# MarkSet Department Security Packet

Status: working packet for counsel, IT, compliance, and procurement review.

## Product Boundary

MarkSet turns measurable-sport results into private recruiting workflows for verified college programs. The first lane is track, cross country, and running. The product separates performance review from sensitive contact action.

## Data Flow

1. Public lead form submits to `/api/leads`.
2. Coach-owned or approved result files enter an import queue.
3. Imported rows are mapped to athlete, event, mark, source, class year, roster lane, and notes.
4. Contact data remains gated from performance-only ranking views.
5. Verified Fit reports are generated with source confidence, roster gap, progression, standard fit, consent posture, and safe next action.
6. Audit logs record imports, edits, views, exports, consent changes, source reviews, and report generation.

## Access Model

- Coach: program board, standards, roster gaps, evaluations.
- Recruiting coordinator: imports, mapping, notes, board operations.
- Compliance: contact posture, audit exports, source review, restricted action review.
- Department admin: workspace, roles, billing, security packet.
- Family/athlete: profile visibility, export, deletion request, access log.
- Partner: approved feed or file submission only.
- System admin: support and security operations with least privilege.

## Security Controls

- HTTPS-only transport.
- Managed encrypted storage at rest through selected vendors.
- Role-based access control and row-level security before production launch.
- MFA for privileged roles before institutional pilots.
- Source-rights labels on imports.
- Sensitive fields separated from performance-only workflows.
- Audit events for import, view, edit, export, consent, source review, and report generation.
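
The sketch below is an added example, not MarkSet code: it shows one way the separation of sensitive fields, workspace row scoping, and view audit events listed above can be enforced in a single read path. The contact column names, the role-to-view policy, and the `read_rows` and `AuditLog` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Field groups are assumptions based on the import mapping in Data Flow;
# the contact column names are hypothetical.
PERFORMANCE_FIELDS = {"athlete", "event", "mark", "source", "class_year", "roster_lane"}
CONTACT_FIELDS = {"email", "phone"}
VIEW_FIELDS = {"performance": PERFORMANCE_FIELDS,
               "contact": PERFORMANCE_FIELDS | CONTACT_FIELDS}
# Hypothetical policy: which role may open which view. Unlisted roles get nothing.
VIEW_POLICY = {
    "coach": {"performance"},
    "recruiting_coordinator": {"performance"},
    "compliance": {"performance", "contact"},
}


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, actor, role, action, workspace, allowed, rows):
        self.events.append({
            "ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
            "role": role, "action": action, "workspace": workspace,
            "allowed": allowed, "rows": rows})


def read_rows(rows, actor, role, workspace, view, audit):
    """Return one workspace's rows, projected to the fields the view allows."""
    allowed = view in VIEW_POLICY.get(role, set())  # deny by default
    if not allowed:
        audit.record(actor, role, f"view:{view}", workspace, False, 0)
        raise PermissionError(f"{role} may not open the {view} view")
    keep = VIEW_FIELDS[view]
    # Row-level filter first (workspace scoping), then field-level projection.
    out = [{k: v for k, v in r.items() if k in keep}
           for r in rows if r["workspace"] == workspace]
    audit.record(actor, role, f"view:{view}", workspace, True, len(out))
    return out


# Constructed sample rows, not real data.
SAMPLE_ROWS = [
    {"workspace": "ws-a", "athlete": "Runner One", "event": "1500m", "mark": "4:12.30",
     "source": "coach_file", "class_year": 2027, "roster_lane": "distance",
     "email": "runner@example.test", "phone": "555-0100"},
    {"workspace": "ws-b", "athlete": "Runner Two", "event": "800m", "mark": "1:58.10",
     "source": "partner_feed", "class_year": 2026, "roster_lane": "mid-distance",
     "email": "two@example.test", "phone": "555-0101"},
]
```

Denied reads are logged as well as allowed ones, so the audit trail shows attempted access to the contact view, not only successful views.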

## Retention

Retention windows must be finalized with counsel and school contracts. Working buckets:

- Lead requests: 24 months unless deletion is requested.
- Coach-owned import files: contract-defined retention.
- Performance records: workspace-controlled retention.
- Contact fields: shortest practical retention and deletion/export request support.
- Audit logs: longer retention for accountability and security review.

## Incident Response

1. Triage and severity classification.
2. Containment and credential/session rotation if needed.
3. Investigation and affected data identification.
4. Notification based on contract, law, and school requirements.
5. Remediation and written post-incident record.

## Vendor Risk

Known or planned vendors must be maintained in the subprocessor register before paid institutional pilots. Current intended categories include hosting/CDN, database/auth, email or lead routing, analytics, storage, and document export.

## Legal Review Gate

This packet is not legal advice. Before production sales, MarkSet needs counsel review for COPPA, FERPA adjacency, NCAA/contact workflows, state privacy laws, DPA terms, accessibility, platform terms, and source-rights rules.
