Frameworks we measure ourselves against
SOC 2 (Trust Services Criteria)
On roadmap: Not audited. We have implemented a control framework mapped to the SOC 2 Trust Services Criteria and track audit-readiness internally. We are not yet SOC 2 audited and do not claim a SOC 2 report.
Our security program is organized around the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy). Each criterion maps to concrete controls — many already enforced in code and continuously checked by our internal security system — so that when we engage an independent auditor, the evidence is already in place.
GDPR-aligned data practices
In place: We follow GDPR-aligned data practices. This is a description of our practices, not a legal certification or a Data Processing Agreement.
You can access, export, and permanently delete your data at any time, we collect only what the product needs, and your swing videos are analyzed on your device by default. For any data question, our privacy contact responds directly.
CCPA-aligned data practices
In place: We follow CCPA-aligned data practices. We do not sell personal information. This is a description of our practices, not a legal certification.
We do not sell or rent personal information and we run no advertising networks. You can request export or deletion of your data directly, regardless of your plan.
Children’s privacy (COPPA-aware)
In place: SwingVantage is not directed to children under 13 and we do not knowingly collect their data. This describes our practice, not a certification.
We do not knowingly collect personal information from children under 13 without verifiable parental consent, and we encourage parental involvement for users under 18 — especially when uploading video.
OWASP ASVS & Top 10
In place: We map our application-security controls to OWASP ASVS and the OWASP Top 10. Coverage is continuously self-assessed, not externally verified.
Authentication, access control, security headers, input handling, and abuse protection are mapped to OWASP ASVS requirements and continuously evaluated by our internal security system, which labels anything it cannot verify rather than assuming it is safe.
NIST Secure Software Development Framework
On roadmap: We align our development lifecycle to NIST SSDF practices. Some CI controls (SAST, dependency and secret scanning) are being rolled out and are tracked as gaps until complete.
Our build and review process is organized around NIST SSDF practices — secure design, automated scanning in CI, and security regression tests — with remaining gaps tracked openly in our internal readiness tracker.
NIST AI Risk Management Framework
On roadmap: We align our AI program to the NIST AI Risk Management Framework (AI RMF 1.0). This alignment is tracked internally and is not third-party audited or certified.
Our use of AI — when it runs at all — is organized around the four NIST AI RMF functions (Govern, Map, Measure, Manage). Heuristics run first and AI is escalated only when needed; intended use, human oversight, AI security testing, spend controls, and fairness evaluation are tracked openly, with remaining gaps shown rather than hidden.
SwingVantage has not completed an independent SOC 2 examination. The framework above is how we organize and verify our own controls so that, when we engage an auditor, the evidence is already in place. Questions? Reach us via the Trust Center.