Security is not a feature. It's the foundation.
AVILA Base is built from the ground up to support GDPR, Bokföringslagen (Swedish Accounting Act), PCI-DSS via Stripe, and is designed to align with SOC 2 Type II and ISO 27001 standards. We treat club data with the same care and respect you show your athletes.
GDPR compliance by design
Explicit consent at signup and parental consent flows for minors. Members can export their data or request deletion in one click. Strict data minimization is applied at every layer.
Advanced access control (RLS)
Row-Level Security on every table with a default-deny policy. A coach cannot see another team's data, a parent cannot see another family, and clubs are completely isolated. Enforced in PostgreSQL, not the UI.
AES-256-GCM encryption
Sensitive personal data (personnummer) is encrypted at rest using AES-256-GCM. Decryption happens only within a secure edge function with strict role-based access control.
Secure transactions via Stripe
Your club never handles or stores sensitive card details. Card data flows directly from the payer to Stripe (PCI-DSS compliant), and payouts settle directly to your club's bank account.
Bokföringslagen compliance
Financial records are never deleted from the database – they can only be cancelled or credited. The full 7-year audit trail required by Swedish law is preserved by design.
Complete multi-club isolation
Multi-tenant from day one with independent roles and permissions per club. Even if members belong to multiple clubs, their data is kept strictly isolated at the row level.
Engineering practices we don't compromise on.
- Database-level security policies (default-deny RLS)
- Private file storage with temporary, signed URLs
- SVG sanitization to prevent cross-site scripting (XSS) on file uploads
- Leaked-password protection during signup
- Atomic database transactions preventing double-booking
- Audit-friendly soft-deletes on all financial data
- Strict server-side input validation (Zod)
- Continuous logging and real-time system monitoring
Financial records are never hard-deleted. Only cancelled or refunded. The full 7-year audit trail Bokföringslagen requires is preserved by design.
