How we hold your operation’s data.
TGP is built on the same compliance scaffolding used by Series-B SaaS companies. Below is what’s shipped, what’s in flight, and where to email us with questions.
What’s shipped vs in flight.
The same matrix our security questionnaire would land on. If a row says shipped, it ships in production today. If it says in flight or roadmap, we say so plainly.
| Capability | Status | What this means |
|---|---|---|
| Encrypted at rest | SHIPPED | All client data encrypted on disk via Postgres + Fly volume encryption. |
| Encrypted in transit | SHIPPED | TLS 1.3 on all production endpoints, HSTS enforced. |
| Audit logging | SHIPPED | Every state-change operation logged with actor, timestamp, IP, prior + new value. |
| Role-based access control | SHIPPED | Three role tiers (Client / Coach / Admin), enforced at every endpoint via guards. |
| Rate limiting | SHIPPED | Per-route Redis-backed throttling, abuse detection. |
| GDPR right-to-delete | SHIPPED | Token-gated deletion flow with 30-day soft-delete + hard purge. |
| Data export | SHIPPED | Self-serve client data export via signed URL. |
| Secrets rotation | SHIPPED | Documented runbook, encrypted secrets store. |
| Distributed tracing | SHIPPED | OpenTelemetry-style instrumentation across backend. |
| Biometric lock (mobile) | SHIPPED | Face ID / Touch ID with PIN fallback and lockout. |
| Offline-first sync | SHIPPED | Encrypted local store, conflict-resolution policy on sync. |
| SOC 2 Type I | IN FLIGHT | Policy framework drafted, internal audit underway. |
| SOC 2 Type II | ROADMAP | Targeted post-Type I observation period. |
| Single Sign-On (SSO) | ROADMAP | Available with Enterprise tier post-launch. |
| Penetration testing | ROADMAP | Annual third-party engagement post-launch. |
Last reviewed at the start of the current build wave. We do not publish dates on this page until our status page is live (see roadmap).
Where it lives, who can see it, what happens if something breaks.
Where data lives
- Backend: hosted on Fly.io in the sjc region (US West).
- Database: Postgres with managed backups and point-in-time recovery enabled.
- Mobile: encrypted MMKV local store and WatermelonDB SQLite, both encrypted at rest on device.
Who can access
- TGP staff: zero direct database access in production. All admin actions go through audited admin endpoints.
- Customer staff (head coaches, sub-coaches, admins): role-gated access via JWT and role guards. Every action is audit-logged.
Sub-processors
Third-party services that touch any customer data. If we add a vendor in production, it lands here before the deploy.
- StripeBilling and payment processingCustomer name, billing email, card details (held by Stripe, never by TGP).
- Fly.ioApplication hosting and infrastructureEncrypted application volumes; no plaintext access to data at rest.
- PostgresPrimary database with managed backupsAll structured client data, encrypted at rest.
- RedisSession caching and rate-limit countersShort-lived session tokens and per-route request counters.
- CrispIn-app and website support chatMessages a user sends in support, plus user email if signed in.
- PostHogProduct analytics (EU mode)Pseudonymous event data; no client health data; EU-region storage.
- ExerciseDBRead-only exercise reference libraryOutbound only; no customer data is sent to ExerciseDB.
Incident response
- 30-day breach notification commitment for any incident affecting customer data.
- Status page at status.growthprojecthq.com — on the roadmap; not live yet.
Security contact: security@growthprojecthq.com
Customer rights
- Right to delete: self-serve via the mobile app, or email delete@growthprojecthq.com.
- Right to export: self-serve via the mobile app.
- Right to access: contact support@growthprojecthq.com.
- Data Processing Agreement (DPA) available on request for Enterprise customers.
How we work.
- All code shipped through pull requests with required CI checks.
- Database migrations reviewed before deploy.
- Production access logged.
- Secrets stored in encrypted environment vaults, never in source control.
- Dependencies updated on a weekly cadence with automated security scanning.
- Backups verified by quarterly restore drills.
- Vulnerability disclosure: security@growthprojecthq.com — we will respond within 5 business days.
We treat your data like it’s our own coaching business’s data — because it is. The Growth Project, the founder’s coaching business, runs on the same TGP platform that customers use. Every security decision is also a decision we live with.
Have a security question? Email security@growthprojecthq.com.