
Security

Last updated: June 25, 2026

Coaches trust CoachFlow with sensitive information about their clients — health details, photos, and private conversations. Protecting that data is a first-class part of how the product is built, not an afterthought. Everything below is actually implemented in the platform today.

01 Encryption in transit

All traffic between your device, the app, and our servers is encrypted with HTTPS/TLS. We send a Strict-Transport-Security (HSTS) header so browsers refuse to connect over plain HTTP.

02 Encryption at rest

The most sensitive content — private chat messages (and their attachments) and check-in answers (which can contain health information) plus their AI summaries — is encrypted in the database with AES-256-GCM. Each value uses a fresh random IV and an authentication tag, so identical inputs encrypt differently and any tampering is detectable. This keeps that data unreadable to anyone with raw database access (a dump, a backup, or a leaked connection string).

03 Passwords

Passwords are never stored in plain text. They are hashed with bcrypt (a slow, salted algorithm built for passwords), so even we cannot read them — and a database leak does not expose them.

04 Access control — your data stays yours

Every request is authenticated with short-lived JSON Web Tokens and authorized on the server. A coach can only ever reach their own clients; a client can only ever reach their own data. These ownership checks run on the server for each request, so the rules can't be bypassed from a modified app or a crafted API call.

05 Defense against abuse

  • Rate limiting: login, sign-up, and password endpoints are throttled per IP to stop brute-force and credential-stuffing attacks; a wider limit protects every other route from scraping and denial-of-service.
  • Hardened HTTP headers: a strict Content-Security-Policy, X-Frame-Options: DENY (no clickjacking), nosniff, and a locked-down permissions policy.
  • Origin allowlist (CORS): only our own apps may call the API from a browser.
  • Capped queries: list endpoints cap how much can be requested at once, so the database can't be overloaded.
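The per-IP throttling in the first bullet, shown as an added example that is not CoachFlow's code: a fixed-window counter keyed by client address, with an injectable clock so the cut-off can be checked deterministically. The limit of 5 attempts per minute, the IP addresses (documentation ranges) and the function names are assumptions.

```javascript
// Added example (not CoachFlow's code): per-IP fixed-window rate limiting of the
// kind used on login, sign-up and password endpoints. Limits are assumed values.
function createRateLimiter({ limit, windowMs, now = () => Date.now() }) {
  const counters = new Map(); // ip -> { windowStart, count }

  // Returns true if the request may proceed, false if it should get HTTP 429.
  function allow(ip) {
    const t = now();
    let entry = counters.get(ip);
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { windowStart: t, count: 0 }; // open a new window for this address
      counters.set(ip, entry);
    }
    entry.count += 1;
    return entry.count <= limit;
  }

  // Drop expired windows so the map does not grow with every address ever seen.
  function sweep() {
    const t = now();
    for (const [ip, entry] of counters) {
      if (t - entry.windowStart >= windowMs) counters.delete(ip);
    }
    return counters.size;
  }

  return { allow, sweep };
}

// Replay a burst of login attempts from one address, one second apart, against a
// 5-per-minute limit; returns the allow/deny decision for each attempt.
function simulateBurst(attempts) {
  let clock = 0;
  const limiter = createRateLimiter({ limit: 5, windowMs: 60000, now: () => clock });
  const decisions = [];
  for (let i = 0; i < attempts; i++) {
    decisions.push(limiter.allow("203.0.113.7")); // constructed, documentation-range IP
    clock += 1000;
  }
  return decisions;
}

console.log(simulateBurst(8)); // first 5 allowed, remaining 3 rejected
```

In a real deployment the counters live in shared storage (for example Redis) so that every API instance sees the same totals; the logic is the same.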

06 Secure configuration

The server refuses to start in production with a missing, weak, or default signing secret — a misconfiguration can't silently put the platform at risk. Access and refresh tokens use separate secrets.
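A startup guard of the kind described above, added here as an example and not CoachFlow's implementation: it checks both signing secrets for being missing, a known placeholder, too short, or too uniform, requires the access and refresh secrets to differ, and throws before the server listens when NODE_ENV is production. The environment variable names, the 32-byte minimum and the placeholder list are assumptions.

```javascript
// Added example (not CoachFlow's code): refuse to start in production with a missing,
// weak or default token signing secret. Variable names and thresholds are assumed.
const MIN_SECRET_BYTES = 32;
const KNOWN_PLACEHOLDERS = new Set(["secret", "changeme", "dev-secret", "password", "test"]);
const SECRET_NAMES = ["ACCESS_TOKEN_SECRET", "REFRESH_TOKEN_SECRET"];

// Returns a problem description for one secret, or null if it looks acceptable.
function validateSecret(name, value) {
  if (!value) return `${name} is not set`;
  if (KNOWN_PLACEHOLDERS.has(value.toLowerCase())) return `${name} is a default placeholder`;
  if (Buffer.byteLength(value, "utf8") < MIN_SECRET_BYTES) return `${name} is shorter than ${MIN_SECRET_BYTES} bytes`;
  if (new Set(value).size < 8) return `${name} has too little character variety`; // e.g. "aaaa..."
  return null;
}

// Collects every configuration problem instead of stopping at the first one,
// so an operator sees the full list in a single failed start.
function checkConfig(env) {
  const problems = [];
  for (const name of SECRET_NAMES) {
    const problem = validateSecret(name, env[name]);
    if (problem) problems.push(problem);
  }
  if (env.ACCESS_TOKEN_SECRET && env.ACCESS_TOKEN_SECRET === env.REFRESH_TOKEN_SECRET) {
    problems.push("ACCESS_TOKEN_SECRET and REFRESH_TOKEN_SECRET must be different");
  }
  return problems;
}

// Call before app.listen(): in production any problem aborts startup.
function assertProductionConfig(env) {
  if (env.NODE_ENV !== "production") return [];
  const problems = checkConfig(env);
  if (problems.length > 0) {
    throw new Error("refusing to start: " + problems.join("; "));
  }
  return problems;
}

// Constructed sample environments for the demo (not real secrets).
const weakEnv = { NODE_ENV: "production", ACCESS_TOKEN_SECRET: "changeme", REFRESH_TOKEN_SECRET: "x".repeat(40) };
console.log(checkConfig(weakEnv)); // two problems: placeholder, too little variety
```

Keeping the two secrets separate means a leaked access-token secret cannot be used to mint long-lived refresh tokens, which is why the guard treats identical values as a misconfiguration.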

07 Responsible disclosure

Found a vulnerability? Please report it privately to official.kareem.ahmed@gmail.com before disclosing it publicly. We'll acknowledge your report and work with you on a fix. We're grateful to researchers who help keep coaches and athletes safe.

© 2026 CoachFlow · Elite Athletics. All rights reserved.