Security & Trust
Your members trust you. You trust us. Here's exactly how we protect the data that flows through DojoOS — no hand-waving.
All traffic is served over TLS 1.2+. Data at rest is encrypted by our managed Postgres provider. Webhook payloads from payment providers are signature-verified before they're trusted.
Every row in our database is scoped to a `dojo_id` and protected by Postgres row-level security policies. One gym can never read another gym's members, invoices, waivers, or schedules — enforced at the database layer, not just in app code.
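For readers who want to see what database-layer tenant scoping looks like, here is an added sketch that is not DojoOS's own schema or policy code. Only the `dojo_id` column name comes from this page; the `members` table layout, the `app_user` role and the `app.dojo_id` session setting are assumptions made for the example.

```sql
-- Hypothetical table; only the dojo_id column name comes from the page.
CREATE TABLE members (
    id        int  PRIMARY KEY,
    dojo_id   uuid NOT NULL,
    full_name text NOT NULL
);

-- ENABLE turns policies on; FORCE applies them to the table owner as well.
-- Superusers and roles with BYPASSRLS still skip every policy.
ALTER TABLE members ENABLE ROW LEVEL SECURITY;
ALTER TABLE members FORCE ROW LEVEL SECURITY;

-- app.dojo_id is an assumed setting that the application sets per transaction
-- after authenticating the caller. Unset or empty becomes NULL, the comparison
-- is then never true, and no row is visible or writable (fails closed).
CREATE POLICY tenant_isolation ON members
    USING      (dojo_id = NULLIF(current_setting('app.dojo_id', true), '')::uuid)
    WITH CHECK (dojo_id = NULLIF(current_setting('app.dojo_id', true), '')::uuid);

-- Assumed application role: not the table owner, no BYPASSRLS.
CREATE ROLE app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON members TO app_user;

-- Tenant A session (constructed UUIDs). Run as a superuser or a member of app_user.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.dojo_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO members VALUES (1, '11111111-1111-1111-1111-111111111111', 'Member A');
-- Writing a row for another tenant is rejected by WITH CHECK:
-- INSERT INTO members VALUES (2, '22222222-2222-2222-2222-222222222222', 'Member B');
COMMIT;

-- Tenant B session: same query text, different tenant context.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.dojo_id', '22222222-2222-2222-2222-222222222222', true);
SELECT count(*) FROM members;                     -- tenant A's row is filtered by USING
UPDATE members SET full_name = 'x' WHERE id = 1;  -- matches nothing: row is not visible
COMMIT;

-- No tenant context set: the policy still hides every row.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM members;
COMMIT;
```

A policy like this constrains only roles that are subject to row-level security; any connection made with a superuser or `BYPASSRLS` role skips it, so credentials for such roles need to stay server-side.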
Member payments run on your own Stripe Connect account. Funds settle directly to your bank — DojoOS is never the merchant of record and never custodies cash. We never see or store full card numbers.
Internal staff access to production data is restricted, audited, and used only for support with explicit consent. Passwords are hashed (bcrypt-style) and never logged. Service-role database keys live only on our edge runtime, never in the browser.
Sensitive actions — sign-ins, payment events, waiver signatures, role changes — are recorded with timestamps, user, and IP. Email delivery is logged per-recipient for diagnostics and compliance.
We run on managed cloud infrastructure with automatic backups, redundant Postgres storage, and edge-deployed application code. We aim for graceful degradation when upstream providers (Stripe, email) hiccup.
All card data is collected by Stripe-hosted elements and tokenized — full card numbers never touch DojoOS infrastructure. Stripe is a PCI-DSS Level 1 service provider. By using Stripe Connect Standard, your gym's account inherits Stripe's compliance, and you remain the merchant of record for your members.
We use a small number of vetted vendors to deliver the Service: hosting / database, email delivery, payment processing, authentication. Our full list is published and kept current on our subprocessors page.
Your data is stored on managed Postgres infrastructure in the United States with point-in-time backups. We can restore the database to any moment within the backup window in the event of corruption or accidental deletion.
Found a vulnerability? Please email security@dojoos.io with details and a proof of concept. We'll acknowledge within 2 business days, keep you updated, and credit you in our changelog (if you'd like) once the issue is fixed. Please don't access data that isn't yours, run automated scans against production, or publicly disclose before we've had a chance to patch.