Dear members,
Atzsport.com takes care in how its members' personal data is processed. Our privacy policy is straightforward: unless you specifically request it, we won't send you anything; your personal information won't be disclosed to anyone; and we only use it to set up your account.
We use our security program to let you log into our website and to store your preferred settings. When you join, you only need to provide a few personal details so that we can keep you informed of upcoming live matches for your favorite teams.
This Policy is not intended to override the terms of any contract you have with us, nor rights you might have under data protection laws. Our aim is not just to comply with privacy law. It’s to earn your trust.
Security Program
Security is a dedicated team within ATZ Sport. The mission of our security team is to safeguard the data you store with us. We oversee a security program that focuses on the following areas: product security, infrastructure controls (physical and logical), policies, staff awareness, intrusion detection, and assessment activities.
The security team oversees an internal Incident Response (IR) program and instructs Atzsport staff members on how to file reports of shady conduct. Our IR team is constantly evaluating new technologies to increase our capacity to identify attacks on our infrastructure, services, and workers. We have policies and tools in place to address security issues.
We regularly check our applications and infrastructure for flaws and fix any that could jeopardize the security of consumer data. To broaden the scope and depth of these audits, our security team is always evaluating new tools.
Network Security
ATZSport uses a mix of load balancers, firewalls, and VPNs to construct its network perimeters. These are used to separate our production network from the rest of our computing infrastructure and to manage the services that we make available on the Internet. Based on business requirements, we restrict who has access to our production infrastructure and rigorously authenticate that access.
Account Security
Your password is never stored on Atzsport in plaintext. When we need to store your account password so that we can authenticate you, we use PBKDF2 (Password-Based Key Derivation Function 2) with a different salt for each credential. We choose the number of hashing iterations to balance ease of use against the difficulty of password cracking.
Although you are not required to create a strong password, our password strength meter will nudge you in that direction. To slow down password-guessing attacks, we limit failed login attempts on both a per-account and a per-IP-address basis.
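The two mechanisms described above, salted PBKDF2 password storage and per-account plus per-IP failed-login limits, as an added illustration that is not Atzsport's own code. The iteration count, window length, attempt limits, IP addresses and usernames are constructed for the example; the page does not state the values Atzsport uses.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed parameters: the page gives no iteration count or attempt limits.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password with a fresh random salt; return a self-describing record
    'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' so the parameters travel
    with the credential and can be raised later for new hashes."""
    salt = os.urandom(SALT_BYTES)  # different salt for every credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Hashed once at import so unknown usernames cost the same as wrong passwords,
# which keeps response time from revealing whether an account exists.
DUMMY_RECORD = hash_password("not-a-real-password")


class LoginThrottle:
    """Sliding-window counter of failed attempts, keyed per account and per client IP."""

    def __init__(self, max_per_account=5, max_per_ip=20, window_seconds=900):
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.window = window_seconds
        self.failures = defaultdict(list)  # (kind, key) -> failure timestamps

    def _recent(self, key, now):
        cutoff = now - self.window
        self.failures[key] = [t for t in self.failures[key] if t > cutoff]
        return len(self.failures[key])

    def is_blocked(self, username, ip, now=None) -> bool:
        now = time.time() if now is None else now
        return (
            self._recent(("acct", username.lower()), now) >= self.max_per_account
            or self._recent(("ip", ip), now) >= self.max_per_ip
        )

    def record_failure(self, username, ip, now=None):
        now = time.time() if now is None else now
        self.failures[("acct", username.lower())].append(now)
        self.failures[("ip", ip)].append(now)

    def record_success(self, username):
        self.failures.pop(("acct", username.lower()), None)


def attempt_login(users, throttle, username, password, ip, now=None) -> str:
    """Return 'throttled', 'denied' or 'ok'. The throttle is consulted before any
    password work so a locked-out account or IP cannot keep burning PBKDF2 time."""
    if throttle.is_blocked(username, ip, now):
        return "throttled"
    record = users.get(username, DUMMY_RECORD)
    if not (verify_password(password, record) and username in users):
        throttle.record_failure(username, ip, now)
        return "denied"
    throttle.record_success(username)
    return "ok"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    throttle = LoginThrottle()
    for _ in range(5):
        print(attempt_login(users, throttle, "alice", "guess", "203.0.113.5"))  # denied
    print(attempt_login(users, throttle, "alice", "correct horse battery staple", "203.0.113.5"))  # throttled
```

The record format stores the iteration count alongside the hash so that the server can raise the cost for new or rehashed credentials without breaking existing ones, and the two throttle keys mean a single source address spraying many accounts is stopped even though no individual account reaches its limit.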
All accounts are eligible for two-step verification (2SV), sometimes referred to as two-factor or multi-factor authentication. Our 2SV implementation is based on the time-based one-time password (TOTP) algorithm. All users can either generate codes locally with a mobile device application or opt to receive the codes by text message.
Product Security
Protecting your data requires a high level of security for our web service which is accessible via the Internet. To increase code security hygiene, our security team oversees an application security program. They also routinely test our service for common application security flaws including CSRF, injection attacks (XSS, SQLi), session management, URL redirection, and clickjacking.
All client applications from third parties are authenticated by our web service using OAuth. Without having to provide the application with your login information, OAuth offers a simple solution for you to link a third-party application to your account. We give the client an authentication token that they can use to validate their access going forward after they successfully log in to ATZ Sport. So, your username and password are never stored on your device by a third-party program.
Every client application that interacts with our service uses a well-defined Thrift API for all operations. By brokering all connections through this API, we can make authorization checks a fundamental element of the application design. The service does not allow direct object access; each client's authentication token is validated on every access to the service to make sure the client is authenticated and authorized to access a specific note or notebook.
The multi-tenant Atzsport service does not separate your data from the data of other users. On the same servers as your data may be the data of another user. Unless you specifically share it with another user, we consider your data to be private and do not allow access to it.
Media Disposal and Destruction
If any storage medium has ever been used to hold user data, we securely erase it or destroy it. To do this, we adhere to the advice provided by NIST in special publication 800-88. Please see this blog post for an example of how we securely destroy damaged hard drives.
We use local disks, persistent disks, and Google Cloud Storage buckets among other Google Cloud Platform (GCP) storage solutions. To make sure that reusing storage doesn't expose confidential client data, we make use of Google's cryptographic erasure procedures.
Activity Logging
The service logs client interactions with our services on the server side. This covers activity logging for activities made using our API as well as web server access logging. Our client applications' event data is likewise collected by us. In the Access History area of your Account Settings, you can check the most recent access times and IP addresses for any application connected to your account.
Transport Encryption
For both inbound and outbound emails, we support STARTTLS. Your email will be encrypted in transit to and from the Atzsport service if your mail service provider supports TLS.
We use IPSEC with GCM-AES-128 encryption or TLS to protect any client data moving between our data center and the Google Cloud Platform.
Resiliency / Availability
To make sure Atzsport is available when you need it, we use a fault-tolerant design. This applies to both our on-site data centers and our cloud architecture:
Power, HVAC, and fire suppression are among the fault-tolerant facility services that Google and our colocation vendor offer. All customer content is backed up at least once per day. We do not make backups on portable or removable media.
Physical Security
We use a combination of on-premises data centers and cloud services to run the Atzsport service.
Our data center infrastructure is locked in a private, monitored cage with round-the-clock security. Access to these data centers requires at least two authentication factors, and a third factor may include biometrics. A SOC-1 Type 2 audit of each of our data centers certifies that they are capable of keeping our infrastructure physically safe. Only Atzsport operations staff and data center employees have physical access to this infrastructure, and our operations team is notified, with video of the event, whenever someone enters our cage.
The Google Cloud Platform is what we use for our cloud services. Multiple certifications Google has passed demonstrate its capability to physically secure the data of ATZSport. You can read more about the security of the Google Cloud Platform here.
Your Rights
As a user of our site you have the following rights:
If you wish to exercise any of the above rights, please contact us by email: [email protected].
This policy was last modified on October 12, 2022.