Security is one of the biggest considerations in everything we do. If you have any questions after reading this or encounter any issues, please let us know.
SportLynx's software is secure by design. Security has been one of our core tenets from the beginning. During all phases of design and development, security concerns are carefully considered and incorporated into our solutions and services.
We start by building our entire ecosystem on one of the most secure cloud platforms in the world - Microsoft's Azure cloud. Azure is Microsoft's best-in-class cloud platform, used by major corporations and governments around the world. https://azure.microsoft.com/en-us/overview/security/
Next, we carefully select only the best partners for providing services that require special privacy handling. Stripe, our payment processing partner, has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.
Why and How Your Data is Safe With Us
HTTPS for secure connections
SportLynx forces HTTPS (TLS) for all services, including our public website, our main application, and all communication between our own services and with our partners.
SportLynx's own services connect to each other over TLS and verify TLS certificates on each connection.
We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the cipher suites we support. We also regularly review the strength of our cryptographic settings (key sizes, cipher suites, and the work factor of our password hashing) and update them as necessary.
Encryption of sensitive data and communication
Passwords are hashed, not encrypted: each password is salted and hashed with bcrypt, the Blowfish-derived password hashing algorithm, using an appropriate work factor, and the resulting hashes are stored in a separate database from our application database. Because only the salted hash is stored, none of SportLynx's internal servers or services can recover a user's plaintext password from it. Social Security Numbers are collected only when needed to fill out IRS Form 1099 and are encrypted at rest with AES-256. SportLynx's infrastructure for storing, decrypting, and transmitting user data runs entirely on the Microsoft Azure platform, which keeps the attack surface small and confined to a single environment.
All data is encrypted in transit and at rest. In transit, all data is protected with TLS; at rest, we use Microsoft Azure's Transparent Data Encryption (TDE), which encrypts our databases, their backups, and their transaction logs.
Process & Policy
Human error is a leading cause of data breaches. SportLynx practices and enforces strict processes and policies in development, testing, and all aspects of data handling and code writing to proactively prevent these kinds of mistakes.
Our security-oriented practices and policies include, but are not limited to:
- Strict, limited access control to production data
- Strict production data handling
- A security-first software engineering approach
- Continuous testing and integration
- Strict segregation of production and dev/test environments
- Unique passwords for every service and configuration
- 2-factor authentication for all platform and service logins
- Adherence to the principle of least privilege in permissions and access granted to our engineers, testers, management, and services
- Regular security reviews
- Password rotation
We also enforce rules that help users protect their own data, such as password strength requirements and rejecting commonly used passwords.