Public Security Posture

Effective Date: June 9, 2026

At FantasyPilot LLC, maintaining the confidentiality, integrity, and availability of your session data, fantasy league records, and financial ledger mappings is the foundation of our engineering standards. This Public Security Posture ("PSP") outlines the technical controls, architectural safety measures, and vulnerability disclosure policies we implement to secure our platform.

🔒 Security-First Engineering:
FantasyPilot is designed from the ground up to prevent data leaks. Our analytical backend incorporates private AWS subnets, IAM-authenticated database tunneling, and Data Leakage Prevention (DLP) for AI endpoints.

1. Network & Cloud Infrastructure Architecture

Our system is engineered using a container-first, isolated cloud architecture hosted on Amazon Web Services (AWS) and deployed via SST:

Virtual Private Cloud (VPC) Isolation: Our entire backend environment, serverless microservices, and databases are enclosed within an isolated, multi-availability zone AWS VPC (`sst.aws.Vpc`).
Private Subnet Databases: Our core PostgreSQL database (AWS Aurora Serverless v2 cluster) is situated within strictly private VPC subnets. It has zero exposure to the public internet. No public IP address is assigned to our database endpoints.
Bastion Host & Secure SSM Tunneling: Administrative, database connections required for system maintenance are restricted to IAM-authenticated AWS Systems Manager (SSM) secure session tunnels (`tunnel-rds.sh`). Direct SSH ports are completely disabled.
NAT Gateway Routing: Outbound connections required to synchronize data with third-party APIs (such as Sleeper) are securely routed through private NAT gateways, shielding our internal servers from direct inbound probing.

2. Cryptographic Controls & Data Storage

We implement rigorous cryptographic standards to protect data both at rest and in transit:

Encryption in Transit: All public traffic connecting to our landing page, APIs, and Chrome Extension endpoints is strictly encrypted using Transport Layer Security (TLS 1.3 / HTTPS). Unencrypted HTTP traffic is automatically blocked and redirected.
Encryption at Rest: Our database volumes, backups, and Amazon S3 storage buckets are encrypted using industry-standard AES-256 encryption algorithms, managed via AWS Key Management Service (KMS).
Clerk Identity Provider: We do not store or process user passwords on our infrastructure. All user authentication, credential storage, multi-factor authentication (MFA), and session token generation are delegated to Clerk, a leading secure identity provider.

3. Chrome Extension Sandboxing & Local Security

The official FantasyPilot Chrome Extension is designed with the principle of least privilege:

Minimal Permissions: The extension restricts its execution permissions strictly to the active tabs of `Sleeper.com` and `LeagueSafe.com`. It does not monitor your general web history, search terms, or other active domains.
Storage Sandboxing: Session tokens extracted for league synchronization (such as the Sleeper OAuth token) are stored strictly inside Chrome's sandboxed local extension storage (`chrome.storage.local`). Your browser ensures this data is completely isolated and inaccessible to other web domains or active extensions.
PII Cleansing: The extension extracts and transmits only the structural data of your leagues. It does not access, copy, or read browser autofill profiles, credit card inputs, or saved passwords.

4. AI Security & Data Leakage Prevention (DLP)

Integrating large language models (LLMs) requires strict measures to prevent data leakage and exposure:

PII Stripping & DLP: Before sending structural league schemas, trades, or strategies to the Google Gemini AI API, our ingestion pipeline strips all primary contact PII (such as user emails and billing addresses) from the prompts.
Developer API Privacy Guarantees: Our backend connects strictly to Google Gemini enterprise developer API endpoints. Under these terms, Google is contractually bound to not use data sent via our API to train, fine-tune, or prompt its public foundational models.
Output Sanitization: All AI-generated outputs returned by the LLM are parsed and sanitized on our backend before being rendered in your browser, shielding our users from potential down-stream script injections or structural script exploits.

5. Vulnerability Disclosure Policy (VDP) & Safe Harbor

We welcome ethical security researchers to evaluate our public-facing platforms and extension endpoints. If you discover a potential vulnerability, please report it immediately to our security engineering team.

Reporting Guidelines: Submit detailed, reproducible vulnerability reports to: support@fantasypilot.ai. Do not attempt to access, modify, or pollute the private league data or accounts of other FantasyPilot users. Do not conduct denial-of-service (DoS) attacks, model-poisoning tests, or automated spam-generation scripts. Provide us a reasonable window of ninety (90) days to remediate the vulnerability before disclosing it publicly.
Safe Harbor Commitment: If you conduct your security research in accordance with these guidelines, we commit to not pursuing civil litigation or law enforcement referral for your security research. We will collaborate with you to understand and remediate the issue rapidly, and provide public attribution and credit on our security hall-of-fame (upon request) once the issue is resolved.