Boxing Vision takes the security of your data seriously. This page describes the measures we have in place to protect your account and your fighters' information.
Infrastructure
- Hosting: Render, EU region
- Database: PostgreSQL with daily automated backups
- Video storage: Amazon S3 (eu-north-1, Stockholm), encrypted at rest
- Analytics: PostHog, EU-hosted instance
Encryption
- In transit: all connections secured via TLS 1.2+ (HTTPS enforced)
- At rest: S3 server-side encryption for stored videos
- HSTS: HTTP Strict Transport Security enabled with preload
Authentication
- Password hashing: Django PBKDF2 with SHA256 (industry standard)
- Two-factor authentication: TOTP-based 2FA available for all accounts
- Brute-force protection: automatic account lockout after 5 failed attempts (1-hour cooldown)
- Session management: secure, HTTP-only cookies with CSRF protection
Access control
- Coaches can only access their own fighters and session data
- Fighters can only view their own training records
- Admin access is restricted and secured with 2FA
- All user actions are logged for audit purposes
Application security
- CSRF protection: enabled on all forms
- XSS prevention: X-Content-Type-Options set to nosniff, browser XSS filter enabled
- Clickjacking protection: X-Frame-Options set to DENY
- Secure cookies: session and CSRF cookies are HTTPS-only in production
Data handling
- No credit card numbers or bank details are stored on our servers
- We do not share data with advertisers
- Video files are accessible only to the uploading coach and their assigned fighters
- Account deletion removes all associated data within 30 days
Incident response
In the event of a security incident affecting your data, we will:
- Notify affected users within 72 hours as required by GDPR
- Report to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) where required
- Take immediate steps to contain and remediate the issue
Responsible disclosure
If you discover a security vulnerability, please report it to:
We appreciate responsible disclosure and will acknowledge your report within 48 hours.