Security at ClubSentinel

ClubSentinel is trusted with information that matters — machinery maintenance records, course chemical registers, training logs, and member and staff data. We take that responsibility seriously, and this page sets out exactly how we protect your data.

Your data, your control

ClubSentinel uses a multi-tenant architecture, meaning many clubs use the same software platform — but your club's data is completely isolated from every other club's data, enforced at the database level.

We use a security feature called Row-Level Security (RLS) on every single table in our database. RLS works like an invisible filter that ensures users in your club can only ever see your club's records. Even if there were a bug in our code, the database itself would refuse to return another club's data.

Every table in our database has RLS enabled. We audit this regularly — our most recent internal audit confirmed 100% coverage across all 27 tables.
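As an added illustration (not ClubSentinel's own schema or code), this is how per-club isolation of the kind described above is expressed in PostgreSQL, the database Supabase runs; the `club_members` and `chemical_register` tables and the `club_id` column are assumed names, and `auth.uid()` is Supabase's helper that returns the signed-in user's id from the request token. The final query is the kind of check an audit of full RLS coverage would run.

```sql
-- Assumed schema for illustration only (not ClubSentinel's): a membership
-- table mapping users to clubs, and a tenant-owned table carrying club_id.
CREATE TABLE club_members (
    user_id uuid NOT NULL,
    club_id uuid NOT NULL,
    PRIMARY KEY (user_id, club_id)
);

CREATE TABLE chemical_register (
    id       bigserial PRIMARY KEY,
    club_id  uuid NOT NULL,
    product  text NOT NULL,
    quantity numeric
);

-- Enable RLS on every tenant table and FORCE it so the table owner is
-- filtered too. A table with RLS enabled but no policy returns nothing
-- (default deny); superusers and BYPASSRLS roles, such as the one behind
-- Supabase's service-role key, are never filtered and must scope queries
-- themselves.
ALTER TABLE club_members      ENABLE ROW LEVEL SECURITY;
ALTER TABLE club_members      FORCE  ROW LEVEL SECURITY;
ALTER TABLE chemical_register ENABLE ROW LEVEL SECURITY;
ALTER TABLE chemical_register FORCE  ROW LEVEL SECURITY;

-- Users may see only their own membership rows.
-- auth.uid() is Supabase's helper returning the user id from the request JWT.
CREATE POLICY club_members_self ON club_members
    FOR SELECT USING (user_id = auth.uid());

-- Tenant table: USING filters reads, updates and deletes to the caller's
-- clubs; WITH CHECK stops inserting or re-pointing a row into another club.
CREATE POLICY chemical_register_tenant ON chemical_register
    FOR ALL
    USING      (club_id IN (SELECT club_id FROM club_members WHERE user_id = auth.uid()))
    WITH CHECK (club_id IN (SELECT club_id FROM club_members WHERE user_id = auth.uid()));

-- Coverage check for an RLS audit: every ordinary table in the application
-- schema where RLS is not both enabled and forced. Full coverage means zero rows.
SELECT c.relname             AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);
```

Run the coverage query as a superuser or owner; a non-empty result lists the tables an isolation audit would flag.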

Where your data lives

Your data is stored and processed using enterprise-grade UK and EU infrastructure:

  • Application hosting: Vercel (London region for UK customers)
  • Database & file storage: Supabase (EU region, hosted on AWS)
  • Email delivery: Resend
  • AI processing: Anthropic (UK / EU regions where available)

All of these are enterprise-grade providers with their own compliance certifications (SOC 2, ISO 27001, GDPR adherence). Their compliance pages are public and we're happy to share them on request.

Your data does not leave the UK / EU during normal operation.

How we protect it

  • Encryption in transit: every connection to ClubSentinel uses TLS 1.3
  • Encryption at rest: all database content and file storage is encrypted by Supabase using AES-256
  • Authentication: sessions are signed and time-limited; password hashing follows industry-standard practice (bcrypt with appropriate cost factor)
  • File access: chemical safety data sheets and uploaded documents are served only via signed, time-limited URLs — never directly accessible by URL guessing
  • Regular security audits: we run internal audits of our security posture, including database access policies, storage isolation, and authentication flows

Who has access

ClubSentinel uses role-based access control. Within your club:

  • Admins can view and manage all records, manage users, and approve documents
  • Operations leads have module-level access without user management
  • Staff / Viewers have limited or read-only access depending on configuration

Outside your club:

  • ClubSentinel staff do not access your data as part of normal operations
  • Access is only granted with your explicit permission — for example, when you ask us to help debug a specific issue
  • All such access is logged

AI and your data

ClubSentinel uses AI to provide features like SDS extraction, the in-app AI Assistant, and document analysis. We're transparent about how this works:

  • AI requests are processed by Anthropic. We use their API under contract; they do not train their models on your data
  • No human at Anthropic reads your data as part of routine processing
  • Document and SDS uploads are sent to Anthropic for processing, then the response is returned to your ClubSentinel database. The original is retained in your club's storage; nothing is shared externally
  • AI conversations in the AI Assistant are processed in real time, not retained for AI training purposes

If you'd like to disable AI features for your club, contact us — we can configure that.

Compliance and certifications

ClubSentinel is built to align with the following:

  • UK GDPR and the Data Protection Act 2018
  • ICO registration: ZC138385
  • Cyber Essentials: working toward certification in 2026

We do not currently hold ISO 27001 or SOC 2 certification — we are a small, focused team and these certifications are on our roadmap as we grow. Our infrastructure providers (Vercel, Supabase, Anthropic) hold these certifications themselves.

What happens if something goes wrong

If we identify a security incident affecting your club's data, we will:

  1. Notify you within 72 hours of confirming the incident, in line with UK GDPR requirements
  2. Provide a clear summary of what happened, what data was involved, and what actions we've taken
  3. Notify the ICO within 72 hours where required by law
  4. Support you with any onward notifications to members, staff, or regulators if needed

Reporting a security concern

If you believe you've found a security vulnerability in ClubSentinel, please email us directly: hello@sentinelhq.co.uk

We commit to acknowledging your report within one working day, investigating promptly, and keeping you informed throughout. We do not take legal action against good-faith security researchers who follow responsible disclosure.

Questions

For any questions about ClubSentinel's security or how we handle your data, contact us at hello@sentinelhq.co.uk or visit our Privacy Policy.

This page was last updated on 8 May 2026.