Security at ClubPal
We handle personal data on behalf of hundreds of sports clubs across the UK and beyond. Here's how we protect it.
Last reviewed: April 2026
Hosted on: Microsoft Azure
Encryption: TLS 1.3 in transit, AES-256 at rest
Backups: 30-day point-in-time restore
Payments: processed by PCI DSS compliant providers
Infrastructure and Hosting
ClubPal is hosted on Microsoft Azure in the North Europe (Dublin) datacentre. The Azure platform provides the physical security, network controls and compliance certifications (including ISO 27001 and SOC 2) that ClubPal builds on. Those certifications cover Azure's infrastructure; the controls described on this page cover the ClubPal application running on it.
All data in transit is encrypted using TLS 1.3. All connections to ClubPal are served over HTTPS; unencrypted connections are rejected.
Database Security
ClubPal uses Microsoft Azure Cosmos DB as its primary database. Data is encrypted at rest using AES-256 encryption managed by Azure. The database is not accessible from the public internet.
Each club's data is logically isolated using a per-club partition key: every query the application issues is scoped to the partition of the club the caller is authenticated for, so data belonging to one club cannot be returned to another. Access is restricted to ClubPal application services through Azure managed identity; no static database credentials are used.
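Partition keys isolate data only if the application never lets a caller choose the partition. The following Python is an added illustration, not ClubPal's code: it uses an in-memory stand-in for a Cosmos DB container, with constructed club ids, member documents and a Session type, and shows the failure mode that partition keys alone do not prevent (a partition key taken from the request) beside the hardened form that binds the key to the authenticated session.

```python
"""Per-club isolation via partition keys: vulnerable and hardened query paths.

Added example, not ClubPal code. FakeContainer stands in for an Azure Cosmos DB
container; the club_id partition key, Session type and documents are constructed.
"""
from dataclasses import dataclass

# Constructed sample documents; club_id is the partition key.
DOCS = [
    {"id": "m1", "club_id": "club-a", "name": "Alice"},
    {"id": "m2", "club_id": "club-a", "name": "Arun"},
    {"id": "m3", "club_id": "club-b", "name": "Bea"},
]


class FakeContainer:
    """Minimal stand-in for a Cosmos DB container.

    As with the real SDK, a query given a partition key runs against that one
    logical partition; with no partition key it fans out across all of them.
    """

    def __init__(self, docs):
        self._docs = list(docs)

    def query_items(self, predicate, partition_key=None):
        for doc in self._docs:
            if partition_key is not None and doc["club_id"] != partition_key:
                continue
            if predicate(doc):
                yield dict(doc)


@dataclass(frozen=True)
class Session:
    """Authenticated caller. club_id comes from the verified login, never the request."""
    user_id: str
    club_id: str


def members_unsafe(container, request_params):
    """Vulnerable pattern, shown for contrast: partition key from user input.

    A caller who supplies another club's id reads that club's members, and a
    caller who omits it triggers a cross-partition query over every club.
    """
    club = request_params.get("club_id")  # attacker-controlled
    return list(container.query_items(lambda d: True, partition_key=club))


def members_for_session(container, session, request_params):
    """Hardened pattern: the partition key is bound to the authenticated club.

    A club_id in the request is accepted only if it matches the session, so a
    mismatch becomes a visible authorization failure, not a silent leak.
    """
    requested = request_params.get("club_id")
    if requested is not None and requested != session.club_id:
        raise PermissionError("club_id in request does not match authenticated club")
    return list(container.query_items(lambda d: True, partition_key=session.club_id))


def demo():
    """Run both paths against a tampered request from a club-a user."""
    container = FakeContainer(DOCS)
    session = Session(user_id="u-alice", club_id="club-a")
    hostile = {"club_id": "club-b"}  # caller edits the request to target club-b

    leaked = [d["id"] for d in members_unsafe(container, hostile)]
    try:
        members_for_session(container, session, hostile)
        blocked = False
    except PermissionError:
        blocked = True
    own = [d["id"] for d in members_for_session(container, session, {})]
    return {"leaked": leaked, "blocked": blocked, "own": own}


if __name__ == "__main__":
    print(demo())
```

With the azure-cosmos SDK the same binding is the partition_key argument to query_items; the point is that its value must come from the session rather than from anything the caller sends.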
Card Payments
ClubPal does not store card or payment details. Payments are processed via Stripe Connect and Square — both PCI DSS and Strong Customer Authentication (SCA) compliant. Payment details entered by members are sent directly to the payment processor and are never handled or stored by ClubPal.
Apple Pay and Google Pay are also supported via Stripe, providing members with fast, secure checkout options.
Backups and Recovery
Continuous backup is enabled on ClubPal's database, giving point-in-time restore with a 30-day retention window: in the event of data loss or corruption, the database can be restored to any point within the preceding 30 days.
Access Control
Access to ClubPal production systems is restricted to authorised personnel only. All production access requires multi-factor authentication (MFA), and access is granted on a least-privilege basis with permissions scoped to what is required for each role.
Access rights are reviewed regularly and revoked promptly when no longer required.
Incident Response and Monitoring
ClubPal operates continuous monitoring and alerting across its infrastructure and application services. In the event of a confirmed security incident or personal data breach, ClubPal will notify affected customers within 24 hours of confirming it and provide the information they need to meet their own UK GDPR obligations.
Our incident response process is consistent with ClubPal's obligations as a Data Processor under our Data Processing Agreement.
Vulnerability Management
ClubPal conducts regular penetration testing of its platform and infrastructure by qualified third-party security professionals. Findings are reviewed and remediated in order of severity.
Ongoing practices include regular dependency updates with automated vulnerability alerts, secure development and code review processes, and continuous monitoring for anomalous behaviour.
Email Security
All outbound email from ClubPal domains is protected by SPF, DKIM and DMARC. These industry standards let receiving mail servers verify that a message claiming to come from a ClubPal domain was actually sent by ClubPal and reject or quarantine forgeries, protecting clubs and members from phishing that impersonates ClubPal. These records are actively monitored.
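Monitoring these records means more than checking that they exist: a DMARC policy of none, a partial pct, a missing reporting address or an SPF record ending in ~all all leave forgeries deliverable. The following Python is an added example of such a check, not ClubPal's own tooling; the four TXT records in it are constructed for illustration and are not ClubPal's published DNS records. It covers the SPF and DMARC policy records; DKIM verification needs a signed message and a key lookup and is not covered here.

```python
"""Policy sanity checks for SPF and DMARC TXT records.

Added example, not ClubPal tooling. The records below are constructed; a real
check would fetch them from DNS (the TXT record at the domain and at _dmarc.<domain>).
"""
import re

# Constructed records: a strong pair and a weak pair.
SPF_RECORD = "v=spf1 include:_spf.example-mailer.test ip4:203.0.113.0/24 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.example-mailer.test ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return (mechanisms, all_qualifier); all_qualifier is None if 'all' is absent."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if not term:
            continue
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Return the DMARC tag dictionary (keys lower-cased), or raise ValueError."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    return tags


def spf_findings(record):
    """Weaknesses in an SPF record that let forged mail through."""
    findings = []
    mechanisms, all_qualifier = parse_spf(record)
    if all_qualifier is None:
        findings.append("SPF: no 'all' term, so unlisted senders are treated as neutral")
    elif all_qualifier in "+?":
        findings.append(f"SPF: '{all_qualifier}all' lets any host send as this domain")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' only soft-fails forged mail; use '-all'")
    # Counts only this record's own lookup terms, not those inside nested includes.
    lookups = sum(1 for _, m in mechanisms if re.split(r"[:=/]", m, 1)[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    return findings


def dmarc_findings(record):
    """Weaknesses in a DMARC record that leave failures unenforced or unseen."""
    findings = []
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("DMARC: p=none only reports; forged mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown policy {tags['p']!r}")
    pct = tags.get("pct", "100")  # default is 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves some failing mail unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so failures are never reported back")
    return findings


def check_email_auth(spf_record, dmarc_record):
    """All findings for a domain's published SPF and DMARC policy; empty means clean."""
    return spf_findings(spf_record) + dmarc_findings(dmarc_record)


if __name__ == "__main__":
    print("strong:", check_email_auth(SPF_RECORD, DMARC_RECORD))
    print("weak:", check_email_auth(WEAK_SPF, WEAK_DMARC))
```

The strong pair produces no findings; the weak pair produces four, one for each of the gaps named above. Run against records fetched from DNS on a schedule, a non-empty result is the alert that "actively monitored" should mean.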
Subprocessors
ClubPal uses a limited number of third-party subprocessors. All are bound by data processing agreements and required to maintain appropriate security standards.
| Subprocessor | Service | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, database, and application hosting | UK / Ireland |
| Stripe | Payment processing | United Kingdom |
| Square | Payment processing (UK only) | United Kingdom |
Responsible Disclosure
If you believe you have identified a security vulnerability in the ClubPal platform, please let us know promptly so we can investigate and respond. We ask that you do not publicly disclose any vulnerability until we have had a reasonable opportunity to address it.
Report security concerns to security@clubpal.app. We will acknowledge all reports and keep you informed of progress.
Need a formal Data Processing Agreement?
Our DPA sets out ClubPal's obligations as a Data Processor under UK GDPR and is available to download or request as a countersigned copy.
Questions about security? Contact us.