Security

How we protect your data

Infrastructure

Enterprise-grade hosting with encryption at every layer.

  • Hosted on Vercel's edge network with automatic scaling and DDoS protection.
  • Database powered by Neon PostgreSQL with encryption at rest (AES-256) and in transit (TLS 1.3).
  • All traffic served over HTTPS with strict transport security headers.

Authentication

Secure identity management built on proven standards.

  • Auth.js (NextAuth) for standards-based authentication flows.
  • Passwords hashed with bcrypt using industry-recommended cost factors.
  • JWT-based sessions with secure, HTTP-only cookies and automatic expiration.

Data Access

Granular controls to ensure the right people see the right data.

  • Role-based access control (RBAC) with distinct permission levels per organization.
  • No shared credentials — every user has their own authenticated identity.
  • Audit-ready access patterns with structured logging.

API Security

Hardened API layer with defense-in-depth protections.

  • Rate limiting deployed to prevent abuse and ensure fair usage.
  • CORS configured to restrict cross-origin requests to authorized domains.
  • Input validation and parameterized queries to prevent injection attacks.

Data Sources

All external data obtained through legitimate, licensed channels.

  • Commercially licensed sports data APIs with proper usage agreements.
  • No web scraping, no unauthorized data collection.
  • Third-party data providers vetted for security and compliance practices.

Reporting Vulnerabilities

We take security reports seriously and respond promptly.

  • If you discover a potential security vulnerability, please report it through our contact form.
  • We aim to acknowledge reports within 48 hours and provide resolution timelines.
  • We appreciate responsible disclosure and will credit reporters where appropriate.

Report a vulnerability →

Compliance

Working toward industry standards.

NILmetrics is building with compliance in mind from day one. Our platform is designed with SOC 2 awareness principles — including data isolation, access controls, and audit logging — as we work toward formal certification.

We follow GDPR-aware design practices including data minimization, purpose limitation, and providing users with access, correction, and deletion rights for their personal data.