Security Policy
GymPoint — Gym Management Platform
Operated by: GymPoint LLC
Website: https://gympoint.ai
Effective Date: March 27, 2026
Last Updated: March 27, 2026
Contact: security@gympoint.ai
1. Our Commitment to Security
At GymPoint LLC, security is foundational — not an afterthought. GymPoint protects the data of gym operators, their staff, and their members using industry-standard cryptographic practices, layered infrastructure controls, and continuous monitoring.
GymPoint is built on a Python/FastAPI backend deployed on Fly.io with a Next.js frontend on Vercel, backed by PostgreSQL with encrypted storage and automated backup systems. Every layer of the stack is hardened with industry-standard controls.
2. Authentication & Credential Security
2.1 Password Hashing
User passwords are never stored in plaintext. GymPoint hashes every password with bcrypt at a cost factor of 12 (2^12 rounds of the key setup) before storage. Bcrypt is a deliberately slow, salted, adaptive hashing algorithm designed to resist brute-force and rainbow-table attacks. Even if the database is compromised, the stored hashes cannot be reversed to recover passwords; an attacker can only guess each password individually, and the work factor makes every guess expensive.
2.2 Token Security
Password reset tokens and two-factor authentication backup codes are generated from a cryptographically secure random source and stored as SHA-256 hashes rather than in plaintext. SHA-256 is a hash function, not a random generator: the unpredictability of a token comes from the random input, and hashing ensures that a copy of the database does not yield usable tokens. All tokens are single-use and expire within a defined time window.
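The following is an added example, not GymPoint's code, showing the token handling described above in Python (the language of GymPoint's backend): reset tokens and backup codes are drawn from the OS CSPRNG, only their SHA-256 digests are persisted, and each one is accepted exactly once within its lifetime. The 15-minute lifetime, the in-memory store, and the code format are assumptions made for illustration; a real deployment would keep the rows in PostgreSQL.

```python
from __future__ import annotations

import hashlib
import secrets
import time

# Assumed lifetime for a reset token; the policy text does not state one.
RESET_TOKEN_TTL_SECONDS = 15 * 60


def token_digest(token: str) -> str:
    """SHA-256 of the token exactly as delivered to the user.

    Only this digest is stored, so reading the database does not yield a
    usable token. The unpredictability comes from the random input below,
    not from the hash itself.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Single-use, time-limited password reset tokens keyed by digest.

    Constructed in-memory store for the example; rows map digest -> metadata.
    """

    def __init__(self) -> None:
        self._rows: dict[str, dict] = {}

    def issue(self, user_id: int, now: float | None = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[token_digest(token)] = {
            "user_id": user_id,
            "expires_at": now + RESET_TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token  # delivered to the user once; never logged or stored

    def redeem(self, token: str, now: float | None = None) -> int | None:
        """Return the user id if the token is valid and mark it used; else None.

        Unknown, already-used and expired tokens are all rejected the same way
        so the caller learns nothing about which case applied.
        """
        now = time.time() if now is None else now
        row = self._rows.get(token_digest(token))
        if row is None or row["used"] or now > row["expires_at"]:
            return None
        row["used"] = True
        return row["user_id"]


class BackupCodes:
    """2FA backup codes: a small set of random codes, each usable once."""

    def __init__(self) -> None:
        self._digests: set[str] = set()

    def issue(self, count: int = 10) -> list[str]:
        """Generate a fresh set, replacing any previous codes. Only digests are kept."""
        codes = [secrets.token_hex(5) for _ in range(count)]  # 10 hex chars each
        self._digests = {token_digest(c) for c in codes}
        return codes  # shown to the user once at enrollment

    def consume(self, code: str) -> bool:
        """Accept a code once; normalise case and whitespace before hashing."""
        digest = token_digest(code.strip().lower())
        if digest in self._digests:
            self._digests.remove(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self._digests)
```

Two details matter more than they look: the store is keyed by digest, so nothing secret is ever written to disk, and `redeem` collapses every failure into the same `None` so that an attacker probing the endpoint cannot distinguish an expired token from one that never existed.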
2.3 Webhook Verification
Incoming payment webhook events are verified using HMAC-SHA256 signatures. Every payload is authenticated against a shared secret before processing. This ensures only legitimate events from verified payment processors are acted upon, and forged or tampered webhooks are rejected.
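The following is an added example, not GymPoint's code or any payment processor's SDK, showing what the HMAC-SHA256 webhook verification described here (and referred to again in section 5) looks like in Python. The header name, its `t=<unix seconds>,v1=<hex hmac>` format, the secret, and the replay tolerance are assumptions; real processors each define their own header layout, but the shape of the check is the same: MAC the raw body together with a timestamp, compare in constant time, and reject stale or repeated events.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import time

# Constructed secret for the example. In a deployment the value comes from the
# processor's dashboard and is loaded from an environment variable or secret store.
WEBHOOK_SECRET = b"whsec_constructed_example_secret"
SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed header name
TIMESTAMP_TOLERANCE_SECONDS = 300          # assumed replay window


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>".

    Binding the timestamp into the MAC means an attacker cannot take a
    genuinely signed event and resend it later.
    """
    signed = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, headers: dict[str, str], body: bytes, now: float) -> bool:
    """Check the signature header against the raw request body.

    The body must be the exact bytes received; re-serialising parsed JSON
    would change whitespace or key order and break the MAC.
    """
    header = headers.get(SIGNATURE_HEADER, "")
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > TIMESTAMP_TOLERANCE_SECONDS:
        return False
    expected = sign_payload(secret, timestamp, body)
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(expected, provided)


class WebhookHandler:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        # Idempotency record; a database table in production. Processors
        # retry deliveries, so a valid event may legitimately arrive twice.
        self._seen_event_ids: set[str] = set()

    def handle(self, headers: dict[str, str], body: bytes, now: float | None = None) -> dict:
        now = time.time() if now is None else now
        if not verify_signature(self._secret, headers, body, now):
            return {"status": 400, "reason": "invalid signature"}
        event = json.loads(body)  # parse only after authentication
        event_id = event.get("id")
        if not isinstance(event_id, str):
            return {"status": 400, "reason": "missing event id"}
        if event_id in self._seen_event_ids:
            return {"status": 200, "reason": "duplicate ignored"}
        self._seen_event_ids.add(event_id)
        return {"status": 200, "processed": event["type"]}


def make_signed_request(secret: bytes, event: dict, timestamp: int) -> tuple[dict[str, str], bytes]:
    """Build headers and body the way a processor would, for testing the receiver."""
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    signature = sign_payload(secret, timestamp, body)
    return {SIGNATURE_HEADER: f"t={timestamp},v1={signature}"}, body


if __name__ == "__main__":
    handler = WebhookHandler(WEBHOOK_SECRET)
    # Constructed sample event, not a real processor payload.
    event = {"id": "evt_1", "type": "invoice.paid", "amount": 4900}
    headers, body = make_signed_request(WEBHOOK_SECRET, event, 1_700_000_000)
    print(handler.handle(headers, body, now=1_700_000_010))                 # accepted
    print(handler.handle(headers, body.replace(b"4900", b"1"), now=1_700_000_010))  # tampered
```

Note the ordering in `handle`: the body is parsed only after the MAC has been checked, so a malformed or oversized payload from an unauthenticated sender never reaches the JSON parser.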
2.4 Two-Factor Authentication
GymPoint supports time-based one-time passwords (TOTP) for 2FA. TOTP secrets are encrypted at rest using Fernet encryption.
3. Data Transmission Security
3.1 TLS / HTTPS Enforcement
All data transmitted between the user's browser and GymPoint's servers is encrypted in transit using TLS (Transport Layer Security). GymPoint enforces HTTPS across all applications with unencrypted HTTP connections rejected. HTTP Strict Transport Security (HSTS) headers are set with a one-year max-age. All session cookies are set with the Secure flag to prevent transmission over unencrypted connections.
3.2 Secure Cookie Configuration
Session and authentication cookies are configured with the Secure, HttpOnly, and SameSite attributes. Secure prevents the cookie from being sent over plaintext HTTP, HttpOnly keeps it out of reach of page scripts so that a cross-site scripting (XSS) flaw cannot read the session, and SameSite stops the browser from attaching it to cross-site requests, which mitigates cross-site request forgery (CSRF).
4. Data Encryption at Rest
Sensitive data stored within GymPoint's database is encrypted at rest using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256 integrity verification). This applies to payment credentials, authorization tokens, OAuth tokens, and TOTP secrets.
Encryption keys are managed separately from the encrypted data and are never stored alongside it.
5. Payment Security
GymPoint facilitates member billing through PCI DSS-compliant third-party payment processors. GymPoint never stores, processes, or transmits raw cardholder data including full card numbers, CVV codes, or magnetic stripe data.
All payment instruments are replaced with processor-issued tokens at the point of entry. Tokens are meaningless outside the context of the issuing payment processor. Payment webhook events are authenticated via HMAC-SHA256 verification. Because cardholder data never touches GymPoint's infrastructure, GymPoint's systems sit outside the PCI DSS cardholder data environment by design, which keeps its compliance scope to a minimum.
6. Access Controls
6.1 Role-Based Access Control (RBAC)
Access to GymPoint features and data is governed by RBAC. Users are assigned roles (Owner, Manager, Staff) that determine which data and functions they can access. Role changes require explicit authorization; a user cannot elevate their own privileges.
6.2 Least Privilege Principle
Internal systems, API services, and database connections operate under least privilege. Each component is granted only the permissions necessary to perform its function.
6.3 Administrative Access
Access to production infrastructure is restricted to authorized GymPoint engineers and is protected by strong credentials and multi-factor authentication.
7. Backup & Data Resilience
GymPoint performs automated daily database backups using pg_dump. Backups are compressed using gzip and stored in encrypted cloud object storage (S3/R2) with a 30-day retention window. Backups are stored in a geographically separated location from primary infrastructure to support disaster recovery scenarios. Restoration procedures are tested periodically to ensure backup integrity.
8. Monitoring, Logging & Incident Detection
8.1 Error Tracking
GymPoint uses Sentry for real-time error tracking and alerting across all application services. Anomalous error rates and unexpected exceptions trigger immediate investigation.
8.2 Structured Logging
All application activity is recorded through structured logging with correlation IDs. Correlation IDs enable end-to-end tracing of requests across services. Logs are retained for security analysis and audit purposes.
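The following is an added example, not GymPoint's code, showing one way to implement the correlation-ID logging described above in Python: the ID lives in a `contextvars.ContextVar` so every log line emitted during a request, including from nested calls that never see the request object, carries the same value. The header name, the ID format check, and the in-memory handler used to capture output are assumptions; in a FastAPI service the `handle_request` logic would sit in middleware.

```python
from __future__ import annotations

import contextvars
import json
import logging
import re
import uuid

CORRELATION_HEADER = "X-Correlation-ID"  # assumed header name
# A client-supplied ID is only accepted if it is plain and short; anything
# else is replaced so an attacker cannot inject newlines or JSON into logs.
_VALID_ID = re.compile(r"^[A-Za-z0-9-]{8,64}$")

correlation_id: contextvars.ContextVar[str] = contextvars.ContextVar(
    "correlation_id", default="-"
)


class CorrelationFilter(logging.Filter):
    """Stamp every record with the correlation ID of the current request."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.correlation_id = correlation_id.get()
        return True


class JsonFormatter(logging.Formatter):
    """One JSON object per line, so fields can be queried without regexes."""

    EXTRA_FIELDS = ("path", "user_id", "event")

    def format(self, record: logging.LogRecord) -> str:
        payload = {
            "level": record.levelname,
            "logger": record.name,
            "msg": record.getMessage(),
            "correlation_id": getattr(record, "correlation_id", "-"),
        }
        for key in self.EXTRA_FIELDS:
            if hasattr(record, key):
                payload[key] = getattr(record, key)
        return json.dumps(payload)


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the output can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))

    def records(self) -> list[dict]:
        return [json.loads(line) for line in self.lines]


def build_logger(name: str = "gympoint") -> tuple[logging.Logger, ListHandler]:
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(JsonFormatter())
    handler.addFilter(CorrelationFilter())
    logger.addHandler(handler)
    return logger, handler


def charge_member(logger: logging.Logger, user_id: int) -> None:
    # A nested call needs no ID parameter: the context variable carries it.
    logger.info("charge created", extra={"user_id": user_id, "event": "billing.charge"})


def handle_request(logger: logging.Logger, headers: dict[str, str], path: str, user_id: int) -> str:
    """Simulated request: bind an ID for its duration and return the ID used."""
    supplied = headers.get(CORRELATION_HEADER, "")
    cid = supplied if _VALID_ID.match(supplied) else uuid.uuid4().hex
    token = correlation_id.set(cid)
    try:
        logger.info("request received", extra={"path": path, "user_id": user_id})
        charge_member(logger, user_id)
        logger.info("request completed", extra={"path": path})
    finally:
        correlation_id.reset(token)  # never leak one request's ID into the next
    return cid


if __name__ == "__main__":
    log, captured = build_logger()
    # Constructed request headers, not captured traffic.
    handle_request(log, {CORRELATION_HEADER: "req-0123456789"}, "/members/1/charge", 1)
    for line in captured.lines:
        print(line)
```

Resetting the context variable in `finally` is the part that is easy to forget: without it, an exception mid-request would leave the old ID bound, and the next request handled on that context would be logged under a stranger's correlation ID.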
8.3 Audit Logging
GymPoint maintains comprehensive audit logs of security-relevant events including user authentication events, role and permission changes, member data access and modifications, and billing and payment events.
8.4 Health Monitoring
Infrastructure health check endpoints monitor uptime across all GymPoint services. Automated alerts notify the team of service degradation and unexpected behavior.
9. Third-Party & Vendor Security
GymPoint integrates with trusted third-party vendors for payment processing, infrastructure, error monitoring, and communications. Vendors are evaluated for security posture before onboarding. Vendors who handle GymPoint or customer data must maintain industry-standard security practices. Third-party integrations are granted only the minimum access necessary to perform their function. A list of key sub-processors is available upon request at security@gympoint.ai.
10. Data Retention & Deletion
GymPoint retains customer and member data only as long as necessary to provide the Service and meet legal obligations:
- Active accounts: data retained for the duration of the subscription
- Cancelled accounts: data retained for 90 days following cancellation, then permanently deleted
- Backup retention: automated database backups retained for 30 days with automatic cleanup
- Audit logs: retained for a minimum of 12 months for security and compliance purposes
Customers may request early deletion by contacting security@gympoint.ai. Deletion requests are processed within 30 days, subject to legal retention requirements.
11. Vulnerability Disclosure
GymPoint encourages responsible disclosure of security vulnerabilities. If you discover a security issue:
- Do not exploit the vulnerability beyond what is necessary to confirm its existence
- Do not publicly disclose the vulnerability before GymPoint has had a reasonable opportunity to investigate and remediate
- Report to security@gympoint.ai with a clear description, steps to reproduce, potential impact, and contact information
GymPoint commits to acknowledging receipt within 3 business days, providing an initial assessment within 10 business days, keeping the reporter informed, and not pursuing legal action against good-faith security researchers who follow this policy.
12. Incident Response & Breach Notification
12.1 Detection & Containment
Security incidents are identified through monitoring alerts, audit log review, and vulnerability reports. Upon detection, affected systems are isolated and assessed to contain the impact.
12.2 Investigation & Remediation
GymPoint investigates root cause, scope, and impact, patches or reconfigures affected systems, and implements additional controls to prevent recurrence.
12.3 Notification
For a confirmed data breach affecting customer or member data, affected customers are notified within 72 hours of confirmation or as required by applicable law (whichever is sooner). Notifications include the nature of the incident, data affected, steps taken, and recommended actions. GymPoint cooperates with applicable regulatory authorities as required by law.
13. Security Updates
Security practices evolve as threats and technologies change. GymPoint reviews and updates this policy at least annually and following any material security incident. Customers will be notified of material changes via email or in-platform notice.
14. Contact
To report a security vulnerability or ask questions about GymPoint's security practices:
GymPoint LLC
Security Team
Email: security@gympoint.ai
Website: https://gympoint.ai
This Security Policy was last updated on March 27, 2026.