Security & Sub-processors
ChapterOps takes student data seriously. This page describes how we protect your data and who else touches it.
Sub-processors
We share data only with the vendors listed below, strictly to provide the ChapterOps service. We do not sell data.
| Vendor | Purpose | Data flowing |
|---|---|---|
| Vercel | Hosting / CDN | All request/response traffic (including student data in-flight) Vercel processes every request passing through ChapterOps, including those containing student data in request/response bodies. Vercel does not persist student data beyond standard server log retention (typically 30 days). Vercel holds SOC 2 Type II certification. |
| Supabase | Database, Auth, File Storage | All chapter data, uploaded files (permission slips, member photos) |
| Stripe | Payment processing | Parent payment info, transaction metadata Only used when chapters enable online trip payments. Stripe processes card details directly — ChapterOps receives payment status only. |
| Twilio | SMS delivery | Phone numbers, message bodies Only sent after explicit TCPA opt-in by the recipient. |
| Resend | Transactional email | Email addresses, message bodies |
| Sentry | Error tracking and performance monitoring | Stack traces, request metadata PII scrubbing will be enabled before the first paying customer. During free pilot, stack traces may include request URLs but not user content. |
| Anthropic | AI-assisted CSV column mapping | Column headers and up to 3 sample values per ambiguous column Opt-in per chapter. Enabled only for the CSV import feature. Column headers and sample values are sent — not full roster data. No PII unless column headers themselves contain PII (they typically do not). |
How data is protected
Encryption at rest
Supabase encrypts all data at rest by default (AES-256). Sensitive medical and eligibility notes (eligibility_notes and medical_notes) are encrypted at the application layer using AES-256-GCM when the operator has configured an encryption key. We will not enable production access for any chapter without confirming the key is set. Full key rotation management is a planned enhancement.
Encryption in transit
All connections to ChapterOps use TLS. There are no unencrypted data paths.
Two-factor authentication
2FA is available for all advisor accounts via app-based TOTP (Settings → Security). We recommend all advisors enable it.
Per-chapter data isolation
Every database query is scoped to the advisor's chapter via row-level security (RLS) enforced at the database layer. An advisor or member from one chapter cannot read another chapter's data even if they guess the URL.
Audit log
All privileged data access — roster exports, eligibility note views, year rollovers, ownership transfers — is recorded in an immutable audit log. Advisors can view their chapter's audit history in settings.
Health field access control
Allergies, dietary restrictions, medical notes, and member photos are visible only to: the advisor, the member themselves, and chaperones during a shared trip. Officers — even those with full roster access — cannot see health or medical fields.
Security disclosures
If you discover a security vulnerability in ChapterOps, please email security@chapterops.com with a description of the issue. We will acknowledge within 48 hours and work to resolve confirmed vulnerabilities promptly. Please do not disclose publicly until we have had a chance to address the issue.
Sub-processor compliance
We verify that each sub-processor holds current compliance certifications relevant to student data. Summary of known certifications:
| Vendor | Certifications |
|---|---|
| Vercel | SOC 2 Type II, GDPR DPA available |
| Supabase | SOC 2 Type II, GDPR DPA available, HIPAA-eligible infrastructure |
| Stripe | PCI DSS Level 1 Service Provider, SOC 2 Type II |
| Twilio | ISO 27001, SOC 2 Type II, GDPR DPA available |
| Resend | SOC 2 Type II (in progress as of 2026), GDPR DPA available |
| Sentry | SOC 2 Type II, GDPR DPA available |
| Anthropic | SOC 2 Type II, GDPR DPA available. API inputs are not used for model training per Anthropic's standard API terms. |
Does your district require a DPA?
Many districts require a Data Processing Agreement before permitting third-party tools that handle student data. We have a template ready.
Download our DPA template