Security Policy

Last Updated: January 5, 2026

Deuce takes the security of our systems and user data seriously. This Security Policy describes the safeguards we use and how to report security issues.

1) Security Principles

We design Deuce with the following principles:

  • Least privilege access to production systems
  • Secure-by-default configurations where possible
  • Minimize collection of sensitive data
  • Monitor for abuse and respond quickly to incidents

2) Encryption

In transit: Data sent between your device and our services is protected using HTTPS (TLS).

At rest: Data stored in our databases and storage providers may be encrypted at rest depending on provider capabilities and configuration.

Note: Deuce uses third-party infrastructure (see "Third-Party Services" below). Their security controls contribute to overall encryption and storage protections.

3) Authentication & Access Control

  • User authentication is handled through an authentication provider (e.g., Clerk).
  • Access to administrative systems is restricted to authorized personnel and protected by strong authentication.
  • We use least-privilege access for production systems where possible.

4) Application & Infrastructure Security

We use a combination of technical and operational controls, which may include:

  • Environment variable / secret management (no hard-coded secrets in the app)
  • Regular dependency updates and patching
  • Logging for operational reliability and abuse detection
  • Rate limiting and abuse prevention controls where applicable

5) Payments (If Offered)

If Deuce offers paid subscriptions or purchases, payment processing is handled by Apple (In-App Purchases) and/or authorized third-party processors. Deuce does not store full payment card information on our servers. We may receive purchase status information (e.g., subscription active/inactive) to provide access.

6) Data Backups & Recovery

We maintain backups and operational safeguards designed to support availability and recovery in the event of service disruption. Backup handling depends on our infrastructure providers and configuration.

7) Vulnerability Reporting (Responsible Disclosure)

If you believe you've found a security vulnerability, please report it to:

Email: courtsidewithisaac@gmail.com

Subject line: "Security Vulnerability Report"

Please include:

  • A clear description of the issue
  • Steps to reproduce (if possible)
  • Impact assessment (what data or systems are affected)
  • Any screenshots/logs that help us confirm the issue

Please do not publicly disclose the vulnerability until we've had a reasonable opportunity to investigate and address it.

Good-faith security research: We will not pursue legal action against researchers who:

  • Act in good faith
  • Avoid privacy violations, data destruction, and service disruption
  • Do not exploit the issue beyond what is necessary to demonstrate it
  • Give us a reasonable time to remediate before public disclosure

8) Security Incident Response

If we confirm a security incident, we work to:

  • Contain and remediate the issue
  • Assess scope and impact
  • Notify affected users when required by law or when appropriate based on risk
  • Implement prevention steps to reduce recurrence

9) Third-Party Services

Deuce relies on third-party providers for core functionality (for example, authentication, database/storage, messaging, notifications, and location search). These providers maintain their own security programs and controls. Our key vendors may include:

  • Clerk (authentication)
  • Supabase (database/storage)
  • Stream Chat (messaging)
  • Expo Push Notification Service (push delivery)
  • Google Places API (place search/autocomplete)

10) Updates to This Policy

We may update this Security Policy from time to time. Material changes will be posted on this page with an updated "Last Updated" date.