Legal

Official platform policies and legal information for Turbo Trophy. Provided for transparency and convenience; it does not replace independent legal advice.

Security & Data Handling

Security controls, Stripe separation, retention principles, logging/monitoring, and incident handling.

Last updated: 14 December 2025Contact: info@turbotrophy.com

This document summarizes Turbo Trophy’s security posture and how we handle data operationally. It is provided for transparency and to set expectations for users.

1. Security Principles

  • Least privilege: access is role-based; sensitive admin operations are restricted and auditable.
  • Defense in depth: layered controls including server-side validation, database row-level security, rate limiting, and integrity checks.
  • Segregation of duties: payment data is handled by payment processors (e.g., Stripe); application data is stored and processed via our platform infrastructure (e.g., Supabase).
  • Encryption: TLS for data in transit; provider-level encryption at rest.

2. Platform Controls (Database, Auth, and Access)


We use controls such as:
  • row-level security to restrict data access;

  • server-only service-role operations for administrative writes;

  • scoped views and RPCs to minimize exposure of sensitive fields; and

  • audit logging for sensitive administrative actions (e.g., challenge configuration, moderation, prize fulfillment status).

3. Secure Development and Change Management


We aim to:
  • review and test changes before release;

  • restrict production access to authorized personnel;

  • monitor error logs and alerts; and

  • prioritize patching of security-relevant issues.

4. Payment Security (Stripe)


  • Turbo Trophy does not store full payment card numbers (PAN) or CVV.

  • Stripe is used as a PCI-DSS compliant payment processor.

  • We store only transaction metadata required for reconciliation, fraud prevention, and user support (e.g., payment status, IDs, amounts).

  • Webhook processing includes verification to prevent untrusted events from applying side effects.

5. Logging, Monitoring, and Abuse Prevention


To protect the Service, we may log and process:
  • timestamps, user identifiers (where applicable), and technical diagnostics;

  • IP address and user-agent for security analysis and fraud/abuse prevention;

  • integrity and anomaly signals to detect cheating and exploitation attempts.

We apply rate limiting, session revocation, and manual review where appropriate.

6. Data Handling and Retention

Retention follows the principles in the Privacy Policy. In general:
  • gameplay and integrity records may be retained for audits, dispute handling, and leaderboard integrity;
  • security logs are retained for incident response and abuse prevention; and
  • accounting/financial records are retained as required by law.

Backups follow provider defaults and are accessible only to authorized personnel.

7. Incident Response

We maintain an incident response process to:
  • triage, contain, and remediate incidents;
  • investigate root causes and implement improvements; and
  • notify affected users and authorities where required by applicable law.

8. Vulnerability Reporting


We welcome responsible vulnerability disclosures. Please report suspected security issues to info@turbotrophy.com with sufficient detail to reproduce the issue. Do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and remediate.

9. User Responsibilities

Users should:
  • keep credentials secure and not share accounts;
  • use strong, unique passwords or supported OAuth methods;
  • keep devices and browsers updated; and
  • promptly report suspected account compromise or suspicious activity.

10. Third-Party Processors


Depending on enabled features, Turbo Trophy may rely on third-party processors such as:
  • Supabase (hosting, database, auth, storage)

  • Stripe (payments)

  • email/notification and analytics providers (if enabled)

11. Changes


We may update this document as security practices, providers, or legal requirements evolve. Material changes will be communicated through the Service where appropriate.