🛡️ Security Policy

1. Data Protection and Privacy

• All data is stored in secure, access-controlled databases using NeonDB (PostgreSQL) hosted on AWS ap-southeast-2 (Sydney, Australia), compliant with Australian Privacy Principles (APPs), GDPR, and WCAG 2.1 AA accessibility standards.
• Sensitive information (such as passwords) is encrypted using bcrypt with 12 rounds and never stored in plain text.
• Personal data is only used for purposes directly related to club and student management, and never sold or shared with third parties.
• Data is encrypted both at rest and in transit using industry-standard encryption protocols.

2. Secure Transmission

• All communication between users and DojoMaster servers is protected using HTTPS with TLS 1.2+ encryption.
• We employ automatic certificate renewal and HSTS (HTTP Strict Transport Security) to prevent interception or tampering.

3. Authentication and Access Control

• Every user account is protected by a secure login system using Auth.js (NextAuth.js) with enforced password complexity requirements (minimum 8 characters, including uppercase, lowercase, numbers, and special characters).
• Access to administrative features is limited to authorised users with appropriate permissions based on their role (Owner, Sensei, Sempai, Student, Parent).

4. Infrastructure and Application Security

• Our platform is built using Next.js with a security-first architecture.
• Regular security audits and code reviews are performed to detect vulnerabilities.
• We follow OWASP Top 10 best practices for web application security, including protection against XSS, CSRF, and SQL injection attacks.

4.5. Rate Limiting and DDoS Protection

We implement rate limiting to protect against brute-force attacks and abuse:

• Authentication endpoints: 5 attempts per 15 minutes
• AI endpoints: 20 requests per hour
• File upload endpoints: 10 uploads per hour
• General API endpoints: 100 requests per minute

These measures help prevent unauthorized access attempts and ensure fair resource usage for all users.

5. Monitoring and Incident Response

• System activity and access logs are continuously monitored for suspicious behaviour using Sentry for error tracking and performance monitoring.
• In the unlikely event of a data breach, we will notify affected users and relevant authorities within 72 hours, in compliance with the Australian Notifiable Data Breaches (NDB) Scheme.

6. Third-Party Services

DojoMaster integrates with trusted third-party providers that maintain their own strong security and compliance standards. Each integration is vetted and subject to ongoing review:

• Stripe - Payment processing (PCI DSS compliant)
• Google OAuth - Secure authentication provider
• Resend - Email service for notifications and communications
• Twilio - SMS communications
• OpenAI - AI-powered features and analytics
• Sentry - Error tracking and performance monitoring
• Cloudflare R2 - Secure file storage for user avatars and club logos

7. Data Backups and Recovery

• Data is automatically backed up on a daily schedule.
• Backups are encrypted and stored separately to protect against data loss or system failure.

7.5. File Storage Security

• User avatars and club logos are securely stored using Cloudflare R2 (S3-compatible object storage).
• All files are encrypted at rest and in transit using industry-standard encryption protocols.
• Access to stored files is controlled through role-based permissions, ensuring only authorized users can access or modify files.
• File uploads are validated for type, size, and content to prevent malicious uploads.

8. User Responsibilities

We encourage users to:

• Keep login credentials confidential.
• Use strong passwords and enable additional security measures where available.
• Immediately report any suspicious account activity to our support team.