Security
Security at Fanzava.
Your participants give you their data. We treat it accordingly.
This page covers how we protect it, the privacy frameworks we comply with, and what to forward to your IT team.
Who can see what.
Two layers — sign-in, and isolation.
Sign-in. Email and password, magic link, Google. On Enterprise plans, your participants sign in through your own identity provider. Passwords are stored in a form that can't be reversed, even if a database leaked. Two-factor authentication is available to everyone, and required for hub admins on Enterprise plans.
Your hub. Fanzava runs many companies' hubs on the same platform, but your hub's participants, scores, leaderboards, and settings live in their own space — completely separated from every other hub. No one in another hub can see your data. Within your hub, group leaderboards are visible only to members of that group.
Read more in our docs: Authentication methods · SSO · Multi-factor authentication · Tenant isolation
Where your data lives.
Enterprise hubs choose where their data lives: Australia (Sydney), the United States (Iowa), or the European Union (Belgium). Other plans run in Sydney by default. Your hub's data stays entirely within its region — leaderboards, profiles, settings, all of it.
Everything moving between your participants and Fanzava is encrypted. Everything stored is encrypted. For EU-region hubs, the encryption keys live in the EU as well — meaning data can't be decrypted outside the EU, by anyone.
Stripe handles all payments. Fanzava never sees card details.
Read more in our docs: Data residency · Data protection
Compliance you can show your team.
Aligned with the privacy and accessibility frameworks that matter for procurement.
| Framework | Status |
|---|---|
| GDPR | Compliant. |
| UK GDPR | Compliant. UK participants covered. |
| Australian Privacy Act | Compliant, including the Notifiable Data Breaches scheme. |
| WCAG 2.1 | AA conformance target across customer-facing interfaces. |
| PCI DSS | Out of scope — Stripe handles payments. |
Read more in our docs: Compliance posture · DPA & GDPR
Always informed.
What happens in your hub, you see. Admin actions, competition changes, sign-ins, account changes — all recorded in an audit log only you can access. You can export it any time. Enterprise plans can stream events to your existing security monitoring tools.
Security questions or issues go to security@fanzava.com — acknowledged within 24 hours, with progress updates every two days until resolved.
If a breach affects your participants' data, we'll tell you within 72 hours, with the detail you need to notify them yourself.
Read more in our docs: Audit logs · Monitoring, DLP & incident response
Built on infrastructure you trust.
Behind Fanzava are the same providers running banks, governments, and the platforms your team uses every day.
Read more in our docs: Compliance posture
For your IT or security team.
Built for the IT review. Detailed documentation, organised by topic.
Read the full security documentation
For procurement:
- Data Processing Agreement. Included in our Terms of Service for paid plans, with Standard Contractual Clauses by default. Separately executable for Enterprise.
- Sub-processor list. Published at fanzava.com/legal/sub-processors with 30 days' notice of changes.
- Security questionnaire. Available on request to Enterprise prospects under NDA.
- Architectural review documentation. Available to Enterprise customers under NDA.
Security disclosures: security@fanzava.com
Everything else: Contact us
Ready for your security review?
Talk to our enterprise team about SSO configuration, DPAs, data residency, and procurement support.