Security First

Your Team Data Is Sacred.
We Treat It That Way.

We built ScrimIQ knowing that coaches trust us with their most sensitive competitive data. Every architectural decision prioritizes your data security and privacy.

Authentication & Access Control

  • Industry-standard authentication powered by Clerk with multi-factor authentication support
  • Role-based access control (RBAC) with 8 permission levels — Owner, Admin, Manager, Captain, Coach, Analyst, Player, Viewer
  • Every API request is authenticated and authorized before any data is returned
  • Session tokens are short-lived and automatically rotated

Organization-Level Data Isolation

  • Your team data is completely isolated from every other organization on the platform
  • Every database query is scoped to your organization — there is no way to access another team's scrims, stats, or scouting data
  • Cross-organization access is blocked in the data-access layer itself rather than left to per-endpoint policy, so a mistake in one request handler does not expose another team's rows
  • 15+ explicit isolation checks enforced across all API endpoints
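As an added illustration of the scoping described above (example code written for this page, not ScrimIQ's own; the `Session` and `Scrim` types, the role ranking and the sample rows are constructed), the pattern is that the organization id comes only from the verified session, every read carries it as a predicate, and an explicit ownership assertion backstops any code path that forgot to:

```typescript
// Added example, not ScrimIQ's code. In-memory stand-in for the org-scoped queries
// the page describes; the types, role ranking and rows below are constructed.

type Role = "Owner" | "Admin" | "Manager" | "Captain" | "Coach" | "Analyst" | "Player" | "Viewer";

// The order the page lists the roles in, used here as a simple privilege ranking (assumption).
const ROLE_RANK: Record<Role, number> = {
  Owner: 0, Admin: 1, Manager: 2, Captain: 3, Coach: 4, Analyst: 5, Player: 6, Viewer: 7,
};

// Produced by the identity provider after token verification; never built from request input.
interface Session { userId: string; orgId: string; role: Role; }

interface Scrim { id: string; orgId: string; opponent: string; result: "win" | "loss"; }

// Constructed sample table holding rows from two tenants.
const SCRIMS: Scrim[] = [
  { id: "scrim_1", orgId: "org_alpha", opponent: "Team Blue", result: "win" },
  { id: "scrim_2", orgId: "org_alpha", opponent: "Team Green", result: "loss" },
  { id: "scrim_3", orgId: "org_beta", opponent: "Team Red", result: "win" },
];

// Every read carries the session's orgId as a predicate, so another tenant's rows are
// simply not in the result set: the equivalent of "WHERE organization_id = $1".
function listScrims(session: Session): Scrim[] {
  return SCRIMS.filter((s) => s.orgId === session.orgId);
}

// Lookups by id keep the predicate too. A leaked or guessed id from another tenant
// reads as "not found" rather than returning the row (or a revealing 403).
function getScrim(session: Session, scrimId: string): Scrim | null {
  return SCRIMS.find((s) => s.id === scrimId && s.orgId === session.orgId) ?? null;
}

// Explicit isolation check used as a backstop at the API boundary: even if some code
// path fetched a row without the predicate, it cannot be returned to the wrong tenant.
function assertOwnedBy(session: Session, row: { orgId: string }): void {
  if (row.orgId !== session.orgId) {
    throw new Error(`isolation violation: row belongs to ${row.orgId}, session org is ${session.orgId}`);
  }
}

// Authorization after authentication: the role check uses the session's role, and runs
// only after the tenant check has passed.
function requireRole(session: Session, atLeast: Role): void {
  if (ROLE_RANK[session.role] > ROLE_RANK[atLeast]) {
    throw new Error(`forbidden: ${session.role} may not act as ${atLeast}`);
  }
}

// Example mutation handler: tenant scoping first, backstop check, then the role check.
function deleteScrim(session: Session, scrimId: string): boolean {
  const row = getScrim(session, scrimId);
  if (!row) return false;            // unknown and foreign ids are indistinguishable to the caller
  assertOwnedBy(session, row);
  requireRole(session, "Manager");
  SCRIMS.splice(SCRIMS.indexOf(row), 1);
  return true;
}
```

The order inside `deleteScrim` matters: the tenant predicate runs before the role check, so a foreign id never reaches authorization logic that might leak whether the row exists.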

Encryption

  • All data encrypted in transit via TLS (HTTPS enforced with HSTS preload)
  • Database connections require SSL/TLS — no unencrypted database traffic
  • Sensitive credentials (e.g. linked platform tokens) encrypted at rest with AES-256-GCM, using a unique initialization vector for every record and an authentication tag that detects any modification of the stored ciphertext on decryption
  • API keys and secrets stored as environment variables, never in code or client bundles
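What "AES-256-GCM with unique initialization vectors" buys in practice, as an added example (written for this page, not ScrimIQ's code): a fresh 96-bit nonce per record, a 128-bit tag, and the owner's identity bound in as associated data so a ciphertext cannot be moved between rows. The key would be loaded from an environment variable (the name `TOKEN_ENCRYPTION_KEY` is hypothetical); here it is generated so the block runs offline.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Added example, not ScrimIQ's code. In production KEY comes from an environment
// variable (hypothetically TOKEN_ENCRYPTION_KEY, 32 bytes); generated here to run offline.
const KEY: Buffer = randomBytes(32);
const NONCE_BYTES = 12;   // GCM's standard 96-bit nonce
const TAG_BYTES = 16;     // full 128-bit authentication tag

interface EncryptedToken {
  v: number;     // format version, so key or algorithm can be rotated later
  iv: string;    // base64 nonce, stored with the ciphertext (it is not secret, only unique)
  tag: string;   // base64 GCM tag
  ct: string;    // base64 ciphertext
}

// aad ties the record to its owner (e.g. "org_alpha:user_1"). Copying a ciphertext into
// another user's row then fails authentication, even though every row shares the key.
function encryptToken(plaintext: string, aad: string, key: Buffer = KEY): EncryptedToken {
  const iv = randomBytes(NONCE_BYTES);   // never reuse a nonce under the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_BYTES });
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    v: 1,
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ct: ct.toString("base64"),
  };
}

// Returns the plaintext, or null when the tag does not verify: wrong key, wrong AAD, or
// any modification of nonce, tag or ciphertext. Nothing is returned on failure, so a
// tampered record cannot yield partially decrypted bytes.
function decryptToken(rec: EncryptedToken, aad: string, key: Buffer = KEY): string | null {
  if (rec.v !== 1) return null;
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(rec.iv, "base64"), {
      authTagLength: TAG_BYTES,
    });
    decipher.setAAD(Buffer.from(aad, "utf8"));
    decipher.setAuthTag(Buffer.from(rec.tag, "base64"));
    const pt = Buffer.concat([decipher.update(Buffer.from(rec.ct, "base64")), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null;
  }
}

// Flip one ciphertext byte, to show that GCM rejects the record rather than returning garbage.
function tamperCiphertext(rec: EncryptedToken): EncryptedToken {
  const ct = Buffer.from(rec.ct, "base64");
  ct.writeUInt8(ct.readUInt8(0) ^ 0x01, 0);
  return { ...rec, ct: ct.toString("base64") };
}
```

The uniqueness requirement is the whole game with GCM: two records encrypted under the same key and nonce leak the XOR of their plaintexts and allow tag forgery, which is why the nonce is random per call rather than derived from anything that could repeat.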

AI Data Handling

  • AI features are opt-in and only available on Pro/Elite plans
  • AI analysis uses Anthropic's Claude through its commercial API; under Anthropic's commercial terms, customer inputs and outputs are not used to train its models
  • Only the minimum context needed for analysis is sent to the AI (your team's stats for the specific request)
  • AI requests are rate-limited to prevent abuse (10 requests per minute per user)
  • Team data sent for analysis is used only to answer that request and is not used for training; how long the provider holds request data is governed by its published retention policy

Community Scouting Privacy

  • Community data sharing is 100% opt-in — disabled by default for every opponent
  • Shared data is aggregated and anonymized — other teams cannot see your organization's identity
  • Only statistical patterns are shared (e.g. map preferences), never raw scrim data or player stats
  • You can opt out of community sharing at any time with immediate effect

Infrastructure & Headers

  • Hosted on Vercel's enterprise infrastructure with built-in DDoS protection
  • Database hosted on Neon (PostgreSQL) with automated backups and point-in-time recovery
  • Security headers enforced: HSTS, X-Frame-Options (DENY), X-Content-Type-Options, strict Referrer-Policy, Permissions-Policy
  • Webhook endpoints verify cryptographic signatures before processing

API Security

  • All inputs validated against strict schemas (Zod) before they reach business logic; requests that do not match the expected shape are rejected, which removes whole classes of malformed-input bugs (schema validation complements, but does not replace, parameterized queries and output encoding as injection defences)
  • Rate limiting enforced on all API endpoints, with stricter limits on AI and sensitive operations
  • Admin endpoints require explicit allowlisting — deny-by-default, even in development
  • CRON and webhook endpoints protected with secret-based authentication
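The "10 requests per minute per user" limit for AI calls and the stricter-tier limiting described above, as an added example written for this page (not ScrimIQ's code): a sliding-window limiter keyed by the authenticated user id, with the clock passed in so the behaviour is deterministic. The general 100-per-minute figure is an assumption; the 10-per-minute AI figure is the one stated on the page.

```typescript
// Added example, not ScrimIQ's code. Keyed by the session's user id, never by a
// client-supplied value, so a caller cannot reset its own budget.
class SlidingWindowLimiter {
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly hits = new Map<string, number[]>();

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // Returns whether this request may proceed, how many more fit in the current window,
  // and, when refused, how long until the oldest counted request ages out.
  check(key: string, nowMs: number): { allowed: boolean; remaining: number; retryAfterMs: number } {
    const cutoff = nowMs - this.windowMs;
    const recent = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      const oldest = recent[0] ?? nowMs;
      return { allowed: false, remaining: 0, retryAfterMs: oldest + this.windowMs - nowMs };
    }
    recent.push(nowMs);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// Tiered limits: a general per-user limit (assumed figure) and the stricter AI limit.
const generalLimiter = new SlidingWindowLimiter(100, 60_000);
const aiLimiter = new SlidingWindowLimiter(10, 60_000);   // 10 per minute per user, as on the page

interface LimitOutcome { status: 200 | 429; retryAfterSeconds?: number; }

// Gate for an AI endpoint: the general limit applies first, then the AI-specific one.
function gateAiRequest(userId: string, nowMs: number): LimitOutcome {
  const general = generalLimiter.check(userId, nowMs);
  if (!general.allowed) {
    return { status: 429, retryAfterSeconds: Math.ceil(general.retryAfterMs / 1000) };
  }
  const ai = aiLimiter.check(userId, nowMs);
  if (!ai.allowed) {
    return { status: 429, retryAfterSeconds: Math.ceil(ai.retryAfterMs / 1000) };
  }
  return { status: 200 };
}
```

One caveat for anyone copying this: the counters live in process memory, and on a serverless platform every instance has its own, so the effective limit is the per-instance limit multiplied by however many instances are serving the user. A production limiter keeps the same sliding-window logic but stores the timestamps in a shared store such as Redis, and returns the computed `retryAfterSeconds` in a `Retry-After` header.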

Your Control

  • You control who has access to your organization and at what permission level
  • Remove team members instantly — access is revoked immediately
  • Export or delete your data at any time
  • We will never sell, share, or monetize your team data — your data is yours

Questions About Security?

We're happy to answer any security questions directly. Reach out on Discord and we'll walk you through our architecture.