You're trusting us with two kinds of important information: your customers' personal data (names, emails, phone numbers, photos, throwing history) and your venue's own credentials (your staff login, your booking settings, your branding).
Here's how we protect both, in language you can use to answer your own customers when they ask.
Your customers' passwords are never stored
When a player creates an Arena Tag (their account credential), we don't store the tag in any way that lets us — or anyone else — see it. The same is true for any password they choose. We store a one-way mathematical fingerprint of the password (called a bcrypt hash), and that fingerprint cannot be reversed back into the original password by any practical means.
What this means in practice:
- If somehow our database were stolen tomorrow, the thief would see fingerprints, not passwords. Cracking even a single one takes weeks of dedicated computing time per password.
- We at Arena Master cannot tell you what a player's password is. If they forget it, they recover it through their own email.
- Even our platform super-admin (the highest level of access) cannot read passwords — only reset them.
Your staff password is protected the same way
When you create a venue and set a staff password, that password is hashed before it ever touches our database. Same protections as above:
- Database leak? They get a hash, not your password.
- Forgot it? Use the password change flow (which requires you to enter the current one) — we cannot show you the existing one.
- Want to reset a staff member's password? Generate a new one; we never see the old one.
Logins are protected against guessing
Anyone trying to brute-force their way into your venue's staff account hits a hard wall:
- After 10 failed attempts in 15 minutes, that IP is blocked from trying again for the rest of the window.
- After 5 failed login attempts on a specific player account, that account locks out for 30 minutes.
- We never tell an attacker which usernames exist — every wrong attempt gets the same generic "invalid login" message.
Login sessions are designed to fail safely
When you sign in, we issue a session cookie that's:
- HTTPS-only — never sent over an unencrypted connection
- HttpOnly — invisible to JavaScript (so a cross-site scripting attack can't steal it)
- SameSite-protected — won't ride along with requests from other websites
- Domain-scoped — only works on
*.arenamaster.ca, not on any other site
Sessions expire after 4 hours of inactivity. If you stay active, they keep working. If you walk away from your browser, they quietly time out so a stolen laptop can't keep accessing your venue.
We also rotate the session ID immediately after every successful login, which protects against a class of attacks where a malicious actor pre-sets a session ID and waits for you to authenticate it.
We don't show photos to people who shouldn't see them
Your players' uploaded photos are never shown on public lane displays, scoreboards, leaderboards, or any other venue surface. The only place a player-uploaded photo appears is on their own private "Sports Card" inside their personal portal.
Public displays show display names (which staff have approved) and badge artwork — never selfies. This is a deliberate choice to keep minors and shy adults safe from being broadcast on a TV screen they didn't expect.
Arena Tags stay private — even from your venue
A player's Arena Tag is a 6-character code that works like a password. Per our terms of service:
- You, as a venue, will never see your players' Arena Tags. Not in the admin panel, not in emails, not in approval flows.
- Our database makes it physically impossible — the tag column is excluded from every staff-facing query.
- Players manage their own tags (re-roll, recover by email) from their own portal.
This is a platform-level commitment we treat as legally binding.
Every player has a signed waiver — architecturally enforced
This is unique to Arena Master and worth understanding. Most platforms treat the waiver as a checkbox someone might or might not click before a session. We treat it as the system itself.
Every player who can take part in a session has a digitally signed waiver on file. There is no path through our software that lets you start a lane with a player who hasn't signed. The Arena Tag — the credential a player uses to join their lane — is their signed waiver. You cannot have one without the other.
What this means in practice:
- Walk-up players spend two minutes creating an Arena Tag at the door. That two-minute flow includes the venue waiver.
- Once they're in, every session they join automatically pulls their signed waiver into the session record. You don't have to chase paper.
- If your insurer or your municipality asks for a waiver audit, you can pull every signature from the admin panel with a date range.
Security and legal protection are the same system. We didn't bolt a waiver on top of the app; the app is built around the waiver.
Arena Tag privacy and child protection
Youth sports organisations and parents specifically ask about this. Two relevant facts:
- Player Arena Tags are never visible to venue or league staff. A coach managing a youth team cannot look up a player's Arena Tag. Only the player and Arena Master's platform layer hold it. This is a contractual commitment in our terms of service — it isn't optional or configurable.
- Children under 16 cannot edit their own account. Account changes (name, photo, email, password) flow through their parent or guardian's account. The child's own portal hides the settings interface entirely and the server-side rejects edit requests from minor sessions even if someone tried to manipulate the URL.
Together these address the privacy concerns under PIPEDA (Canada's private-sector privacy law) and the typical concerns of school boards, municipalities, and youth league organisations evaluating a platform for under-16 use.
Built and hosted in Canada
Arena Master is built and hosted in Canada. Your data stays in Canada. We do not store player or venue data on US-based servers, which simplifies compliance with provincial municipality and school-board procurement rules that often require Canadian data residency.
We've done the audit work
In May 2026, we ran a full security audit of the platform against the OWASP Top 10 (the industry-standard checklist of the most common web application vulnerabilities). Findings were prioritized and addressed in batches. Public summary:
- Every CRITICAL finding was fixed.
- Every HIGH finding was either fixed or clarified as a false alarm.
- Of the 10 MEDIUM findings, 9 were fixed and 1 was deemed unnecessary.
- All 5 LOW findings were addressed.
- 3 items were deferred to a planned post-launch hardening pass — all three are infrastructure projects (e.g., Content Security Policy rollout) that need careful staged rollouts rather than rushed patches.
We don't claim "perfect security" — anyone who does is selling you something. We claim honest professional security: industry-standard protections, applied consistently, with a documented audit trail and a willingness to talk plainly about what we do and don't do.
What we don't claim
To keep this document honest:
- We are not certified PCI-DSS, SOC 2, or HIPAA-compliant. We don't process credit card data directly (your payment processor does); we don't handle medical data; we're a small platform without enterprise audit budgets.
- We have not had a third-party penetration test by a paid security firm. The audit referenced above was an internal one with high rigor, but it's not the same thing as hiring an external red team. When the platform grows enough to justify it, we will.
- Like every web application, our security depends partly on you using strong passwords and not sharing your staff login. We will not stop a determined social-engineer who tricks you into typing your password into a fake page.
Your data is backed up
The full database is backed up every 6 hours. We retain the most recent 14 backups (a rolling 3.5-day window). Backups live on the same infrastructure as the live system. We are working on adding off-site backup as a separate hardening item (planned for May 2026).
How to reach us
If you have any security concern — a suspected breach, a strange email, a question about how a specific feature handles data — email us at [email protected]. We respond personally, not via a ticketing system, and we treat security questions as the highest priority in the inbox.
Honest professional security. Industry-standard protections, applied consistently, with a documented audit trail.