Security overview
Effective: 17 May 2026
Last updated: 17 May 2026
In short: We protect your data with TLS everywhere, field-level encryption for medical data, application-layer tenant isolation, multi-factor sign-in, per-request audit logging, and a documented incident response process. We never see card numbers.
Security is foundational to running a club platform that holds medical notes, payment records, and operational data about minors. This page is a plain-English summary of the technical and organisational measures we use to protect that data. The same measures are committed contractually in our Data Processing Addendum.
1. Data in transit
- All connections use TLS 1.2 or higher.
- HSTS is enforced on cavaliq.com.
- Strict Content Security Policy with per-request nonces on every HTML response, plus strict-dynamic on modern browsers.
- Same-origin, allow-list-only CORS policy for cross-site API calls.
- Webhooks are signature-verified.
2. Data at rest
- The production database is encrypted at rest by Neon.
- Sensitive medical fields (rider medical notes; horse veterinary diagnosis and treatment) are additionally encrypted at the application layer before they reach the database, so a read on the storage layer alone returns ciphertext.
- Backups are encrypted with the same standard.
3. Authentication and access
- Sign-in is handled by Clerk, our identity provider. Clerk supports multi-factor authentication, social sign-in, and short-lived session tokens with rotation.
- Inside the platform, every action is gated by a role-based permission check. Roles are documented in the platform Settings > Members section.
- Cavaliq staff who need production access use unique accounts protected by multi-factor authentication. Access is logged and reviewed periodically.
4. Tenant isolation
Cavaliq is a multi-tenant platform: many Clubs share the same database for cost and performance reasons. Tenant isolation is enforced in the application layer: every database query carries the current Club’s identifier as a scope, and our test suite verifies that one Club cannot read another Club’s data.
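As an added illustration of the scoped-query pattern this section describes (example code written for this page, not Cavaliq's own; the table shape, class names and sample rows are assumptions), every repository method takes a scope derived from the session and applies the Club filter itself, and a check in the spirit of the described test suite confirms that no row is readable through another Club's scope:

```typescript
// Row shape for one table that all Clubs share (assumed; the real schema is not on the page).
interface MemberRow {
  id: string;
  clubId: string;
  medicalNotes: string;
}

// Constructed sample data: two Clubs in one table.
const SAMPLE_ROWS: MemberRow[] = [
  { id: "m-1", clubId: "club-a", medicalNotes: "ciphertext-a1" },
  { id: "m-2", clubId: "club-a", medicalNotes: "ciphertext-a2" },
  { id: "m-3", clubId: "club-b", medicalNotes: "ciphertext-b1" },
];

// The scope is built once per request from the authenticated session, never
// from a query parameter or request body that the caller controls.
class ClubScope {
  constructor(readonly clubId: string) {}
}

// Every query method takes the scope and applies the clubId filter itself,
// so there is no unscoped query path for a caller to reach by mistake.
class MemberRepository {
  constructor(private readonly rows: MemberRow[]) {}

  list(scope: ClubScope): MemberRow[] {
    return this.rows.filter((r) => r.clubId === scope.clubId);
  }

  // A valid id that belongs to another Club yields null, indistinguishable
  // from an id that does not exist, so nothing leaks across tenants.
  findById(scope: ClubScope, id: string): MemberRow | null {
    return this.rows.find((r) => r.clubId === scope.clubId && r.id === id) ?? null;
  }

  // Writes stamp clubId from the scope; a clubId in the payload is ignored.
  create(scope: ClubScope, id: string, medicalNotes: string): MemberRow {
    const row: MemberRow = { id, clubId: scope.clubId, medicalNotes };
    this.rows.push(row);
    return row;
  }
}

// The cross-tenant check in the spirit of the test suite described above:
// every row read through any other Club's scope must come back null.
function isolationHolds(repo: MemberRepository, clubIds: string[]): boolean {
  const scopes = clubIds.map((c) => new ClubScope(c));
  return scopes.every((own) => repo.list(own).every((row) =>
    scopes.filter((s) => s !== own).every((other) => repo.findById(other, row.id) === null)));
}
```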
5. Audit logging
Every request that mutates Club Data — and most read operations on sensitive data — is recorded in an audit log with the actor, action, resource, time, and request ID. Logs are retained for at least 12 months and longer for incidents under investigation. They are also the “audit trail of last resort” in the event of a dispute or investigation.
6. Payments and PCI scope
Cavaliq never sees full card numbers. Card data flows directly from the rider’s browser to the Club’s connected payment processor (Stripe, Ziina, or N-Genius). We receive only tokens and references. Our scope under PCI-DSS is SAQ-A.
7. Network and infrastructure
- The application runs on Cloudflare Workers, with strict outbound allow-listing.
- Rate limiting and bot protection are applied at the edge. Rules are tuned to absorb common abuse patterns without affecting legitimate traffic.
- The database is on Neon, with point-in-time recovery and routine restore drills.
- Object storage uses Cloudflare R2 with private-by-default buckets and signed URLs for upload and download.
8. People and process
- All staff and contractors are bound by written confidentiality obligations.
- We use the principle of least privilege when granting access to production systems.
- Access is reviewed periodically and revoked when no longer needed.
- Dependency vulnerabilities are scanned automatically and triaged on a documented cadence.
9. Incident response
Cavaliq has a documented incident response process. On detecting an incident we:
- Triage and contain the issue;
- Investigate the root cause and the scope of any data affected;
- Remediate;
- Notify affected Clubs without undue delay, and within 72 hours when applicable law requires;
- Run a post-incident review and publish a written summary to affected Clubs.
Read the breach-notification commitments in section 8 of the DPA.
10. Responsible disclosure
If you believe you’ve found a security issue with Cavaliq, please report it to info@cavaliq.com. We commit to:
- Acknowledging your report within 2 business days;
- Working with you to understand and fix the issue;
- Not pursuing legal action against good-faith researchers who follow the guidelines in our security.txt file.
11. Compliance roadmap
Cavaliq is designed to meet UAE PDPL, GDPR, and Saudi PDPL operational requirements today. Formal third-party attestations (SOC 2 Type I, then Type II; ISO 27001) are on our roadmap as we scale.
