Built to keep your members’ data safe.
ClubMogo handles personal data for thousands of members across the facilities we serve. Here’s how we protect it, what we comply with today, and where we’re headed.
How we protect data
Encryption everywhere
TLS 1.2 or newer for every request in transit. AES-256 at rest in our managed Postgres. Secrets are kept in Vercel's encrypted environment variables, never in source control.
India-region data residency
Our production database is a Mumbai-region (ap-south-1) Supabase Postgres cluster, and we don't replicate it to overseas regions. Some of the sub-processors listed below operate outside India; see the table for each one's region.
Row-level security (RLS)
Every public-schema table has RLS enabled. A staff JWT cannot read another facility's rows — enforced at the database layer, not just the application.
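The policy shape that gives this guarantee, as an added illustration rather than ClubMogo's own schema or policies. It assumes a hypothetical table public.members with facility_id and user_id columns, and that Supabase Auth issues staff JWTs whose app_metadata carries a facility_id claim; auth.jwt() and auth.uid() are Supabase's built-in helpers, everything else is plain Postgres.

```sql
-- Added example, not ClubMogo's own schema or policies.
-- Assumptions: a table public.members with facility_id (uuid) and user_id (uuid)
-- columns, and staff JWTs issued by Supabase Auth carrying app_metadata.facility_id.
-- auth.jwt() and auth.uid() are Supabase-provided helpers; the rest is plain Postgres.

alter table public.members enable row level security;
-- Apply the policies to the table owner as well, not only to ordinary roles.
alter table public.members force row level security;

-- Staff may read and write only rows belonging to the facility named in their JWT.
-- The USING clause filters reads; WITH CHECK blocks inserts/updates into another facility.
create policy members_facility_isolation on public.members
  for all
  to authenticated
  using (
    facility_id = (auth.jwt() -> 'app_metadata' ->> 'facility_id')::uuid
  )
  with check (
    facility_id = (auth.jwt() -> 'app_metadata' ->> 'facility_id')::uuid
  );

-- A member may read only their own row (assumes members.user_id references auth.users.id).
create policy members_read_self on public.members
  for select
  to authenticated
  using (user_id = auth.uid());

-- Check: list public-schema tables where RLS is still off. An empty result backs a
-- "every public-schema table" claim. Note that a table with RLS enabled but no policy
-- returns no rows at all to ordinary roles, so a missing policy fails closed, not open.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Two caveats worth keeping in mind when reviewing a setup like this: Supabase's service_role key bypasses RLS entirely, so it belongs only on trusted server-side code, and a claim used in a policy must be one the user cannot set for themselves (app_metadata, which only privileged code can write, rather than user_metadata).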
Authentication you control
Supabase Auth with email and OAuth (Google). Member accounts use magic-link login by default. Staff accounts use email and password; MFA for staff is on our roadmap.
Audit logging
Member edits, refunds, role changes, deletions — anything material to operations or compliance is logged with actor, timestamp, and before/after state.
DPDPA 2023 compliant
Right of access, right to erasure, right to data portability: members can export or delete their own data from the mobile app or from the /privacy controls page on the web. The grievance-redressal contact is listed in our Privacy Policy.
Transparency
Our sub-processors
The vendors we share data with to operate the service. We sign data-processing agreements with each.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase (AWS Mumbai) | Database, auth, file storage | India (ap-south-1) |
| Vercel | Web app hosting, edge network | Global (primary: ap-south-1) |
| Razorpay | Payments, GST invoicing | India |
| Sentry | Error tracking and performance | EU |
| PostHog | Product analytics | EU |
| WhatsApp Business API | Member messaging | Global (Meta) |
| Resend | Transactional email | EU / US |
| OpenAI / Anthropic | AI assistant — only when AI features are enabled | US |
Roadmap
Certifications
ClubMogo today operates against DPDPA 2023 and follows GDPR-style data-subject controls. We are not yet SOC 2 or ISO 27001 certified — these are on the roadmap for the year ahead and we’re happy to share progress with prospective enterprise customers under NDA.
If you need a security questionnaire filled in or a specific compliance attestation, email security@clubmogo.com and we’ll get back the same business day.
Responsible disclosure
Found a vulnerability? Please tell us — we appreciate the heads-up and won’t pursue legal action against good-faith researchers who follow this policy.
- Email security@clubmogo.com with a clear description and reproduction steps.
- Give us a reasonable window to fix before public disclosure.
- Don’t access more data than needed to prove the bug.