Last updated: June 17, 2026
Trust Center
A concise hub for ScrambleSync's security posture, compliance documents, subprocessors, and data-handling practices — stated honestly.
Overview
ScrambleSync is golf scramble tournament software operated by Coyote Valley Technology Solutions, LLC. We act as a data processor on behalf of tournament organizers, host on United States infrastructure, and do not sell data or use it to train AI models. Organizer access is protected by multi-factor authentication (MFA), tenant data is isolated through database row-level security (RLS), and the database is protected by automated daily backups. The sections below summarize our documents, subprocessors, security-review status, backups and recovery, incident contact, and AI controls.
Documents
Our full legal and compliance documents:
Subprocessors
ScrambleSync engages the following subprocessors to provide the service (matching the DPA §8 list). The optional AI assistant subprocessor is engaged only when enabled and in use.
- Supabase (AWS, us-west-1) — database, authentication, and storage.
- Stripe — payments. Handles all card data directly (PCI-DSS Level 1; ScrambleSync is SAQ-A).
- Resend — transactional email.
- Cloudflare — CDN, DNS, and DDoS protection.
- Sentry — error monitoring.
- Upstash — rate-limit state.
- DigitalOcean — hosting and logs.
- Anthropic — optional AI assistant (off by default; engaged only when enabled and in use).
For full subprocessor details, data categories, and the 30-day change-notice process, see the Data Processing Agreement.
Security review status
Stated honestly:
- Security controls are enforced in code and in CI, not by manual policy alone.
- Automated cross-tenant isolation tests verify that one organizer cannot access another organizer's data.
- Dependency scanning gates merges (high-severity vulnerabilities block CI).
- No third-party penetration test has been performed (planned).
- No SOC 2, ISO 27001, or PCI-DSS Level 1 certification. Our PCI scope is Stripe SAQ-A — card data is handled entirely by Stripe and never touches ScrambleSync.
Backups & recovery
Stated honestly:
- Automated daily backups of the managed database.
- RPO ~24 hours; RTO target ~4 hours.
- Point-in-time recovery (PITR) is available from the database provider but is not currently enabled (planned).
- Periodic restore tests are not yet performed (planned).
Incident contact
Report a suspected security incident to:
- Email: [email protected]
For breaches affecting customer data, our target is to notify affected customers within 72 hours of becoming aware, in line with the Data Processing Agreement §11.
AI controls
The optional Scramble AI assistant is off by default and, when enabled, is:
- No-training — inputs and outputs are not used to train any AI model;
- Organization-scoped — it can only access the enabling organization's own data;
- Confirm-before-change — live-day actions require the organizer's explicit confirmation;
- Auditable — actions are recorded in the audit trail; and
- Disableable — it can be turned off per organization at any time.
For full detail, see AI & Your Data.