Built for operators
who can't afford a breach.
GymAxis holds your members' payment data, your staff's personal information, and the records behind your operational decisions. Here is how we protect them.
Latest hardening pass
May 2026
Our defence
Six pillars. Continually verified.
Authentication & sessions
Cryptographically strong, rotated JWT signing secret; HttpOnly session cookies; rate-limited password reset; and brute-force protection on every auth endpoint.
Encryption everywhere
TLS 1.3 in transit, AES-256 at rest. Fernet field-level encryption for integration secrets. Stripe handles PCI scope; we never see raw card numbers.
IDOR-tested endpoints
Every operator endpoint filters by the caller's organisation_id before any read or write. Cross-tenant access returns 404 (never 403) so attackers can't enumerate IDs by status code. Regression-tested on every deploy.
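How the "404, never 403" rule looks in code. This is an added illustration, not GymAxis's own code: an in-memory member table (a constructed sample), a tenant-scoped read, the leaky fetch-then-authorise variant it replaces, and the regression check a deploy pipeline can run against both. Field names and the HTTP status mapping are assumptions.

```python
# Added example (not GymAxis code): the tenant-scoping rule in plain Python.
# The member table, field names and the HTTP mapping are assumptions.
from dataclasses import dataclass, replace


class NotFound(Exception):
    """One exception for both 'no such row' and 'row belongs to another tenant'."""


@dataclass(frozen=True)
class Member:
    id: int
    organisation_id: int
    email: str


# Constructed sample table: tenant 10 owns members 1 and 2, tenant 20 owns member 3.
MEMBERS = {
    1: Member(1, 10, "a@tenant-ten.example"),
    2: Member(2, 10, "b@tenant-ten.example"),
    3: Member(3, 20, "c@tenant-twenty.example"),
}


def get_member(caller_org: int, member_id: int) -> Member:
    """Scoped read. Equivalent SQL (assumed schema):
        SELECT * FROM members WHERE id = %s AND organisation_id = %s
    The tenant filter is part of the lookup, not a check bolted on after it, so a
    foreign row and a missing row take the same path and get the same answer.
    """
    row = MEMBERS.get(member_id)
    if row is None or row.organisation_id != caller_org:
        raise NotFound()
    return row


def get_member_leaky(caller_org: int, member_id: int) -> Member:
    """The anti-pattern: fetch first, authorise second, a different error per case.
    403-vs-404 tells an attacker which ids exist in other tenants."""
    row = MEMBERS.get(member_id)
    if row is None:
        raise NotFound()
    if row.organisation_id != caller_org:
        raise PermissionError()          # surfaces as 403
    return row


def set_member_email(caller_org: int, member_id: int, new_email: str) -> Member:
    """Writes reuse the scoped read, so an IDOR on PUT/DELETE is caught identically."""
    current = get_member(caller_org, member_id)
    updated = replace(current, email=new_email)
    MEMBERS[member_id] = updated
    return updated


def _respond(fn, *args) -> tuple:
    """HTTP-style wrapper: NotFound -> 404 with a fixed body, PermissionError -> 403."""
    try:
        m = fn(*args)
    except NotFound:
        return 404, {"error": "not found"}
    except PermissionError:
        return 403, {"error": "forbidden"}
    return 200, {"id": m.id, "email": m.email}


def handle_get(caller_org: int, member_id: int) -> tuple:
    return _respond(get_member, caller_org, member_id)


def handle_get_leaky(caller_org: int, member_id: int) -> tuple:
    return _respond(get_member_leaky, caller_org, member_id)


def handle_update(caller_org: int, member_id: int, email: str) -> tuple:
    return _respond(set_member_email, caller_org, member_id, email)


def cross_tenant_indistinguishable(handler, caller_org: int, foreign_id: int, missing_id: int) -> bool:
    """Regression check for a deploy pipeline: a foreign id and a non-existent id
    must produce byte-identical responses from the given handler."""
    return handler(caller_org, foreign_id) == handler(caller_org, missing_id)
```

The regression check is the part worth wiring into CI: run it for every operator handler with one id from another tenant and one id that does not exist, and fail the deploy if the two responses differ in status, body or headers.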
Tamper-evident audit log
Append-only master-admin audit trail with CSV export, dedicated impersonation + export event streams, and hash-chain verification — evidence-grade for SOC 2 and pentests.
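What hash-chain verification means in practice. An added example, not GymAxis's audit code: each row commits to the previous row's hash, and a verifier walks the chain and reports the first row that no longer fits. The event fields, the canonical encoding and the sample events are assumptions constructed for the demo.

```python
# Added example (not GymAxis code): an append-only, hash-chained audit log and the
# verifier that proves it untouched. Field names and the canonical encoding are assumptions.
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64   # previous-hash value for the first entry


def _canonical(entry: dict) -> bytes:
    # Sorted keys, fixed separators: one event always serialises to the same bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _link_hash(prev_hash: str, entry: dict) -> str:
    # Each row commits to its predecessor's hash, so changing any earlier row
    # breaks every hash after it.
    return hashlib.sha256(prev_hash.encode() + b"|" + _canonical(entry)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self._rows: list = []   # rows of {"seq", "prev_hash", "entry", "hash"}

    def append(self, entry: dict) -> dict:
        prev = self.head
        row = {"seq": len(self._rows), "prev_hash": prev,
               "entry": copy.deepcopy(entry), "hash": _link_hash(prev, entry)}
        self._rows.append(row)
        return copy.deepcopy(row)

    @property
    def head(self) -> str:
        """Hash of the latest row; anchor it somewhere the log writers cannot reach."""
        return self._rows[-1]["hash"] if self._rows else GENESIS

    def export(self) -> list:
        """What a CSV export or a pentester's evidence pack would carry."""
        return copy.deepcopy(self._rows)


def verify_chain(rows: list, expected_head: Optional[str] = None) -> tuple:
    """(True, None) if intact, else (False, seq of the first bad row).
    Catches edited entries, deleted or reordered rows and, given the anchored head,
    truncation of the tail."""
    prev = GENESIS
    for i, row in enumerate(rows):
        if row["seq"] != i or row["prev_hash"] != prev:
            return False, i
        if _link_hash(prev, row["entry"]) != row["hash"]:
            return False, i
        prev = row["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(rows)
    return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample events: an impersonation and a CSV export by a master admin."""
    log = AuditLog()
    log.append({"ts": "2026-05-01T09:00:00Z", "actor": "admin@gymaxis.example",
                "action": "impersonate.start", "target": "member:42", "org": 10})
    log.append({"ts": "2026-05-01T09:03:12Z", "actor": "admin@gymaxis.example",
                "action": "export.csv", "target": "org:10", "rows": 1883})
    log.append({"ts": "2026-05-01T09:05:00Z", "actor": "admin@gymaxis.example",
                "action": "impersonate.end", "target": "member:42", "org": 10})
    return log
```

The chain alone only proves the rows are consistent with each other. Whoever can rewrite the table can recompute every hash, so the value of `head` has to be anchored somewhere those writers cannot reach (a signed daily digest, write-once storage, or a copy handed to the auditor); `verify_chain(rows, anchored_head)` is the call that also catches tail truncation.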
Hardened infrastructure
Strict CSP, security headers, SSRF allow-list with IMDS + DNS-rebind guards, AV scanning on uploads (ClamAV + static-signature), and dependency CVE auditing on every release.
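The SSRF guard, as an added example rather than GymAxis's implementation: a URL is accepted only if its scheme and port are allowed, its host is on the allow-list (when one applies), it is neither an IP literal nor a known metadata hostname, and every address it resolves to is public. The vetted address is returned pinned so the connect step cannot be re-bound by a second DNS lookup. The DNS table and the partner hostnames are constructed for the demo; the scheme and port policy is an assumption.

```python
# Added example (not GymAxis code): an outbound-URL guard with allow-list, IMDS/private
# address blocking and DNS pinning. Policy constants and the DNS table are assumptions.
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit


class UnsafeURL(ValueError):
    pass


@dataclass(frozen=True)
class PinnedTarget:
    host: str   # keep for the Host header and TLS SNI
    ip: str     # connect to this address; never re-resolve
    port: int


ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
# Metadata hostnames that resolve internally on cloud hosts (real names).
BLOCKED_NAMES = {"metadata.google.internal", "metadata"}
CGNAT = ipaddress.ip_network("100.64.0.0/10")
AWS_IMDS_V6 = ipaddress.ip_address("fd00:ec2::254")   # IPv4 IMDS is 169.254.169.254 (link-local)


def is_forbidden_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or ip in CGNAT or ip == AWS_IMDS_V6)


def system_resolver(host: str) -> list:
    """Real resolver; the demo below injects a table instead so it runs offline."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url: str, resolver=system_resolver, allowed_hosts=None) -> PinnedTarget:
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port or 443
    except ValueError:
        raise UnsafeURL("invalid port") from None
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port {port} not allowed")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise UnsafeURL(f"host {host!r} not on allow-list")
    if host in BLOCKED_NAMES:
        raise UnsafeURL("metadata hostname")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise UnsafeURL("IP literals are not allowed; use a hostname")
    addrs = resolver(host)
    if not addrs:
        raise UnsafeURL("host does not resolve")
    # Every answer must be clean: a rebinding resolver can return a public and a
    # private address in one response and let the client pick.
    for a in addrs:
        if is_forbidden_ip(a):
            raise UnsafeURL(f"{host} resolves to forbidden address {a}")
    # Pin one vetted address. The caller connects to target.ip with SNI/Host = target.host
    # and must not follow redirects automatically: each Location goes through check_url again.
    return PinnedTarget(host, addrs[0], port)


def is_safe(url: str, resolver=system_resolver, allowed_hosts=None) -> bool:
    try:
        check_url(url, resolver, allowed_hosts)
    except UnsafeURL:
        return False
    return True


# Constructed DNS table standing in for a real resolver during the demo.
FAKE_DNS = {
    "api.partner.example": ["8.8.8.8"],
    "rebind.attacker.example": ["8.8.8.8", "169.254.169.254"],   # mixed answer
    "internal.attacker.example": ["10.0.0.5"],
    "v6trick.attacker.example": ["::ffff:127.0.0.1"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])
```

Connect to `target.ip` while sending `target.host` as the Host header and SNI (curl does this with `--resolve host:port:ip`; most HTTP client libraries need a custom transport or adapter for it), and disable automatic redirects so every `Location` header is run through `check_url` before it is followed.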
Responsible disclosure
Published security.txt with a canonical contact, expiry date and 90-day safe-harbour. Researchers welcome; we acknowledge within 24 hours.
Latest hardening
What we shipped this quarter.
Security is a release item, not a marketing tagline. Every quarter we publish what we hardened, what we audited, and what changed.
- Pen-test ready — 7 hardening waves landed (auth, AI guardrails, web scrubbers, SSRF, AV, audit hygiene, sandbox tenant).
- AI prompt-injection guardrails on every LLM round-trip (OWASP LLM01–10) — per-tenant token budgets, jailbreak detection, output sanitisation.
- JWT_SECRET rotated to a 64-hex-character (256-bit) cryptographically random value. Role-tiered access-token TTLs; MFA enforceable on every master-admin route.
- Rate-limits on every auth + money endpoint (login, register, top-up, auto-pay, public demo-request).
- Stripe webhook hard-requires STRIPE_WEBHOOK_SECRET in production; idempotency keys on every event.
- Global 500 handler — never leaks raw exception details to the client. /api/health returns "ok" only (no version / build / commit info).
- CORS pinned per-environment; "*" disallowed in production. HSTS preload-ready.
- /.well-known/security.txt published with a 12-month expiry and rolling refresh.
- GDPR Art. 17 erasure workflow with 30-day cooling-off; gdpr_erased rows excluded from operator lists + AI RAG contexts.
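The two Stripe webhook items above (a required signing secret, idempotency on every event), as an added example. It re-implements Stripe's documented signing scheme (`Stripe-Signature: t=<timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>">`) so the checks are visible; in production the `stripe` library's `Webhook.construct_event` does this. The event body, the secret and the in-memory idempotency store are constructed for the demo, and the store stands in for a database unique constraint.

```python
# Added example (not GymAxis code): Stripe webhook signature verification, fail-closed
# on a missing secret, plus idempotent dispatch keyed on the event id.
# The sample event, secret and in-memory store are constructed for the demo.
import hashlib
import hmac
import json
import time
from typing import Optional

TOLERANCE_SECONDS = 300   # Stripe's default replay window


class WebhookError(Exception):
    pass


def _parse_signature_header(header: str) -> tuple:
    ts, sigs = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            try:
                ts = int(value)
            except ValueError:
                raise WebhookError("non-numeric timestamp") from None
        elif key == "v1":            # a rotating secret can yield several v1 entries
            sigs.append(value)
    if ts is None or not sigs:
        raise WebhookError("malformed Stripe-Signature header")
    return ts, sigs


def _sign(payload: bytes, secret: str, ts: int) -> str:
    return hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256).hexdigest()


def verify_stripe_event(payload: bytes, header: str, secret: str, now: Optional[int] = None) -> dict:
    """Return the parsed event or raise. The signature is checked on the raw bytes
    before the body is parsed, so nothing unauthenticated reaches the JSON decoder."""
    if not secret:                   # fail closed: an unset secret must never mean 'skip'
        raise WebhookError("STRIPE_WEBHOOK_SECRET is not configured")
    ts, sigs = _parse_signature_header(header)
    expected = _sign(payload, secret, ts).encode()
    if not any(hmac.compare_digest(expected, s.encode()) for s in sigs):
        raise WebhookError("signature mismatch")
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        raise WebhookError("timestamp outside tolerance (replay?)")
    return json.loads(payload)


def is_valid_delivery(payload: bytes, header: str, secret: str, now: Optional[int] = None) -> bool:
    try:
        verify_stripe_event(payload, header, secret, now)
    except WebhookError:
        return False
    return True


def make_signature_header(payload: bytes, secret: str, ts: int) -> str:
    """Builds a header the way Stripe would; used here only to drive the demo."""
    return f"t={ts},v1={_sign(payload, secret, ts)}"


class EventProcessor:
    """Idempotent dispatch keyed on the Stripe event id: a redelivered event is a no-op.
    In production `seen` is a UNIQUE-constrained column written in the same transaction
    as the side effect, not a Python set."""

    def __init__(self) -> None:
        self.seen = set()
        self.credited = {}   # customer id -> minor units credited

    def process(self, event: dict) -> str:
        if event["id"] in self.seen:
            return "duplicate"
        if event["type"] == "checkout.session.completed":
            session = event["data"]["object"]
            self.credited[session["customer"]] = (
                self.credited.get(session["customer"], 0) + session["amount_total"])
        self.seen.add(event["id"])
        return "processed"


# Constructed sample delivery.
SECRET = "whsec_example_secret_for_demo"
SAMPLE_TS = 1_700_000_000
SAMPLE_BODY = json.dumps({
    "id": "evt_demo_001", "type": "checkout.session.completed",
    "data": {"object": {"customer": "cus_demo", "amount_total": 4999}},
}).encode()
SAMPLE_HEADER = make_signature_header(SAMPLE_BODY, SECRET, SAMPLE_TS)
```

Two details carry the weight here: the HMAC is computed over the raw request bytes, so any framework that re-serialises the body before the handler sees it breaks verification, and the idempotency check has to share a transaction with the side effect, otherwise two concurrent redeliveries can both pass the "not seen yet" test.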
Trust posture
Read the contracts, not the pitch.
Every commitment on this page is written down. Procurement and security teams can review the legal posture before talking to us.
Responsible disclosure
Found something?
Email us. We acknowledge within 24 hours and patch within the SLA on our security.txt. Researchers acting in good faith are covered by our safe-harbour clause.
Run a fitness business that takes security seriously.
14-day free trial. Pentest-evidence pack available on request for enterprise plans.
