Security & trust

How we protect data and payments

ConsultCraft runs production payments and personal data across SportsCove, enterprise pilots, and the corporate site. We publish practices here; formal certifications follow customer demand.

Status

Controls at a glance

  • TLS / HTTPSLive
  • Payment PCI (processors)Live
  • API rate limitingLive
  • Consent-gated analyticsLive
  • security.txtLive
  • SOC 2 Type IRoadmap
  • Pen test reportRoadmap
  • EU DPAsRoadmap

Payments

  • Stripe and Razorpay process coach payouts — ConsultCraft does not store card numbers.
  • Marketplace fees applied at booking completion with regional take rates documented.
  • Webhook verification and idempotent payment handlers in production.

Data handling

  • Privacy policies per product line — corporate, SportsCove, MechCove, FlowAI.
  • Firebase Analytics for product usage; consent-gated site analytics on consultcraftinc.com.
  • Investor portal and admin routes are password-gated and noindex.

Infrastructure

  • Hosted on Vercel with TLS everywhere; canonical domain redirect from preview URLs.
  • API rate limiting on auth, analytics, media, and investor registry endpoints.
  • Environment secrets managed via platform env vars — never committed to git.

Access control

  • Separate investor and admin auth tokens with idle timeout in portal.
  • Content protection on gated materials; coach media uploads via authenticated API.
  • Robots.txt blocks portal, admin, developers, and API paths from indexing.

Reporting issues

  • security.txt at /.well-known/security.txt
  • Report vulnerabilities to info@consultcraftinc.com
  • SportsCove user support: sc-support@consultcraftinc.com

Roadmap

What comes next

Now

  • Public trust center + security.txt
  • TLS everywhere · API rate limits · env-only secrets
  • Password-gated investor portal with idle timeout
  • Stripe / Razorpay PCI scope stays with processors

Post-Seed (0–6 months)

  • SOC 2 Type I scoping with readiness questionnaire
  • Vendor DPA pack for enterprise FlowAI buyers
  • Quarterly access review for portal and admin roles

Pre-Series A

  • Independent penetration test with remediation report under NDA
  • SOC 2 Type I observation period complete
  • EU data processing agreements for expansion markets