Security Policy
Last updated: February 18, 2026
PlayKorte takes the security of our Platform and your data seriously. This page describes our security practices and how to report vulnerabilities.
1. Our Security Practices
We implement the following measures to protect the Platform and your data:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
- Authentication: User sessions are managed through Supabase Auth with cookie-based sessions and role-based access control.
- Database security: Row Level Security (RLS) policies enforce data isolation between users. All database queries use parameterized statements to prevent injection attacks.
- Payment security: PlayKorte does not store credit card numbers, bank account numbers, or other sensitive payment credentials. All payment processing is handled by PayMongo, a PCI DSS-compliant payment processor.
- Access control: Administrative access to production systems is restricted to authorized personnel with multi-factor authentication.
- Dependency management: We monitor third-party dependencies for known vulnerabilities and apply updates regularly.
2. Reporting a Vulnerability
If you discover a security vulnerability in the Platform, please report it to us responsibly:
Email: security@playkorte.com
When reporting, please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce the issue.
- Any supporting evidence (screenshots, logs, etc.).
What to expect
- Acknowledgment: We will acknowledge your report within 72 hours.
- Triage: We assess all reports by severity (critical, high, medium, low) and prioritize accordingly.
- Updates: We will keep you informed of our progress as we work to resolve the issue.
We ask that you:
- Give us reasonable time to investigate and address the issue before disclosing it publicly.
- Not access, modify, or delete other users' data during your research.
- Not disrupt the availability of the Platform.
3. How We Handle Vulnerabilities
We prioritize security issues based on severity and potential impact:
- Critical and high severity issues (e.g., authentication bypass, data exposure, payment manipulation) are treated as top priority and addressed ahead of feature work.
- Medium and low severity issues (e.g., missing security headers, information disclosure) are addressed in our regular development cycle.
We are a small team and do not publish fixed resolution timelines, but we take every report seriously and act in good faith to resolve issues promptly.
4. Personal Data Breach Response
PlayKorte maintains a documented personal data breach response procedure aligned with Republic Act No. 10173 and NPC Circular 16-03.
- We start incident triage immediately once a potential breach is detected.
- We document containment actions, impact assessment, and evidence preservation.
- For notifiable personal data breaches, we notify the National Privacy Commission (NPC) and affected data subjects within seventy-two (72) hours from knowledge of the breach.
- We issue follow-up updates to the NPC and affected data subjects when material new information is identified.
Internal procedure: Personal Data Breach Response Procedure
5. Scope
This policy applies to:
- playkorte.com and all subdomains.
- The PlayKorte web application and dashboard.
- The PlayKorte API.
Out of scope:
- Third-party services we integrate with (PayMongo, Resend, Supabase hosted infrastructure). Please report vulnerabilities in those services directly to their respective security teams.
- Social engineering attacks against PlayKorte staff or users.
- Denial of service attacks.
6. Contact
For security concerns: security@playkorte.com
For general support: support@playkorte.com