Security
CoachOS handles sensitive health and fitness data. We take security seriously and build protection into every layer of the platform.
Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database connections use SSL certificates, and sensitive fields use application-level encryption.
Authentication
Authentication uses bcrypt-hashed passwords, short-lived JWTs, and OAuth 2.0 sign-in via Google. Sessions are managed with HttpOnly, Secure cookies.
Infrastructure
Hosted on SOC 2 compliant providers (Vercel, Supabase). Database backups are automated daily. All infrastructure runs in isolated environments with strict access controls.
Access Controls
Role-based access ensures clients only see their own data and coaches only see their clients. API endpoints enforce authentication and authorisation at every layer.
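The two rules stated above (clients see only their own data, coaches see only their clients), as an added example of a deny-by-default role check wired into an API handler. This is illustrative code, not CoachOS's own: the user directory, coach-to-client assignments and workout records are constructed sample data, and the handler shape is an assumption rather than the platform's real API.

```javascript
// Added example (not CoachOS's own code): role-based authorisation that
// enforces "clients only see their own data, coaches only see their clients",
// applied in an API handler that checks authentication and authorisation
// before returning any record. All data below is constructed.

// Constructed directory: each user's role and, for clients, their assigned coach.
const users = {
  'coach-1': { role: 'coach' },
  'coach-2': { role: 'coach' },
  'client-a': { role: 'client', coachId: 'coach-1' },
  'client-b': { role: 'client', coachId: 'coach-2' },
};

// Constructed sample records, keyed by the client who owns them.
const workouts = {
  'client-a': [{ id: 'w1', type: 'run', minutes: 30 }],
  'client-b': [{ id: 'w2', type: 'lift', minutes: 45 }],
};

// True only if `requesterId` may read records belonging to `subjectId`.
// Deny by default: any identity or role the rules do not cover gets nothing.
function canViewClientData(requesterId, subjectId) {
  const requester = users[requesterId];
  const subject = users[subjectId];
  if (!requester || !subject) return false;
  if (requester.role === 'client') {
    // A client may read only their own records.
    return requesterId === subjectId;
  }
  if (requester.role === 'coach') {
    // A coach may read only records of clients assigned to them.
    return subject.role === 'client' && subject.coachId === requesterId;
  }
  return false;
}

// API-layer handler: authentication (is there a known requester?) and
// authorisation (may this requester see this client?) both run before data leaves.
function getWorkouts(requesterId, clientId) {
  if (!requesterId || !users[requesterId]) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  if (!canViewClientData(requesterId, clientId)) {
    // 404 rather than 403 so the response does not confirm the client exists.
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: workouts[clientId] || [] };
}
```

The check is keyed on the authenticated identity, never on an id supplied in the request body, and lives in the handler rather than only in the UI, which is what "enforce authorisation at every layer" means in practice.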
Monitoring
Real-time error tracking, performance monitoring, and security event logging. Automated alerts for unusual activity patterns and failed authentication attempts.
Incident Response
Documented incident response procedures with defined severity levels. We notify affected users within 72 hours of a confirmed data breach, as required by UK GDPR.
Compliance
CoachOS is designed to comply with UK GDPR and the Data Protection Act 2018. We process health data as special category data with explicit user consent and apply enhanced safeguards.
If you discover a security vulnerability, please report it responsibly. We appreciate the security research community and will acknowledge valid reports.
security@coachosapp.com