Security & Compliance

Last updated: 24 April 2026

SC Marlow Collective LLC ("we", "us") operates Max Portal from Dallas, Texas, USA. This page summarises the technical, organisational, and legal safeguards we apply to protect users, their data, and the platform itself across the United States, the United Kingdom, and the European Union.

1. Platform security controls

  • Authentication: email/password with bcrypt hashing, Google OAuth, and session tokens with automatic refresh. Leaked-password screening (HIBP) on signup and password change.
  • Authorization: Postgres Row Level Security (RLS) on every user-data table. Role checks are isolated in a dedicated user_roles table to prevent privilege escalation.
  • Transport: TLS 1.2+ everywhere. HSTS on the apex domain. Certificates managed by Cloudflare.
  • Storage: AES-256 at rest for database and file storage (Supabase / Cloudflare R2).
  • Payments: processed by Stripe. We never see, store, or transmit raw card data — PCI-DSS scope is reduced to SAQ-A.
  • Secrets: stored in encrypted environment variables. Service-role keys are server-only and never reach the browser bundle.
  • Webhooks: all inbound webhooks (Stripe, email) verify HMAC signatures before any database write.
  • Rate limiting & DDoS: Cloudflare edge with bot management, WAF rules, and per-IP throttling.

2. OWASP Top 10 (2021) coverage

  • A01 Broken Access Control: RLS + security-definer functions; the userId used at checkout is derived from the verified JWT, never from the request body.
  • A02 Cryptographic Failures: TLS in transit, AES-256 at rest, bcrypt for passwords, signed JWTs with rotating keys.
  • A03 Injection: parameterised queries via the Supabase SDK; user input validated with Zod schemas on the server.
  • A04 Insecure Design: least-privilege roles (admin / host / subscriber), separate sandbox and live Stripe environments, no implicit trust between services.
  • A05 Security Misconfiguration: CSP, X-Frame-Options, Referrer-Policy and Permissions-Policy headers; security-definer DB functions pin search_path.
  • A06 Vulnerable Components: dependencies scanned weekly; Supabase, Stripe, and Cloudflare run managed, patched infrastructure.
  • A07 Identification & Authentication Failures: HIBP password check, lockout on repeated failures, secure session cookies, optional MFA on admin accounts.
  • A08 Software & Data Integrity: signed deploys, immutable build artefacts, webhook signature verification.
  • A09 Logging & Monitoring: append-only audit_logs table with actor, action, target, IP, user-agent, and metadata. Retained for 2 years.
  • A10 Server-Side Request Forgery: outbound calls restricted to a vetted allow-list (Stripe, Agora, Resend, Supabase, Google).
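The A01 point above (identity taken from the verified JWT, not from the request body) is shown below as an added TypeScript example; it is not Max Portal's code and does not use the Supabase SDK. It assumes an HS256-signed JWT whose `sub` claim is the user id, a shared secret available only on the server, and a hypothetical `resolveCheckoutUser` step that a checkout route would call before creating a session; the secret and tokens are constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

export interface Claims {
  sub: string;   // user id
  exp: number;   // expiry, unix seconds
  role?: string; // e.g. "authenticated"
}

const b64url = (buf: Buffer): string => buf.toString("base64url");

// Decode one base64url JSON segment; null on any malformed input.
function decodeJsonSegment(segment: string): Record<string, unknown> | null {
  try {
    const parsed: unknown = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
    return parsed !== null && typeof parsed === "object" ? (parsed as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

// Issuer side, kept here only to produce tokens for the example; in production the
// auth provider issues the JWT and the application only verifies it.
export function signJwt(claims: Claims, secret: string): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" }), "utf8"));
  const payload = b64url(Buffer.from(JSON.stringify(claims), "utf8"));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  return `${header}.${payload}.${b64url(sig)}`;
}

// Verifier: pin the algorithm, check the MAC in constant time, then check expiry.
export function verifyJwt(token: string, secret: string, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;

  const header = decodeJsonSegment(h);
  if (!header || header.alg !== "HS256") return null; // refuse "none" and any other alg

  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;

  const claims = decodeJsonSegment(p);
  if (!claims) return null;
  const sub = claims.sub;
  const exp = claims.exp;
  const role = claims.role;
  if (typeof sub !== "string" || typeof exp !== "number" || exp <= now) return null;
  return { sub, exp, ...(typeof role === "string" ? { role } : {}) };
}

export interface CheckoutRequest {
  authorization?: string;                     // "Bearer <jwt>"
  body: { priceId: string; userId?: string }; // any userId here is untrusted client input
}

export type CheckoutIdentity = { ok: true; userId: string } | { ok: false; status: 401 };

// The identity a checkout session is created for comes only from the verified token.
export function resolveCheckoutUser(req: CheckoutRequest, secret: string, now: number): CheckoutIdentity {
  const auth = req.authorization ?? "";
  if (!auth.startsWith("Bearer ")) return { ok: false, status: 401 };
  const claims = verifyJwt(auth.slice("Bearer ".length), secret, now);
  if (!claims) return { ok: false, status: 401 };
  // req.body.userId is deliberately never read: a caller cannot check out "as" another user.
  return { ok: true, userId: claims.sub };
}
```

The design choice worth noting is that `body.userId` is not validated against the token and then used; it is simply ignored, so there is no code path in which the client-supplied value can reach the payment provider.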

3. Personal-data risk & legal basis

We process personal data under the following legal bases (UK-GDPR / EU-GDPR Article 6):

  • Contract — to deliver the Service you signed up for (account, broadcasts, payments).
  • Legal obligation — tax records, DMCA notices, court orders.
  • Legitimate interest — fraud prevention, abuse detection, security logging — balanced against your rights and freedoms.
  • Consent — optional product updates and broadcaster onboarding emails.

Under CCPA / CPRA (California) and the Texas Data Privacy & Security Act (TDPSA), you have the right to access, correct, delete, and port your personal information, and to opt out of targeted advertising and the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioural advertising.

4. Audit logging

Privileged actions — admin moderation, payment events, role changes, room termination, and account deletion — are written to an append-only audit_logs table with actor, IP, user-agent, target, and metadata. Logs are retained for 2 years and are available to admins only. Users may request a copy of audit entries relating to their own account at privacy@scmarlowcollective.com.

5. Incident response

  1. Detect — automated alerts on auth anomalies, error spikes, payment-webhook failures, and unusual data exports.
  2. Contain — affected credentials/keys are rotated within 1 hour; impacted accounts are temporarily locked.
  3. Assess — scope, data categories, and affected jurisdictions are determined within 24 hours.
  4. Notify — where the GDPR/UK-GDPR threshold is met, we notify the ICO or the relevant EU supervisory authority within 72 hours and affected users without undue delay. US state-law notifications follow the timelines required by the relevant state (e.g. Texas BNL 60 days).
  5. Remediate & review — root-cause analysis and corrective controls within 30 days.

Report a vulnerability or suspected incident: security@scmarlowcollective.com. We follow coordinated disclosure and will acknowledge reports within 2 business days.

6. Risk checks for hosts & broadcasters

  • Broadcaster Terms acceptance is recorded with version, IP, and user-agent on every Go Live.
  • Paid hosts complete Stripe Connect KYC (identity, business details, payout account) before charges are enabled.
  • Real-time viewer caps and room locking limit exposure to leaked join codes.
  • One-tap reporting on every room; admin moderation queue with documented review notes.
  • Recordings are stored privately by default; hosts control deletion and sharing.

7. Children & sensitive data

The Service is not directed at children under 13 (COPPA) and we do not knowingly collect their data. We do not collect biometric identifiers, health records, or government-issued IDs (Stripe handles KYC documents directly under their own controls).

8. Disclaimer & limitation of liability

The Service is provided "as is" and "as available" without warranties of any kind, express or implied, including merchantability, fitness for a particular purpose, and non-infringement. SC Marlow Collective LLC does not guarantee uninterrupted or error-free operation, nor that the Service will meet every user's specific requirements.

To the maximum extent permitted by law, SC Marlow Collective LLC, its members, officers, employees, and affiliates shall not be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or any loss of profits, revenue, data, goodwill, or business opportunities, arising out of or relating to the Service. Our aggregate liability is capped per Section 8 of the Terms of Service.

Hosts and broadcasters are solely responsible for the content they transmit, the accuracy of any statements made, the rights they hold in such content, and compliance with applicable laws (including consumer protection, advertising, tax, and intellectual-property laws). SC Marlow Collective LLC acts as a neutral conduit and does not endorse user-generated content.

9. Compliance frameworks & sub-processors

We align our controls with OWASP ASVS Level 2, CIS Controls v8, and NIST CSF 2.0. Sub-processor security postures (Supabase, Stripe, Cloudflare, Agora, Resend, Google) are reviewed annually; all operate under SOC 2 Type II or equivalent. Cross-border transfers rely on Standard Contractual Clauses (UK Addendum where applicable) and the EU-US Data Privacy Framework.

10. Contact

SC Marlow Collective LLC
Dallas, Texas, USA