Security Policy

WedgeWoodAI Golf Club Management System

Last updated: 20 June 2026

1. Our Commitment

WedgeWoodAI takes the security of the GCMS National Platform and the data of all enrolled golf clubs, members, and administrators seriously. This policy outlines the technical and organizational measures we implement to protect your data against unauthorized access, loss, alteration, or disclosure.

2. Authentication & Access Controls

Password Security

All passwords are hashed using bcrypt with a cost factor of 12. Passwords are never stored in plain text. An 8-character minimum is enforced at registration, with a 128-character maximum to prevent denial of service through excessive hashing work.

Two-Factor Authentication (2FA)

TOTP-based two-factor authentication is available for all accounts using authenticator apps (Google Authenticator, Authy, etc.). A strict one-window tolerance is applied when 2FA codes are verified.

Brute-Force Protection

All authentication endpoints enforce rate limiting: accounts are temporarily locked for 15 minutes after 5 failed login attempts. This applies to password verification, 2FA code verification, and credential-checking endpoints.

Bot Protection

Cloudflare Turnstile integration is available for CAPTCHA-based bot protection on authentication flows. When configured, all requests are verified server-side before processing.

Google SSO

Google Sign-In is integrated via OAuth 2.0. Account-linking protections prevent unauthorized email takeover via third-party SSO providers.

3. Role-Based Access Control (RBAC)

The GCMS platform implements a multi-level authorization system to ensure users can only access data and perform actions appropriate to their role:

  • Admin: Full platform access. Manage users, roles, clubs, and all data. Can grant or revoke platform access.
  • Editor: Read and write access. Can onboard clubs, manage events, and modify platform data.
  • Viewer: Read-only access. Can view dashboards, clubs, events, and tee time data.

All API endpoints verify both authentication (valid session) and authorization (sufficient role level) before processing requests. Middleware enforces platform role requirements at the routing level.

4. Infrastructure & Transport Security

HTTPS Everywhere

All platform traffic is encrypted in transit using TLS. HTTP Strict Transport Security (HSTS) is enforced with a 2-year max-age, including subdomains and preload.

Security Headers

Every response includes the following headers: X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy (camera, microphone, and geolocation disabled).

API Security

All API responses include Cache-Control: no-store to prevent sensitive data caching. Session cookies are HTTP-only with SameSite=Lax and Secure flags in production.

Database Security

Databases are hosted on managed infrastructure with encrypted connections. Application queries use parameterized statements via Prisma ORM, which prevents SQL injection.

5. Input Validation & Data Integrity

  • Email addresses are validated against strict format rules and normalized (lowercased, trimmed) across all endpoints.
  • All user input fields have length limits to prevent excessively large payloads and database abuse.
  • Enum-type fields (roles, course types, statuses) are validated against strict whitelists.
  • 2FA codes are sanitized to numeric-only characters and validated for exact 6-digit length.
  • API responses never expose internal error messages, stack traces, or database identifiers to clients.

6. Incident Response

In the event of a security incident or data breach:

  1. We will investigate and contain the incident immediately upon detection.
  2. Affected users and club administrators will be notified as soon as practicable, and no later than required by law.
  3. We will report notifiable privacy breaches to the Office of the Privacy Commissioner as required under the Privacy Act 2020.
  4. We will implement remedial measures to prevent recurrence and document the incident for audit purposes.

7. Responsible Disclosure

If you discover a security vulnerability in the GCMS platform, we encourage responsible disclosure. Please report vulnerabilities to [email protected]. We ask that you do not publicly disclose the vulnerability until we have had an opportunity to investigate and address it. We commit to acknowledging receipt within 48 hours and providing an initial assessment within 5 working days.

8. Continuous Improvement

We regularly review and update our security practices to address emerging threats and vulnerabilities. This includes periodic security audits, dependency updates, and monitoring for known vulnerabilities in platform components. This policy is reviewed quarterly and updated as necessary.

9. Contact

WedgeWoodAI Limited

Security Team

Email: [email protected]

New Zealand