace purchases are processed entirely by Stripe — a PCI-DSS Level 1 certified provider. We never see, store, or transmit raw card details. Webhook events from Stripe are signature-verified to prevent forgery, and licence creation is idempotent so a duplicated event cannot result in a duplicate charge or grant.
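Signature verification and idempotent handling are the two checks that make a webhook endpoint safe to expose. The code below is an added example, not Exercise Manager's implementation: the header parsing and the `timestamp.payload` HMAC-SHA256 construction follow Stripe's documented `v1` signing scheme, while `LicenceService`, the in-memory processed-event set and the sample event are constructed for illustration. In production the verification step would normally be delegated to the official library (`stripe.Webhook.construct_event`), and the set of processed event ids would be a database table with a unique constraint written in the same transaction as the licence grant.

```python
import hashlib
import hmac
import json
from typing import Dict, Set

SIGNATURE_TOLERANCE_SECONDS = 300  # reject signatures whose timestamp is outside this window (replay)


def verify_signature(payload: bytes, sig_header: str, secret: str, now: float) -> bool:
    """Checks a header of the form 't=<unix ts>,v1=<hex hmac>[,v1=<hex hmac>]'."""
    timestamp = None
    candidates = []
    for part in sig_header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    try:
        if abs(now - int(timestamp)) > SIGNATURE_TOLERANCE_SECONDS:
            return False  # stale or future-dated: treat as a replay attempt
    except ValueError:
        return False
    signed_payload = timestamp.encode() + b"." + payload
    expected = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()
    # constant-time comparison against every v1 candidate (present during secret rotation)
    return any(hmac.compare_digest(expected, c) for c in candidates)


def sign_payload(payload: bytes, secret: str, timestamp: int) -> str:
    """Constructed helper that builds a header the way the sender would; used only for testing."""
    sig = hmac.new(secret.encode(), f"{timestamp}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={sig}"


class LicenceService:
    """Hypothetical receiver: verifies, deduplicates by event id, then grants a licence."""

    def __init__(self) -> None:
        self.processed_events: Set[str] = set()
        self.licences: Dict[str, int] = {}  # customer id -> licences granted

    def handle_webhook(self, payload: bytes, sig_header: str, secret: str, now: float) -> str:
        if not verify_signature(payload, sig_header, secret, now):
            return "rejected"
        event = json.loads(payload)
        event_id = event["id"]
        if event_id in self.processed_events:
            return "duplicate"  # Stripe retries deliveries; the grant must not repeat
        if event["type"] == "checkout.session.completed":
            customer = event["data"]["object"]["customer"]
            self.licences[customer] = self.licences.get(customer, 0) + 1
        self.processed_events.add(event_id)
        return "processed"
```

Note that the raw request body must be fed to `verify_signature` exactly as received; re-serialising the parsed JSON before hashing changes the bytes and causes valid events to be rejected.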
Backups and Disaster Recovery
Databases are automatically backed up daily and retained according to Render's standard policy. In the event of an incident, these backups can be used to restore service. All backups are encrypted and stored securely.
DDoS and Threat Protection
We employ multiple layers of protection against denial of service and automated abuse. These include rate limiting on every endpoint, stricter throttles on authentication routes, geographic IP filtering, and platform-level mitigations provided by our hosting provider's edge network.
Monitoring and Incident Response
We maintain continuous monitoring of our application and infrastructure, with automated alerts for abnormal activity and critical security events. Suspicious access attempts, failed logins, and exploit probes are logged and reviewed. Security events trigger real-time email alerts to the system administrator, and every error includes a reference identifier so incidents can be traced through the logs.
Vulnerability Management
Our codebase is continuously monitored for known vulnerabilities in third-party dependencies. Critical patches are applied within 48 hours. We combine automated tools with manual review to enforce secure coding practices, including standard protections against cross-site scripting, cross-site request forgery, SQL injection, clickjacking, and insecure direct object references.
Compliance and Best Practices
Our security practices are aligned with international standards including ISO 27001 and SOC 2. We regularly review our controls and update our policies to reflect evolving security and compliance requirements. Customer data is never used for advertising or analytics, and is never sold or shared with third parties for marketing.
Data Privacy and Retention
Customers own their data and can export or request its deletion at any time. Trial data is deleted 30 days after trial expiry if no subscription is started. For paid accounts, all data is deleted 30 days after cancellation unless otherwise agreed. Soft-deleted records are anonymised immediately and hard-deleted at the end of the retention window.
Email Security
Transactional email — invitations, password resets, security alerts — is sent through Postmark, which signs outbound messages with DKIM and authenticates the sending domain via SPF and DMARC. This significantly reduces the risk of spoofed messages reaching your inbox.
Need more detail?
If you need additional technical detail about our security architecture, or documentation for your IT review process, get in touch.