Trust & security

Built for the UK gym estate.
Hardened for procurement.

Every customer's data is encrypted, audited, and ring-fenced. Below is the stack of controls, posture and proof-points your security team will ask for. No marketing fluff.


Our security pillars

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. Backups encrypted with rotated keys held in a separate region.

Tenant isolation

Every collection scoped by organisation id. Defense-in-depth at the API + database + audit layers.

Least privilege

Role-based access, MFA for admins, brute-force lockouts and full audit trail of every elevated action.

Observability

Sentry SDK on backend + frontend. Failed logins and integration drift each trigger a trust event in real time.

Controls coverage

What your security team will tick off in a typical procurement questionnaire. Colour-coded by current implementation status.

TLS 1.3 (Live)
  All traffic encrypted in transit. HSTS preload.
AES-256 at rest (Live)
  MongoDB Atlas + S3 storage encryption.
Multi-factor authentication (Live)
  TOTP enforced for all master admin accounts.
Immutable audit log (Live)
  Every login, billing change, and config edit recorded.
Brute-force lockout (Live)
  5-attempt lockout, sliding window, trust-event escalation.
Strict CSP + security headers (Live)
  No `unsafe-eval`, `frame-ancestors 'none'`, X-Content-Type-Options.
Per-route rate limiting (Live)
  Sliding-window limits on auth + write paths.
Real-time error monitoring (Live)
  Sentry instrumentation across backend + frontend.
PII minimisation (Live)
  Customer data scoped, retention policies enforced.
Data Processing Agreement (Live)
  GDPR-aligned DPA template available on request.
Annual penetration test (Roadmap)
  Third-party offensive security review.
SOC 2 Type II report (Roadmap)
  Audit window opens Q3 2026.
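The "Brute-force lockout" and "Per-route rate limiting" entries above both describe a sliding-window counter keyed per tenant and principal. The following is an added illustration, not code from the page's product: it implements a 5-attempt sliding-window lockout that raises a trust event when the threshold is crossed. The 15-minute window and 15-minute lockout durations, the `org_id:username` key shape, and the trust-event fields are assumptions for the example; the page states only the attempt count, the sliding window, and the escalation.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5        # stated on the page
WINDOW_SECONDS = 900    # assumed sliding-window length (15 min)
LOCKOUT_SECONDS = 900   # assumed lockout duration (15 min)


def guard_key(org_id: str, username: str) -> str:
    """Scope the counter by organisation so one tenant's traffic
    can never lock out (or reset) an account in another tenant."""
    return f"{org_id}:{username}"


@dataclass
class LoginGuard:
    # key -> timestamps of failed attempts inside the current window
    attempts: dict = field(default_factory=lambda: defaultdict(deque))
    # key -> unix time at which the lockout expires
    locked_until: dict = field(default_factory=dict)
    # trust events emitted on escalation (would go to Sentry/audit log)
    trust_events: list = field(default_factory=list)

    def _prune(self, key: str, now: float) -> None:
        """Drop failures older than the window; this is what makes it 'sliding'."""
        window = self.attempts[key]
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()

    def is_locked(self, key: str, now: float) -> bool:
        until = self.locked_until.get(key)
        return until is not None and now < until

    def record_failure(self, key: str, now: float) -> bool:
        """Record a failed login. Returns True only when this failure
        crosses the threshold and a new lockout is created."""
        if self.is_locked(key, now):
            return False  # still locked; caller must keep denying
        self._prune(key, now)
        window = self.attempts[key]
        window.append(now)
        if len(window) >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            # escalation: an immutable, structured event for the audit trail
            self.trust_events.append({
                "type": "brute_force_lockout",   # assumed event name
                "key": key,
                "failures_in_window": len(window),
                "locked_until": self.locked_until[key],
                "at": now,
            })
            window.clear()
            return True
        return False

    def record_success(self, key: str, now: float) -> None:
        """A successful login clears the failure window, but does not lift
        an active lockout: a correct password during lockout is still denied."""
        if not self.is_locked(key, now):
            self.attempts.pop(key, None)


def login_allowed(guard: LoginGuard, org_id: str, username: str, now: float) -> bool:
    """Check to run before verifying the password at all, so locked accounts
    never reach the credential check (and never leak timing about it)."""
    return not guard.is_locked(guard_key(org_id, username), now)
```

Two design points worth noting: the window is pruned on every failure, so four stale failures plus one fresh one does not lock the account, and the lockout is checked before any password verification, so a locked account cannot be used to probe credentials.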

Compliance & legal

UK GDPR (Compliant)
  • Personal data minimisation by design
  • Right-to-erasure implemented (per-org)
  • Data Processing Agreement available on request
SOC 2 Type II (In progress)
  • Internal controls documented
  • External audit Q3 2026
  • Trust Services Criteria mapped
ISO 27001 (Roadmap)
  • Risk assessment complete
  • ISMS framework drafted
  • Cert audit FY27

Sub-processors

Third parties that may process customer data on our behalf, with their hosting region. We notify customers 30 days before adding any new sub-processor.

Service                       | Purpose                             | Region
------------------------------|-------------------------------------|------------
MongoDB Atlas                 | Primary database                    | EU (eu-west)
AWS S3                        | Object storage (uploads, exports)   | EU (eu-west)
Stripe                        | Payment processing                  | UK / EU
Resend                        | Transactional email                 | EU
Sentry                        | Error monitoring                    | EU
Anthropic / Google / OpenAI   | LLM inference (opt-in)              | EU / US

Need a security questionnaire, DPA, or pen-test report?

Email security@gymaxisai.com — we usually respond within one UK working day. Existing customers can also raise a request from the Master Admin → Security tab.
