
Security at LVL Up Performance

How we protect your organization's performance data

Last updated: February 25, 2026

Encryption

All data is encrypted both in transit and at rest to protect against unauthorized access:

  • TLS 1.2+ in transit: All connections between your browser and our servers are encrypted using TLS. HTTP requests are automatically redirected to HTTPS. API calls to third-party services (Supabase, Stripe, Anthropic) also use TLS.
  • AES-256 at rest: Data stored in our Supabase PostgreSQL database is encrypted at rest using AES-256 encryption provided by the underlying cloud infrastructure.
  • Password hashing: User passwords are never stored in plain text. Supabase Auth uses bcrypt with salt for all password hashing.

Authentication

We support multiple authentication methods to balance security and convenience:

  • Email and password: Standard authentication with enforced password strength requirements (minimum 8 characters).
  • Google OAuth 2.0: Single sign-on via Google accounts, eliminating the need for a separate password.
  • Two-factor authentication (2FA): Optional TOTP-based two-factor authentication is available for additional account security.
  • Session management: Authenticated sessions use secure, HTTP-only tokens. Sessions can be reviewed and revoked by the user.
  • Anonymous feedback: Employees submitting feedback via QR code do not need to create an account or authenticate, reducing friction while still ensuring feedback is routed to the correct team.

Row Level Security and Data Isolation

LVL Up Performance is a multi-tenant platform. Every organization's data is logically isolated at the database level:

  • PostgreSQL Row Level Security (RLS): Every table containing tenant data has RLS policies enforced at the database level. Queries are automatically scoped to the authenticated user's organization, preventing cross-tenant data access even in the event of an application-level bug.
  • Tenant context enforcement: Each API request sets a database-level session variable identifying the current organization. RLS policies reference this variable to filter all queries, ensuring data isolation is enforced by the database engine itself rather than application logic alone.
  • Role-based access control (RBAC): Within each organization, access is further restricted by user role (employee, manager, CEO, admin, HR admin). Managers see only their team's data. Employees see only their own feedback and goals.
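The tenant-context pattern above, shown as an added PostgreSQL illustration (this is not LVL Up Performance's own schema or code). The table name `feedback`, the column `org_id`, and the session variable `app.current_org` are assumptions chosen for the example.

```sql
-- Hypothetical tenant table: every row carries the organization that owns it.
CREATE TABLE feedback (
    id        bigserial PRIMARY KEY,
    org_id    uuid NOT NULL,
    author_id uuid,
    body      text NOT NULL
);

-- Enable RLS. FORCE makes the policy apply to the table owner as well, so
-- isolation holds even if the application connects as the owning role.
-- (Superusers and roles with BYPASSRLS still bypass RLS; the API role must
-- be neither.)
ALTER TABLE feedback ENABLE ROW LEVEL SECURITY;
ALTER TABLE feedback FORCE ROW LEVEL SECURITY;

-- One policy for reads (USING) and writes (WITH CHECK): a row is visible or
-- writable only when its org_id matches the tenant recorded in the session
-- variable. current_setting(..., true) returns NULL when the variable was
-- never set, and after a SET LOCAL's transaction ends it returns '' rather
-- than NULL, so NULLIF guards the uuid cast. A NULL tenant matches no rows:
-- an unscoped request sees nothing instead of everything.
CREATE POLICY tenant_isolation ON feedback
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Per API request: pin the tenant with SET LOCAL inside one transaction, so
-- the value dies with the transaction and cannot leak across a pooled
-- connection. (set_config('app.current_org', $1, true) is the form that
-- accepts a bound parameter from application code.)
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, body FROM feedback;   -- returns only this organization's rows
COMMIT;

-- A write for a different org_id inside that context is rejected by the
-- database with "new row violates row-level security policy", regardless
-- of what the application layer did or did not check.
BEGIN;
SET LOCAL app.current_org = '11111111-1111-1111-1111-111111111111';
INSERT INTO feedback (org_id, author_id, body)
VALUES ('22222222-2222-2222-2222-222222222222', NULL, 'cross-tenant write');
ROLLBACK;
```

A practical check for such a setup is to run the SELECT with the variable unset and confirm it returns zero rows, since a policy that errors or returns everything in that state is the usual failure mode.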

Platform Administration Security

Internal platform administration is secured with additional controls:

  • Separate admin authentication: Platform staff access the admin portal through a separate authentication flow with additional verification.
  • Granular admin permissions: Admin roles (support, billing, engineering, etc.) each have specific permission scopes. No single role has unrestricted access to all data and actions.
  • Admin audit logging: All administrative actions (viewing tenant data, modifying subscriptions, accessing support tools) are logged with the admin's identity, timestamp, and action details.

Infrastructure

Our infrastructure is built on enterprise-grade cloud services:

  • Vercel (application hosting): Our Next.js application is deployed on Vercel's edge network, which provides automatic DDoS protection, global CDN distribution, and automatic HTTPS. Vercel's infrastructure runs on AWS and maintains SOC 2 Type II compliance.
  • Supabase (database and auth): Our PostgreSQL database is hosted on Supabase, which provides managed database infrastructure with automatic backups, point-in-time recovery, and encryption at rest. Supabase's infrastructure runs on AWS and maintains SOC 2 Type II compliance.
  • Stripe (payment processing): All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store, process, or transmit credit card numbers on our own servers.
  • Backups: Database backups are performed automatically by Supabase with point-in-time recovery capabilities. Backups are encrypted and stored separately from the primary database.

Incident Response

We maintain processes for detecting and responding to security incidents:

  • Monitoring: We monitor application health, error rates, and authentication anomalies. Automated alerts notify our engineering team of unusual activity.
  • Audit logging: Authentication events, permission changes, sensitive data access, and administrative actions are logged for review and investigation.
  • Response process: In the event of a confirmed security incident, we will investigate and contain the issue, assess the impact, notify affected customers within 72 hours, and provide a post-incident report detailing what happened and what steps were taken.
  • Dependency management: We regularly update application dependencies and monitor for known vulnerabilities in third-party packages.

Compliance

We are committed to meeting regulatory requirements and industry standards:

GDPR

We support GDPR rights including access, rectification, erasure, portability, and the right to object. Data processing agreements are available upon request.

CCPA

California residents can exercise their rights to know, delete, and opt-out. We do not sell personal information.

SOC 2

We rely on the SOC 2 Type II certifications of our infrastructure providers (Vercel, Supabase, Stripe). We are evaluating our own SOC 2 certification timeline.

PCI DSS

Payment card data is handled exclusively by Stripe, a PCI DSS Level 1 certified processor. We do not store or process card numbers.

Security Best Practices for Users

Help us keep your organization's data secure:

  1. Use a strong, unique password (minimum 8 characters with a mix of uppercase, lowercase, numbers, and symbols)
  2. Enable two-factor authentication for your account
  3. Never share your login credentials with others
  4. Log out from shared or public computers after use
  5. Review your organization's user list regularly and remove access for departing employees promptly
  6. Report suspicious activity to support@lvlupperformance.com immediately

Responsible Disclosure

If you discover a security vulnerability in our platform, we encourage responsible disclosure. Please report it to us before disclosing it publicly so we have an opportunity to address it.

Report security issues to:

Email: support@lvlupperformance.com

Please include a description of the vulnerability, steps to reproduce, and the potential impact. We will acknowledge your report within 48 hours and aim to provide an initial assessment within 5 business days. We ask that you allow us reasonable time to investigate and remediate before any public disclosure.

Questions About Security?

If you have questions about our security practices or need to report a concern, we are here to help.
