Security

Protocol · 2026

Security that does the work.

Field-level encryption, role-based access, and audit logging — the primitives behind every screen in Enkelt.ai.

Field-level encryption

Sensitive fields are encrypted before they hit the database.

Phone numbers, passport details, salary terms, and payout accounts are encrypted with AES-256-GCM and a per-record IV. Plaintext never lives at rest — not in backups, not in logs, not in support tools.

AES-256-GCM

at rest

Phone & emergency contact●●●●●●●●enc

Passport & ID numbers●●●●●●●●enc

Salary & contract terms●●●●●●●●enc

Payout & bank details●●●●●●●●enc

256-bit key · authenticated encryption · unique IV per record

Platform primitives

Built-in controls — not bolt-on add-ons.

Every action a coach, manager, or player can take passes through the same auth, audit, and rate-limit layer.

Six-level role hierarchy

Owner, general manager, manager, coach, analyst, player. Fine-grained permissions plus wildcard scopes mean every screen only renders what the role is cleared to see.

Audit log on sensitive ops

Contract edits, salary changes, role grants, and exports are appended to an immutable audit trail with timestamp and actor identity.

Rate limiting on every endpoint

Public and authenticated API routes are guarded by per-key and per-IP limits to absorb abuse without degrading the rest of the platform.

API credential vault

Third-party API keys (Riot, FaceIT, Steam, PandaScore) are encrypted at rest with a separate envelope key, never returned in API responses.

Signed webhook verification

Inbound webhooks from Clerk (Svix) and Stripe are signature-verified on every request, with replay-protection tracking so retried events run exactly once.

Read-only admin impersonation

Platform admins can step into an organization to investigate issues, but every mutation is blocked while impersonating. Audit log captures who, when, and why.

Your data rights

GDPR is a baseline, not a feature.

Enkelt.ai is built in Norway. Your team's data is yours — export it, retain it, or remove it, on your schedule.

GDPR-aligned by design

We sign a Data Processing Agreement with every organization and process player data under documented lawful bases. The DPA is published — no NDA required.

Self-serve data export

Export everything your organization stores — rosters, contracts, scrim history, finance ledger — as structured files on demand.

Defined retention windows

Each data class has a documented retention window with scheduled cleanup. Cancel your subscription and your data is removed on the published schedule.

Parental consent for minors

Players under the age of legal consent require a verified guardian record before profile data, contracts, or contact details are accepted.

Documents

Read the legal stack.

Everything that governs how we handle your data lives at a stable URL.

What we collect, why, and how long we keep it.

Read

Data Processing Agreement

The processor-side contract for your team's data.

Read

The rules of the road for using Enkelt.ai.

Read

Cookie Policy

Cookies and similar tracking we use.

Read

Questions about security?

Email our team for the specifics — DPA, sub-processors, encryption design, incident response.

Email security@enkelt.ai

Security

Protocol · 2026

Security that does the work.

Field-level encryption, role-based access, and audit logging — the primitives behind every screen in Enkelt.ai.

Field-level encryption

Sensitive fields are encrypted before they hit the database.

AES-256-GCM

at rest

Phone & emergency contact●●●●●●●●enc

Passport & ID numbers●●●●●●●●enc

Salary & contract terms●●●●●●●●enc

Payout & bank details●●●●●●●●enc

256-bit key · authenticated encryption · unique IV per record

Platform primitives

Built-in controls — not bolt-on add-ons.

Every action a coach, manager, or player can take passes through the same auth, audit, and rate-limit layer.

Six-level role hierarchy

Owner, general manager, manager, coach, analyst, player. Fine-grained permissions plus wildcard scopes mean every screen only renders what the role is cleared to see.

Audit log on sensitive ops

Contract edits, salary changes, role grants, and exports are appended to an immutable audit trail with timestamp and actor identity.

Rate limiting on every endpoint

Public and authenticated API routes are guarded by per-key and per-IP limits to absorb abuse without degrading the rest of the platform.

API credential vault

Third-party API keys (Riot, FaceIT, Steam, PandaScore) are encrypted at rest with a separate envelope key, never returned in API responses.

Signed webhook verification

Inbound webhooks from Clerk (Svix) and Stripe are signature-verified on every request, with replay-protection tracking so retried events run exactly once.

Read-only admin impersonation

Platform admins can step into an organization to investigate issues, but every mutation is blocked while impersonating. Audit log captures who, when, and why.

Your data rights

GDPR is a baseline, not a feature.

Enkelt.ai is built in Norway. Your team's data is yours — export it, retain it, or remove it, on your schedule.

GDPR-aligned by design

We sign a Data Processing Agreement with every organization and process player data under documented lawful bases. The DPA is published — no NDA required.

Self-serve data export

Export everything your organization stores — rosters, contracts, scrim history, finance ledger — as structured files on demand.

Defined retention windows

Each data class has a documented retention window with scheduled cleanup. Cancel your subscription and your data is removed on the published schedule.

Parental consent for minors

Players under the age of legal consent require a verified guardian record before profile data, contracts, or contact details are accepted.

Documents

Read the legal stack.

Everything that governs how we handle your data lives at a stable URL.

What we collect, why, and how long we keep it.

Read

Data Processing Agreement

The processor-side contract for your team's data.

Read

The rules of the road for using Enkelt.ai.

Read

Cookie Policy

Cookies and similar tracking we use.

Read

Questions about security?

Email our team for the specifics — DPA, sub-processors, encryption design, incident response.

Email security@enkelt.ai