Data Security

How we protect the data of young athletes, parents, coaches, and academies on Durosport Play.

Our Security Commitment

Durosport Play serves young athletes aged 6–18, which means data security is not optional — it is foundational. We build security into every layer of the platform, from database access controls to API endpoint protection to breach detection. Our approach follows a defence-in-depth model: multiple overlapping security controls so that no single point of failure can compromise user data.

Security Architecture

Encryption at Rest

All data stored in our database is encrypted at rest using AES-256 encryption provided by our infrastructure provider (Supabase on AWS). This includes student records, assessment data, payment information, and personal details.

Encryption in Transit

All data transmitted between your device and our servers is encrypted using TLS 1.2+. This applies to web traffic, API calls, mobile app communications, and file uploads. We enforce HTTPS-only connections with no fallback to unencrypted HTTP.

Row-Level Security (RLS)

Every table in our PostgreSQL database is protected by Row-Level Security policies. This means data access is enforced at the database level, not just in application code. Admins see only their academy's data, coaches see only their batches, and parents see only their children's records. RLS coverage: 100% of tables.

Access Controls

The platform implements role-based access control (RBAC) with four distinct roles: Admin, Coach, Student, and Parent. Each role has strictly defined permissions. API endpoints validate both authentication tokens and role permissions before processing any request.

Infrastructure

Hosting & Database

Our web application is hosted on Vercel with global CDN distribution. Our database runs on Supabase (managed PostgreSQL on AWS) with automated backups, point-in-time recovery, and infrastructure-level encryption. Database backups are taken daily and retained for 7 days.

API Security

All API endpoints implement rate limiting to prevent abuse. Sensitive operations (authentication, payment processing, data exports) have additional per-user rate limits. Webhook endpoints use timing-safe signature verification to prevent tampering. The Supabase service role key is never exposed to client-side code.

Authentication

User authentication is managed through Supabase Auth, supporting email and phone OTP verification. Session tokens are short-lived and refreshed automatically. Password hashing uses bcrypt with appropriate work factors. We do not store plaintext passwords.

Payment Security

All payments on Durosport Play are processed through Cashfree Payments, a PCI-DSS Level 1 certified payment gateway. We do not store credit card numbers, CVVs, or bank account details on our servers. Payment tokens and order IDs are stored for reconciliation and refund processing. Webhook communications from Cashfree are verified using HMAC-SHA256 signatures.

Child Data Protection

As a platform that primarily serves minors aged 6–18, we apply enhanced protections for children's data in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act):

Verifiable parental consent (OTP-based) is required before any child account is activated or any child data is processed.

Children’s data is never used for targeted advertising or behavioural tracking.

XP points and rankings are calculated server-side — children cannot self-award achievements.

Data breach incidents involving children’s data are automatically escalated to CRITICAL severity.

Parents can request complete data erasure for their child by contacting dpo@durosport.in.

Breach Detection & Response

We maintain automated breach detection utilities that continuously monitor for suspicious activity including failed login spikes, unusual bulk data access, webhook failures, rate limit violations, and unauthorised access attempts. When anomalies are detected, our system automatically creates incident records and triggers escalation.

Our Data Breach Response Plan (DBRP-2026-001) follows the DPDP Act requirement to notify the Data Protection Board of India (DPBI) within 72 hours of confirming a breach. The plan includes an internal escalation matrix, breach assessment templates, communication templates for affected users, and post-incident review procedures.

Report a vulnerability: If you believe you have found a security vulnerability in Durosport Play, please report it to security@durosport.in. We take all reports seriously and will respond within 24 hours.

Security Auditing

The Durosport Play platform has undergone two rounds of security auditing with all 28 identified findings remediated. Our security audit log tracks all sensitive operations including authentication events, data access patterns, and administrative actions. We maintain an ongoing programme of security review as the platform evolves.

Regulatory Compliance

Durosport Play is designed and operated in compliance with the following Indian regulations:

DPDP Act, 2023Data processing, consent management, data principal rights, breach notification, and enhanced protections for children's data.
IT Act, 2000Information security practices, reasonable security procedures, and intermediary guidelines compliance.
Consumer Protection ActTransparent pricing, grievance redressal mechanism, and fair business practices.
RPwD Act, 2016Web accessibility conforming to WCAG 2.1 Level AA standards.

Data Retention & Deletion

We retain personal data only for as long as necessary to provide our services and comply with legal obligations. When an account is terminated, we retain data for up to 90 days for recovery purposes, after which it is permanently deleted. Payment records and GST invoices may be retained for up to 8 years to comply with Indian tax laws. Data erasure requests are processed within 30 days as required by the DPDP Act, 2023.

Security Contact

Security Issuessecurity@durosport.in
Data Protection Officerdpo@durosport.in
General Supportsupport@durosport.in

Learn more about how we handle your data