AscendAscendBeta
  • Ascend AI
  • AI for Discord
Play
  • Matchmaking
  • Scrims
  • Tournaments
  • LFT/LFP
Discover
  • Scouting
  • Tracker
  • Crosshairs
  • Creatives
Store
  • Rewards
  • Shop
  • Marketplace
Ascend

Loading...

Legal · Security

Security & Data Protection

The technical and organizational measures Play Ascend, Inc. uses to keep personal data safe — encryption, access control, data minimization, retention, sub-processor governance, and incident response. This page is the security annex referenced by our Data Processing Addendum and Privacy Policy. Report a vulnerability to security@play-ascend.com.

Effective
June 19, 2026
Updated
June 19, 2026

01Our commitment

Play Ascend, Inc. ("Ascend", "we", "us") builds and operates the Ascend rewards platform and the Ascend rewards connector for Shopify (the "Connector"). This page describes the technical and organisational measures we use to keep data safe — both the data of our own users and the merchant store data we process on a merchant's behalf through the Connector.

Play Ascend, Inc. is a Delaware corporation located at 131 Continental Dr, Suite 305, Newark, Delaware 19713, USA. Our website is play-ascend.com.

Security is a continuous practice, not a checkbox. We design for least privilege, encrypt sensitive data, log what matters, and keep the amount of data we touch as small as the job allows. The measures below are the same controls that back the commitments in our Data Processing Addendum and Privacy Policy.

02Encryption

Layer What we do
In transit TLS everywhere — HTTPS on every web and API endpoint. Data moving between your browser, our services, and our sub-processors is encrypted in transit.
At rest AES-256 encryption at rest, managed by Supabase and AWS, for the database and the infrastructure that stores it.
Backups Database backups are encrypted (Supabase-managed, encrypted at rest).
Application-layer secrets The most sensitive secrets — OAuth access tokens and gift-card codes — get an additional layer of AES-256-GCM encryption at the application level, so they are encrypted before they ever touch the database. The encryption keys live in AWS Secrets Manager and are never stored in the database alongside the data they protect.

That last point matters: even with database access, the most sensitive values are unreadable without the keys, which sit in a separate, access-controlled secret store.

03Access control and authentication

We work from a least-privilege baseline:

  • Row-Level Security (RLS) is enabled on our data tables in Postgres, with explicit access policies, so a query can only return the rows the requester is entitled to.
  • Service-role credentials are least-privilege and scoped to the job they perform; user-facing tokens are scoped per session.
  • Staff sign in via OAuth (Google / Discord) — there are no shared passwords for access to our systems.
  • Service-to-service calls are authenticated with an internal shared key, so internal services only accept requests from other trusted internal services.
  • All external webhooks are HMAC-verified — including the Shopify compliance webhooks — so we only act on payloads we can cryptographically confirm came from the expected sender.
  • Access and admin actions are logged (see Audit logging) so privileged activity is attributable and reviewable.

04Network and application security

  • HTTPS / TLS on all traffic, as above.
  • Gateway isolation — backend domain services sit behind a gateway and authenticate inbound requests with the internal shared key and HMAC verification; they are not directly addressable by untrusted clients.
  • Input validation — request bodies, query parameters, and route parameters are validated against strict schemas before any handler runs, so malformed or unexpected input is rejected at the edge.
  • Secure development lifecycle — we write in TypeScript with strict type-checking, every change goes through code review, we maintain automated tests, and our CI runs type-checks and tests before code ships.

Audit logging

Access events and administrative actions are recorded in our audit and event tables, with alerting on noteworthy events. This gives us an attributable trail for investigation and review.

05Data minimisation and retention

The Connector is deliberately narrow. It processes only the fields needed to fulfil and track a reward order:

  • recipient name,
  • shipping address,
  • phone, and
  • order / fulfilment status.

It does not send the member's email address into the merchant's store, and it does not use store data for marketing, profiling, or analytics.

On retention and deletion:

  • We keep data only as long as we need it to provide the service or to meet a legal obligation.
  • The Connector honours Shopify's mandatory compliance webhooks — customers/data_request, customers/redact, and shop/redact — to support customer data-access and deletion requests and to redact a store's data after the app is uninstalled.
  • Account and data deletion is supported; residual copies in routine encrypted backups are purged on the normal backup cycle (within 30 days).

06Sub-processors

We use a small, vetted set of sub-processors. Each is engaged under a data-processing agreement with obligations no less protective than our own, and we give notice of changes.

Sub-processor Purpose Location
Supabase Database (Postgres) + authentication AWS ap-south-1 (Mumbai)
Amazon Web Services (AWS) Hosting / compute / infrastructure (Amplify web hosting; ECS Fargate services; Secrets Manager) AWS ap-south-1
Stripe Payments + subscription billing United States
Resend Transactional email United States
Discord / Google OAuth sign-in United States
Shopify The Connector — merchant store data Per the merchant's Shopify region

Governance: we vet sub-processors before engaging them, keep data-processing agreements in place with each, and bind them to confidentiality and security obligations. When we add or replace one, we give reasonable prior notice as described in the DPA.

07Incident response

We maintain a defined incident-response process covering detection, triage, containment, eradication, recovery, and notification.

  • Detection — audit logging and alerting surface noteworthy access and admin events for review.
  • Notification — if we confirm a personal data breach, we notify affected controllers and, where required, supervisory authorities without undue delay. Where the GDPR or UK GDPR applies, we aim to do so within 72 hours of becoming aware of the breach, and we provide the information a controller reasonably needs to meet its own obligations.
  • Post-incident review — after an incident we conduct a review to understand the root cause and to harden the system against a repeat.

08Business continuity and backups

Our database backups are encrypted and managed by Supabase, and our infrastructure runs on AWS, which provides the underlying availability and durability for our hosting and storage. Backups let us recover data and restore service in the event of data loss or a disruptive incident.

09Vulnerability management

  • We keep dependencies up to date and apply security patches promptly.
  • Our secure development lifecycle (TypeScript strict, code review, automated tests, CI type-checks) reduces the chance of introducing vulnerabilities in the first place.
  • Responsible disclosure — if you believe you've found a security issue in Ascend or the Connector, please report it to security@play-ascend.com. We welcome good-faith reports and will work with you to confirm and resolve the issue. Please give us a reasonable opportunity to fix it before any public disclosure.

10Certifications

We want to be straightforward here: Ascend does not currently hold a SOC 2 or ISO 27001 certification. The measures described on this page are real and in place, but we don't claim certifications we haven't obtained. If our certification status changes, we'll update this page.

11Contact

For security questions, to report a vulnerability, or for anything else covered by this page, email security@play-ascend.com. For data-protection and privacy matters, email privacy@play-ascend.com, or write to Play Ascend, Inc., 131 Continental Dr, Suite 305, Newark, Delaware 19713, USA.

On this page
  • Our commitment
  • Encryption
  • Access control and authentication
  • Network and application security
  • Data minimisation and retention
  • Sub-processors
  • Incident response
  • Business continuity and backups
  • Vulnerability management
  • Certifications
  • Contact
Ascend

Ascend is an esports gaming platform — tracker, shop, matchmaking, rewards, and Ascend AI for Discord communities.

Product
  • Tracker
  • Shop
  • Shop Affiliates
  • Players
  • Esports
  • Crosshairs
  • Marketplace
Community
  • Matchmaking
  • LFT/LFP
  • Scrims
  • Rewards
  • How rewards work
  • Rewards Partners
  • Become a Partner
  • Discord
Ascend AI
  • Overview
  • Docs
  • Pricing
  • Install
Company
  • Blog
  • Contact
  • Privacy
  • Terms
  • DPA
  • Security
© 2026 Ascend. All rights reserved.
TermsPrivacyContact