Security
HQ Baseline holds sensitive data about young athletes. We treat security as a continuous practice, not a checklist.
Encryption
- TLS 1.2+ for all data in transit
- AES-256 for data at rest
- Key management via cloud KMS with rotation
Access control
- Role-based access (athletic trainer, physician, admin)
- SAML SSO with Google, Microsoft, Okta on enterprise plans
- SCIM provisioning where supported
- Forced MFA for clinician accounts
Monitoring
- Centralized application and infrastructure logging
- Audit log of every data access and mutation
- Anomaly detection on production access patterns
Incident response
We maintain a documented incident response plan. Customers are notified of any incident affecting their data within the contractually agreed timeframe (and within 72 hours by default).
Third-party testing
We commission annual third-party penetration tests of the application and infrastructure. Customers can request a summary report under NDA.
Reporting a vulnerability
Security researchers — please email security@headquarters.health with technical details. We respond within one business day and, with the researcher's consent, recognize meaningful disclosures publicly.