Security practices

Internal tools are restricted to an explicit operator allowlist with role-based permissions, so a single account cannot change everything.

API keys and service credentials live only in server environments and are never included in pages delivered to your browser.

When cloud accounts are enabled, row-level security ensures you can only read and write your own data — enforced at the database, not just in the app.

Swing videos are analyzed in your browser. Footage is not transmitted to external servers by default, and is never used to train AI models without your explicit consent.

Every page is served over HTTPS with a Content-Security-Policy, X-Frame-Options, and HTTP Strict-Transport-Security to defend against injection, clickjacking, and protocol downgrade.

Uploads are restricted to known media types with enforced size and duration limits, reducing the risk of malformed or abusive files.

Anything you type that is shown back in the interface is sanitized before it is rendered.

AI endpoints sit behind rate limiting and a global daily spend cap, so abuse cannot degrade service or produce a runaway bill.

Sensitive internal actions are recorded so changes are accountable and incidents can be reconstructed.

We maintain a runbook covering secret exposure, account compromise, and data-leak scenarios so response is a checklist, not a scramble.

We are rolling out secret scanning, dependency vulnerability scanning, and static analysis on every code change. Remaining gaps are tracked openly.