
Platform Security
Security & Data Protection
How LINEPOQUE protects student data, instructor records, and studio operations. Authentication, encryption, access controls, and incident response.
Authentication
- LINEPOQUE uses magic-link authentication. No passwords are stored, transmitted, or at risk of breach.
- Sessions are managed by Supabase Auth with secure HTTP-only cookies. Tokens rotate automatically.
- Admin access requires an environment-level allowlist. Role escalation is not possible through the application interface.
Encryption
Layer
In transit
Standard
TLS 1.2+ (HTTPS)
Scope
All connections between browser, server, and database.
Layer
At rest
Standard
AES-256
Scope
All data stored in the database, including medical records, training data, and personal information.
Layer
Backups
Standard
AES-encrypted artifacts
Scope
Daily automated backups stored with encryption at rest.
Payment Security
- LINEPOQUE does not store, process, or have access to credit card numbers, CVV codes, or bank account details.
- All payment processing is handled by Paddle, a PCI DSS Level 1 certified Merchant of Record.
- Payment webhooks are verified using HMAC-SHA256 signature validation with timing-safe comparison to prevent replay attacks.
Student Data Protection
- Row-Level Security (RLS) is enforced on every database table. Each user can only access data they are authorised to see.
- Medical information (PAR-Q health screening, conditions, medications, emergency contacts) is stored in encrypted infrastructure and protected by relationship-scoped access policies.
- Data sharing between students and instructors is opt-in and off by default. Students control exactly which categories of data each instructor can see.
- Sensitive categories (pain and discomfort logs, cycle and hormonal data, self-learning notes, session logs) default to private and require explicit student consent to share.
Access Control Model
Role
Student
Access scope
Own records, own intake, own sharing preferences.
Enforcement
Database RLS policies scoped to authenticated user ID.
Role
Instructor
Access scope
Linked students only, subject to per-student sharing settings.
Enforcement
Relationship check via student-instructor links table.
Role
Studio Admin
Access scope
Students enrolled in their studio, studio operations data.
Enforcement
Studio membership verification at database and application layer.
Role
System Admin
Access scope
Platform operations. Restricted to environment-level allowlist.
Enforcement
UUID and email allowlist checked before every admin action.
Security Headers
- Content Security Policy (CSP) restricts script, style, image, and connection sources to trusted origins only.
- HTTP Strict Transport Security (HSTS) enforces HTTPS with a two-year max-age and preload eligibility.
- X-Frame-Options DENY prevents clickjacking by blocking all iframe embedding.
- Referrer-Policy strict-origin-when-cross-origin limits referrer data sent to external sites.
- Permissions-Policy disables camera, microphone, and geolocation access.
Error Monitoring
- Application errors are tracked via Sentry with automatic PII scrubbing enabled.
- Medical fields, emergency contacts, health screening responses, pain logs, and cycle data are redacted from all error reports before transmission.
- Session replay is disabled. No screen recordings of user sessions are captured.
Infrastructure
- Database hosted on Supabase (AWS infrastructure) with disk-level AES-256 encryption.
- Application deployed on Vercel with automatic TLS certificate management.
- Daily automated database backups with encrypted artifact storage.
- No student data is stored on local devices, instructor machines, or unencrypted media.
Data Rights
- Students can request access to, correction of, export of, or deletion of their personal data.
- Data deletion requests are processed with exceptions for records required for safety, billing, certification audit, and legal compliance.
- Consent is recorded with timestamps. Students can withdraw optional data sharing at any time through account settings.
- Privacy requests can be submitted through the Data Rights Requests page.
Incident Response
- Security incidents are investigated within 24 hours of detection.
- Affected users will be notified if a breach involves their personal data, along with recommended actions.
- Post-incident reviews include root cause analysis and control improvements.
- Report security concerns to the LINEPOQUE support contact shown in account settings.