LINÉPOQUE

Platform Security

Security & Data Protection

How LINEPOQUE protects student data, instructor records, and studio operations. Authentication, encryption, access controls, and incident response.

Authentication

  • LINEPOQUE uses magic-link authentication. No passwords are stored, transmitted, or at risk of breach.
  • Sessions are managed by Supabase Auth with secure HTTP-only cookies. Tokens rotate automatically.
  • Admin access requires an environment-level allowlist. Role escalation is not possible through the application interface.

Encryption

Layer

In transit

Standard

TLS 1.2+ (HTTPS)

Scope

All connections between browser, server, and database.

Layer

At rest

Standard

AES-256

Scope

All data stored in the database, including medical records, training data, and personal information.

Layer

Backups

Standard

AES-encrypted artifacts

Scope

Daily automated backups stored with encryption at rest.

Payment Security

  • LINEPOQUE does not store, process, or have access to credit card numbers, CVV codes, or bank account details.
  • All payment processing is handled by Paddle, a PCI DSS Level 1 certified Merchant of Record.
  • Payment webhooks are verified using HMAC-SHA256 signature validation with timing-safe comparison to prevent replay attacks.

Student Data Protection

  • Row-Level Security (RLS) is enforced on every database table. Each user can only access data they are authorised to see.
  • Medical information (PAR-Q health screening, conditions, medications, emergency contacts) is stored in encrypted infrastructure and protected by relationship-scoped access policies.
  • Data sharing between students and instructors is opt-in and off by default. Students control exactly which categories of data each instructor can see.
  • Sensitive categories (pain and discomfort logs, cycle and hormonal data, self-learning notes, session logs) default to private and require explicit student consent to share.

Access Control Model

Role

Student

Access scope

Own records, own intake, own sharing preferences.

Enforcement

Database RLS policies scoped to authenticated user ID.

Role

Instructor

Access scope

Linked students only, subject to per-student sharing settings.

Enforcement

Relationship check via student-instructor links table.

Role

Studio Admin

Access scope

Students enrolled in their studio, studio operations data.

Enforcement

Studio membership verification at database and application layer.

Role

System Admin

Access scope

Platform operations. Restricted to environment-level allowlist.

Enforcement

UUID and email allowlist checked before every admin action.

Security Headers

  • Content Security Policy (CSP) restricts script, style, image, and connection sources to trusted origins only.
  • HTTP Strict Transport Security (HSTS) enforces HTTPS with a two-year max-age and preload eligibility.
  • X-Frame-Options DENY prevents clickjacking by blocking all iframe embedding.
  • Referrer-Policy strict-origin-when-cross-origin limits referrer data sent to external sites.
  • Permissions-Policy disables camera, microphone, and geolocation access.

Error Monitoring

  • Application errors are tracked via Sentry with automatic PII scrubbing enabled.
  • Medical fields, emergency contacts, health screening responses, pain logs, and cycle data are redacted from all error reports before transmission.
  • Session replay is disabled. No screen recordings of user sessions are captured.

Infrastructure

  • Database hosted on Supabase (AWS infrastructure) with disk-level AES-256 encryption.
  • Application deployed on Vercel with automatic TLS certificate management.
  • Daily automated database backups with encrypted artifact storage.
  • No student data is stored on local devices, instructor machines, or unencrypted media.

Data Rights

  • Students can request access to, correction of, export of, or deletion of their personal data.
  • Data deletion requests are processed with exceptions for records required for safety, billing, certification audit, and legal compliance.
  • Consent is recorded with timestamps. Students can withdraw optional data sharing at any time through account settings.
  • Privacy requests can be submitted through the Data Rights Requests page.

Incident Response

  • Security incidents are investigated within 24 hours of detection.
  • Affected users will be notified if a breach involves their personal data, along with recommended actions.
  • Post-incident reviews include root cause analysis and control improvements.
  • Report security concerns to the LINEPOQUE support contact shown in account settings.