Security Policy

Last updated: April 2026

Responsible Disclosure

We take the security of Chalk and our users' data seriously. If you believe you have found a security vulnerability in our product, please report it to us so we can address it promptly.

Email: security@chalksports.ai

Our machine-readable security disclosure file is at /.well-known/security.txt.

What to Include in a Report

  • A description of the vulnerability and its potential impact
  • Steps to reproduce (proof of concept if applicable)
  • Any affected URLs, endpoints, or components
  • Your contact information for follow-up

Our Commitments

  • We will acknowledge receipt of your report within 3 business days.
  • We will investigate and keep you informed of our progress.
  • We will not take legal action against researchers who follow responsible disclosure guidelines.
  • We will credit researchers (with permission) in security advisories for valid findings.

Scope

In scope:

  • chalksports.ai and all subdomains
  • The Chalk PWA on iOS and Android
  • Chalk API endpoints

Out of scope:

  • Denial of service attacks
  • Social engineering of Chalk employees
  • Attacks on third-party services we use (Stripe, Supabase, Vercel)
  • Automated scanning that generates excessive load

Security Practices

  • All data is encrypted in transit using TLS 1.2+.
  • Database data is encrypted at rest.
  • Row-level security (RLS) is enabled on all database tables.
  • Authentication is handled by Supabase Auth with industry-standard JWT tokens.
  • Payment processing is handled exclusively by Stripe — we never store card numbers.
  • File uploads are validated server-side (magic bytes, size limits) before storage.
  • Content Security Policy headers are applied on all routes.

Breach Notification

In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware, as required by applicable law. Notifications will be sent to the email address on your account. See our Privacy Policy for more detail.