Per-tenant database isolation
Every tenant runs in its own Supabase project. No multi-tenant table with a tenant_id column for someone to forget the WHERE clause on — tenants literally don't share a database.
Security at Club Central is structural, not bolted on. Here's how the architecture protects you — and where we offload to vendors who specialize.
Every tenant runs in its own Supabase project. No multi-tenant table with a tenant_id column for someone to forget the WHERE clause on — tenants literally don't share a database.
We never touch card numbers. PCI scope offloads to Stripe via Stripe Elements + Connect. Per-tenant Stripe accounts so funds go directly to you.
RLS is on across tenant tables. Even when application code makes a query, the database enforces the rules.
Authentication. Supabase Auth, JWT-based, with multi-user-per-membership support. Primary members have full access; secondary members operate under per-action permission flags audited on every state change. Voice + chat add a 4-digit support PIN (bcrypt hashed, 5-fail / 1-hour lockout).
Athlete sign-in (COPPA). Youth-athlete portal uses PIN-only login with explicit parental consent stamped at enable time (IP + UA + COPPA-compliant snapshot). Rate-limited at the IP level. No direct PII collection from the athlete.
Audit logs. Every membership change, every age override, every refund, every permission grant, every AI conversation — timestamped with the actor. The "who did this?" question becomes a query, not an investigation.
Backups + restore. Automated daily backups via Supabase. Manual pg_dump on demand. Documented restore procedures. Before every production migration, we snapshot first.
Bot + abuse protection. hCaptcha on public forms. Stripe Radar on every charge. Per-IP rate limits on auth + search endpoints. Per-tenant Twilio messaging service compliance (TFV 30504 use-case opt-in, A2P 10DLC ready).
PCI: Card data never touches our servers. Stripe Elements collects + tokenizes; we hold tokens, not numbers. PCI scope offloads to Stripe.
COPPA: Athlete sign-in collects parental consent with full snapshot before any child-facing account is enabled. PIN-only auth means no direct PII handling by minors.
SOC 2: We're not SOC 2 certified today. The controls our auditor would name — access logs, encrypted at rest, environment separation, change management — are in place; the report isn't yet. Ask if you need detail for your own vendor risk review.
GDPR / CCPA: Per-user data export and erasure live in the manage app. Right-to-be-forgotten requests get processed through the audit-logged delete flow.
We're happy to walk through architecture diagrams, share our backup + restore procedures, and answer the questions your IT or insurance carrier needs answered.

Registration, billing, attendance, marketing, and an AI receptionist that answers your phone — one platform.
© Club Central. All rights reserved.