Trust & Data Integrity
How Pathways protects your evaluation data
Evaluation Integrity Chain
Every submitted evaluation is sealed with a SHA-256 cryptographic hash at the moment of submission. This hash captures the complete evaluation content: pillar scores, sub-attribute scores, evaluator identity, event context, and timestamp.
Each evaluation chains to the previous one in the player's history, creating a linked record across all organizations. Tampering with any evaluation breaks the chain and is detectable instantly.
- Coaches cannot alter scores after submission
- Administrators cannot silently delete evaluation records
- No one can backdate an evaluation into an existing chain
- The chain is verifiable on demand by any authorized viewer
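The chaining and verification described above, as an added Python example that is not Pathways' own code. The record layout, field names, canonical-JSON encoding, all-zero genesis value and the separately stored head hash (`expected_head`) are assumptions made for illustration; the sample data is constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for a player's first evaluation

def seal(content, prev_hash):
    """Hash the evaluation content together with the previous record's hash."""
    # Canonical JSON (sorted keys, fixed separators): equal content, equal hash.
    payload = json.dumps({"content": content, "prev_hash": prev_hash},
                         sort_keys=True, separators=(",", ":")).encode()
    return {"content": content, "prev_hash": prev_hash,
            "hash": hashlib.sha256(payload).hexdigest()}

def append(chain, content):
    """Seal a new evaluation onto the end of one player's chain."""
    chain.append(seal(content, chain[-1]["hash"] if chain else GENESIS))

def verify(chain, expected_head=None):
    """Return (ok, reason). expected_head is a head hash kept outside the store."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev:
            return False, f"record {i}: link to previous record broken"
        if seal(rec["content"], rec["prev_hash"])["hash"] != rec["hash"]:
            return False, f"record {i}: content does not match its hash"
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head hash differs from the anchored value"
    return True, "ok"

def sample_chain():
    """Constructed sample data; field names and the PTH id are made up."""
    chain = []
    for n, (org, score) in enumerate([("club-a", 6.5), ("academy-b", 7.0), ("uni-c", 7.5)]):
        append(chain, {"player": "PTH-0000-0000", "org": org, "evaluator": f"coach-{n}",
                       "event": "trial", "pillars": {"technical": score},
                       "sub_attributes": {"first_touch": score},
                       "timestamp": f"2024-0{n + 1}-01T10:00:00Z"})
    return chain

if __name__ == "__main__":
    chain = sample_chain()
    head = chain[-1]["hash"]
    print(verify(chain, head))                      # intact chain
    edited = sample_chain()
    edited[1]["content"]["pillars"]["technical"] = 9.5
    print(verify(edited, head))                     # score changed after submission
    print(verify(chain[:1] + chain[2:], head))      # middle record deleted
    print(verify(chain[:2], head))                  # newest record deleted
```

In this sketch, removing the newest record is only caught because the verifier compares against a head hash held outside the record store; without `expected_head`, a truncated chain still links correctly.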
Organization Privacy
Your evaluation data belongs to your organization. Pathways enforces strict boundaries between organizations at every level of the platform.
- Coach notes and AI-generated development insights never cross organization boundaries
- Cross-organization visibility, when enabled, shows standardized pillar scores only
- All server actions are scoped to the authenticated user's organization
- Organizations act as data controllers; Pathways is the data processor
Your coaching observations, development narratives, and strategic assessments stay within your organization. What crosses boundaries is the standardized evaluation data that makes the Pathways ecosystem valuable for player development.
Player Portability
Every player registered on Pathways receives a unique Pathways ID (format: PTH-XXXX-XXXX) that follows them from club to academy to university to national program. This portable identity is the foundation of the Pathways ecosystem.
- Cross-organization data sharing requires explicit parental consent for minors
- Players aged 18 and over control their own portability settings
- Source organizations approve data access for active players
- The integrity chain verifies data authenticity across every organization in the network
Security Infrastructure
Pathways is built with security at every layer of the stack.
- Database — PostgreSQL on Supabase (AWS US East), AES-256 encryption at rest
- Transport — TLS encryption for all data in transit
- Authentication — Session-based auth with secure, httpOnly cookies
- Authorization — Organization-scoped access controls on all server actions
- Roles — Role-based access control (admin, coach, evaluator, viewer, selector)
- Rate Limiting — Throttling on authentication and API endpoints
- Audit — Automated security audit with 187 assertions run on every commit
- Integrity — SHA-256 cryptographic hash chain on all submitted evaluations
Children's Data
The majority of Pathways users are youth athletes. We take the protection of children's data seriously.
- COPPA-compliant parental consent flow is built into the platform for minors under 18
- Organizations are responsible for obtaining consent before entering any player data for minors
- Cross-organization visibility for minors requires explicit parental opt-in at enrollment
- Age-appropriate data visibility controls limit the granularity of cross-org data for minors
- Parents can contact us at any time to access or manage their child's data
Data Processing Model
Pathways operates under the standard B2B SaaS data processing model:
- Data Controller — Your organization. You determine what data is collected and are responsible for obtaining appropriate consent.
- Data Processor — Pathways. We process data on your behalf to provide the platform, and only for the purposes described in our privacy policy.
We do not sell data. We do not use data for advertising. We do not share evaluation data between organizations without explicit consent.
Contact
For questions about data integrity, security, or privacy, contact us at: privacy@pathways.id
See also: Privacy Policy and Terms of Service