Security is not a feature. It's the foundation.
AVILA Base is architected to support GDPR, Bokföringslagen, PCI DSS via Stripe, SOC 2 Type II and ISO 27001. We treat club data the way clubs treat their athletes, with care.
GDPR by design
Explicit consent at signup. Parental consent flows for minors. Full data export and Right to Erasure available to members in one click. Strict data minimization at every layer.
Row-Level Security on every table
Default-deny. Nothing exposed unless explicitly whitelisted. A coach cannot see another team's data. A parent cannot see another family. A club cannot see another club. Enforced in PostgreSQL, not the UI.
AES-256-GCM personnummer
Personnummer is encrypted at rest. Decryption happens only inside a secure edge function with a role check. Treated like the sensitive data it is.
Secure payment via Stripe
Your club never touches a card number. Card data flows directly from the payer to Stripe, never through AVILA Base. Stripe Connect settles funds straight to your club's account.
Bokföringslagen retention
Financial records are never hard-deleted: only cancelled or refunded. The full 7-year audit trail Bokföringslagen requires is preserved by design.
Multi-club isolation
Multi-tenant from day one. Per-club roles assigned independently. Members can belong to multiple clubs; each tenancy is isolated at the row level.
Engineering practices we don't compromise on.
- Default-deny RLS policies
- Private file storage with signed URLs
- SVG sanitization against upload XSS
- Leaked-password protection at signup
- Atomic operations preventing double-booking
- Audit-friendly soft-deletes on financials
- Strict input validation server-side (Zod)
- Continuous logging and monitoring
Financial records are never hard-deleted. Only cancelled or refunded. The full 7-year audit trail Bokföringslagen requires is preserved by design.