SECURITY & COMPLIANCE

Trust, by design.

The recruiting industry has spent two decades treating safety, compliance, and identity verification as bolt-on features. We built ScoutStreak the other way around — every workflow is gated by the protections below. Compliance officers, athletic directors, and parents can read this page top to bottom and ask follow-ups in writing.

  • AI Screening: 100% of posts, comments, and DMs scanned before being posted.
  • NCAA Compliance: real-time. Contact windows enforced at send — not flagged after.
  • Minor Protection: COPPA. Under-13 accounts run on a separate consent-gated stack.
  • Recruiter Identity: verified. Institutional-email + 6-digit code required to message minors.
  • Encryption: AES-256 at rest. TLS 1.3 in transit. No exceptions.

AI CONTENT SCREENING (Ready for launch)

A five-tier enforcement system, not a single moderator queue.

Every post, comment, and DM is screened by an AI safety layer before it is posted — not after a report. The model is tuned to high-school athletics, recognizes coaching language, and treats explicit harassment differently from competitive trash talk. Five enforcement tiers handle the range:

  • Tier 1 — Coaching moment: a private nudge to the author, no public action
  • Tier 2 — Edit requested: the post is held until reworded
  • Tier 3 — Temporary mute: a 24-to-72-hour writing pause; the user retains read access
  • Tier 4 — Account restriction: 7-30 days; parent and athlete notified, severity logged
  • Tier 5 — Permanent ban: identity tied to verification chain so the account cannot return

IDENTITY VERIFICATION (Ready for launch)

Every recruiter is verified. Every athlete is endorsed.

College recruiters sign up with an institutional email and confirm a 6-digit code before they can send a single message. Once verified, the ScoutStreak Verified bolt appears next to their name — search results, message threads, camp invitations, profile views. Re-verification runs annually as staff move between programs.

  • Recruiters: institutional-email + 6-digit code + annual re-verification
  • Athletes: high school coach endorses the roster spot + class year before the profile is published
  • Consultants: third-party background check is required to work with minors
  • Parents: parent identity tied to the athlete via a linked-account flow with explicit athlete approval

MINOR PROTECTION (Ready for launch)

COPPA-compliant by architecture, not paperwork.

Under-13 accounts run on a separate stack with verifiable parent consent required before any data collection. Even on the standard stack, every new contact attempt against a minor requires explicit parent approval before the athlete can respond. Unverified accounts cannot DM minors under any condition.

  • Under-13: verifiable parent consent before account creation, limited data collection
  • 13-17: parent linked-account required, every new contact gated through parent approval
  • Verified college recruiters can be allow-listed by parents on a per-program basis
  • DMs from the athlete's own high school coach can be auto-approved at the parent's discretion
  • No targeted ads, no behavioral profiles sold to third parties, no minor data ever leaves the platform for marketing

NCAA COMPLIANCE (Ready for launch)

We refuse to send a non-compliant message.

Most platforms document violations after the fact. ScoutStreak enforces NCAA contact windows, division rules, and recruiting periods at the moment of outreach. If a recruiter tries to DM a sophomore during a quiet period, the platform stops them — not a compliance review six weeks later.

  • Contact windows, division rules, and recruiting periods enforced at send-time
  • Per-prospect contact counters tracked automatically against the recruiter's contact cap
  • Every action exported to a single audit-trail PDF for the compliance officer
  • Per-division rule configs maintained continuously as the NCAA updates them
  • Recruiter accounts re-verified each year to confirm institutional employment

FERPA CONSIDERATIONS (By design)

No grades. No transcripts. No FERPA records.

ScoutStreak does not store, transmit, or display FERPA-protected educational records. We collect what an athlete chooses to publish on their public recruiting profile — GPA range, test scores if shared, and academic accomplishments the athlete or parent inputs. We do not pull from school information systems. If a coach wants to attach a transcript, the document is held only as an inert PDF on the athlete's account; ScoutStreak never reads or indexes the content.

DATA HANDLING (Ready for launch)

Stored, scoped, and never sold.

What we store, what we do not store, and how long we keep it — spelled out in the privacy policy and recapped here. We make money on coach, recruiter, and consultant subscriptions; the families are not the product.

  • Stored: profile content, recaps, endorsements, messages, behavioral graph signals (views, saves, contacts)
  • Not stored: payment card numbers (Stripe holds those), school information system records, transcript contents (attached PDFs are never read or indexed)
  • Retention: active account data retained while the account is active; 12 months post-graduation if uncommitted; permanent showcase card once committed
  • Export: every athlete can download their data from Settings → Privacy → Export at any time
  • Delete: account deletion erases personal data within 30 days; aggregated anonymous signals (sport-level percentile distributions) may persist

ENCRYPTION (Ready for launch)

AES-256 at rest. TLS 1.3 in transit.

All data at rest is encrypted with AES-256 in the managed Postgres layer. All data in transit uses TLS 1.3 between client, edge, and origin. Secrets are managed in encrypted environment variables on the deploy platforms with rotation logged. Database credentials are rotated quarterly; long-lived API tokens are not used.

AUDIT LOGS (Ready for launch)

Every action is logged.

Audit logs cover endorsement workflows, recruiter outreach, contact-window enforcement decisions, parent approval events, account-status transitions, and content-moderation tier actions. Logs are tamper-evident, append-only, and exportable to PDF for compliance officers or athletic directors on demand. Retention is 7 years for compliance-sensitive events and 13 months for everything else.

INFRASTRUCTURE (Ready for launch)

US-region. Reputable vendors only.

The marketing site runs on Cloudflare Workers (edge). The console runs on Vercel (US-East). The database runs on Neon Postgres (US-East). Cron and background jobs run on the console deployment with per-job isolation. No third-party SDKs ship in the production client bundle except Clerk (auth) and Stripe (payments), both with documented enterprise SLAs.

SECURITY ROADMAP (Planned)

SOC 2 Type II on the way.

SOC 2 Type II audit kicks off Q3 2026 in parallel with the public mobile launch. ISO 27001 follow-on planned for 2027. Annual third-party penetration testing begins at general availability. EU data residency is on the long-tail roadmap and will be evaluated when European user demand justifies the regional infrastructure.

  • SOC 2 Type II audit: kickoff Q3 2026
  • Annual third-party penetration testing: starts at GA
  • ISO 27001: planned 2027
  • EU data residency: evaluated post-launch

RESPONSIBLE DISCLOSURE (Open for reports)

Found a vulnerability? We want to hear it.

Email security@scoutstreak.com with a description and reproduction steps. We acknowledge reports within two business days and aim to triage within five. Responsible-disclosure submissions receive credit on the public security acknowledgments page (with your permission). A formal bug bounty launches alongside SOC 2; until then, every confirmed report is welcome and answered personally.

STILL HAVE QUESTIONS

Compliance officers: let's talk.

If you are an athletic director, compliance officer, parent advocate, or institutional reviewer with a question this page did not answer, email us. We respond within two business days and are happy to schedule a call to walk through any control in detail.

Last updated · May 2026