Security

The shape of the stack, and what we do with your data.

Hashmark runs on self-hosted infrastructure we own. We do not sell, share, or rent your league data, your archive, or the contents of your generated recaps. The bar is the bar a serious newsroom holds itself to with sources — your data is not a product input for anyone outside this company.

Infrastructure

  • Database: Self-hosted Postgres 16 with pgvector, running on a dedicated Hetzner server (studio-db-us-east). Schema-isolated. Daily backups to encrypted off-host object storage.
  • Application: Next.js on Vercel for the product surface, with ingestion handled by a Cloudflare Worker forwarding to a Supabase Edge Function running on the same Hetzner host as the database.
  • Observability: Self-hosted Sentry and PostHog, on the same Hetzner box. No third-party analytics, no Google Analytics, no Meta Pixel, no Mixpanel.
  • Edge: Cloudflare in front of the marketing surface and the ingestion endpoint. WAF rules and rate limiting at the edge.

Authentication

Hashmark uses Discord OAuth as the primary identity provider, with app-managed sessions on our own infrastructure. We do not use a third-party identity broker. Session cookies are HTTP-only, Secure, SameSite=Lax, and signed with a key held in our secrets vault.
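
The cookie scheme described above, shown as an added example in Node.js (not Hashmark's own code). The cookie name `session`, the HMAC-SHA256 construction, the helper names, and the constructed demo key are assumptions; the page states only the cookie attributes and that a vault-held key signs the cookie.

```javascript
// Added example: issue and verify a signed session cookie carrying the
// attributes the page lists (HttpOnly, Secure, SameSite=Lax).
const nodeCrypto = require('node:crypto');

// Assumption: a real deployment loads this key from the secrets vault at startup.
// The value below is constructed so the example runs offline.
const SIGNING_KEY = nodeCrypto.createHash('sha256').update('constructed-demo-key').digest();

// Hypothetical helper: an unguessable, opaque session identifier.
function newSessionId() {
  return nodeCrypto.randomBytes(32).toString('base64url');
}

// HMAC-SHA256 over the session ID, returned as raw bytes.
function mac(sessionId, key) {
  return nodeCrypto.createHmac('sha256', key).update(sessionId).digest();
}

// Build the Set-Cookie header value: "<id>.<signature>" plus the attributes.
function buildSessionCookie(sessionId, key = SIGNING_KEY) {
  const value = `${sessionId}.${mac(sessionId, key).toString('base64url')}`;
  return `session=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Return the session ID when the signature checks out, otherwise null.
function verifySessionCookie(cookieValue, key = SIGNING_KEY) {
  if (typeof cookieValue !== 'string') return null;
  const dot = cookieValue.lastIndexOf('.');
  if (dot <= 0) return null; // no separator, or empty session ID
  const sessionId = cookieValue.slice(0, dot);
  const given = Buffer.from(cookieValue.slice(dot + 1), 'base64url');
  const expected = mac(sessionId, key);
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (given.length !== expected.length) return null;
  return nodeCrypto.timingSafeEqual(given, expected) ? sessionId : null;
}
```

The signature makes the cookie tamper-evident, not confidential, so the value should stay an opaque identifier that maps to server-side session state.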

The Discord token we receive at sign-in is exchanged once for the user's account ID and avatar URL, and discarded. We do not store refresh tokens. We do not post to Discord on a user's behalf without an explicit, scoped grant from the league administrator.

Your franchise data

Companion App exports are received over TLS and written to the hashmark schema in our database. The data is yours. You can export it in full at any time from your account page. If you delete your account, we delete your franchise data inside 30 days, with the single exception of records subpoena-bound under US law (we have not received one).

The Playoff Vault has a database-level never-delete trigger that prevents accidental row deletion. The trigger raises a soul-aligned exception when fired. Cascade deletions from the league level are explicit and confirmed in product.

Generated content

Editorial recaps and synthesized college careers are generated using Anthropic Claude (Haiku 4.5, Sonnet 4.6, and Opus 4.7 depending on the surface). Anthropic processes the prompt and the response. Per Anthropic's API terms, your data is not used to train their models.

Voice recaps are produced via ElevenLabs Turbo v2 from text we generate. Audio is stored in our own object storage; ElevenLabs receives the text and returns audio.

Payments

Stripe handles all card data. Hashmark never sees a card number, CVV, or expiration. We store the Stripe customer ID, subscription state, and billing email. Nothing else from the payment flow lands in our database.

Disclosure

If you find a vulnerability in Hashmark, write to [email protected]. We acknowledge inside 48 hours. Responsible disclosure follows. We do not run a paid bounty program at this stage; we will maintain an acknowledgment page in the product once we ship one.

Compliance

Hashmark is operated by VaultSpark Studios LLC, a US-registered company. We comply with the CCPA, the GDPR for EU users, and applicable US privacy laws. A formal DPA is available for Studio-tier customers on request.