Security Whitepaper

Last updated: October 12, 2025

1. Introduction

This Security Whitepaper describes the security framework, controls, and data protection measures implemented by G.O.A.T Sports AB / GOATNESS (“GOAT Sports”) in the operation of our Software-as-a-Service (SaaS) platform.

Our mission is to ensure the confidentiality, integrity, and availability of all customer data processed within our systems. GOAT Sports operates entirely in Microsoft Azure, leveraging its world-class cloud infrastructure while maintaining strict application-level and organizational security controls.

This document also serves as the official reference for subprocessors engaged by GOAT Sports, as referenced in our Data Processing Agreement (DPA).

 

 

2. Security Principles

We base our security program on five core principles:

  1. Confidentiality – Only authorized personnel and systems may access data.
  2. Integrity – Data is protected from unauthorized modification or loss.
  3. Availability – Services remain operational and resilient under all conditions.
  4. Accountability – All access, changes, and events are traceable and auditable.
  5. Compliance – All operations adhere to GDPR and applicable European data protection laws.

 

 

3. Shared Responsibility Model

GOAT Sports operates under a shared responsibility model with Microsoft Azure.

Area

Microsoft Azure

GOAT Sports

Physical data center security

✅ Full responsibility

Network and infrastructure

✅ Baseline protection

✅ Configuration and hardening

Platform services (Azure SQL, Storage, App Services)

✅ Maintenance & patching

✅ Secure configuration

Application layer

✅ Secure design, development, and operation

Customer data

✅ Management, protection, and access control

Identity & access

Shared

✅ Enforced via Azure AD policies

Compliance

✅ Certified infrastructure

✅ SaaS-level governance and GDPR compliance

 

 

4. Platform Architecture & Environment

GOAT Sports runs exclusively on Microsoft Azure, using PaaS services across the EU region.

Core components

  • Azure App Service – hosting APIs and web applications
  • Azure SQL Database – relational data storage (encrypted at rest)
  • Azure Blob Storage – encrypted file and media storage
  • Azure Key Vault – key and secret management
  • Azure Monitor – continuous monitoring and detection
  • Azure DevOps – CI/CD with integrated security checks

 

 

5. Identity & Access Management

  • Authentication is handled through Azure Active Directory (Azure AD).
  • Multi-Factor Authentication (MFA) is mandatory for all administrative accounts.
  • Role-Based Access Control (RBAC) enforces least privilege across environments.
  • Access reviews are performed quarterly.
  • Managed identities are used for service-to-service authentication (no embedded credentials).
  • Secrets and certificates are stored only in Azure Key Vault.

 

 

6. Data Protection

Encryption at Rest

  • Customer-Managed Keys (CMK) used for encrypting sensitive SQL data.

Encryption in Transit

  • TLS 1.2+ is enforced for all data transmission.
  • HTTPS enforced on all public endpoints.
  • Internal APIs communicate via secure private networks or mutual TLS.

Data Retention & Deletion

  • Data is retained only as long as necessary for service delivery or as instructed by the customer.
  • Upon termination, all personal data is securely deleted within 30 days, except backups, unless required by law.

 

 

7. Application Security

GOAT Sports integrates security into the full development lifecycle.

  • Dependency vulnerability scanning and automated patching.
  • Input validation and output encoding prevent XSS, SQL injection, and related attacks.
  • No hardcoded credentials – all secrets are stored in Azure Key Vault.

 

 

8. Logging, Monitoring & Incident Response

  • Centralized logging via Azure Monitor, Log Analytics, and Application Insights.
  • Microsoft Defender for Cloud provides automated detection of anomalies and vulnerabilities.
  • 24/7 alerting configured for critical security and availability events.
  • Incident Response Plan defines escalation paths, responsibilities, and notification procedures.
  • Personal data breaches are reported to affected customers without undue delay, in accordance with GDPR Article 33.

 

 

9. Business Continuity & Disaster Recovery

  • Geo-redundant storage and availability zones for all critical systems.
  • Daily encrypted backups retained for up to 1 year.
  • Recovery Point Objective (RPO): ≤ 15 minutes
  • Recovery Time Objective (RTO): ≤ 4 hours
  • Regular disaster recovery drills validate recovery procedures.

 

 

10. Compliance & Privacy

Infrastructure Certifications

Microsoft Azure complies with the most recognized international standards, including:

  • ISO/IEC 27001, 27017, 27018
  • SOC 1, SOC 2, SOC 3
  • GDPR, CSA STAR, HIPAA, FedRAMP (for applicable services)

GDPR Alignment

  • GOAT Sports acts as Data Processor, and customers are the Data Controllers.
  • Processing instructions, data types, and retention are defined in the DPA (Annex 1A).
  • Subprocessors are managed transparently and subject to the same data protection obligations.
  • International transfers rely on Standard Contractual Clauses (SCCs) or Data Privacy Framework where applicable.

 

 

11. Subprocessors

GOAT Sports engages the following subprocessors for specific operational functions (as referenced in the DPA): https://goatness.software/list-of-subprocessors/

 

 

12. Risk Management & Continuous Improvement

  • Risk assessments conducted annually and after major architecture changes.
  • Continuous improvement via lessons learned from incidents.
  • Monthly security reviews with leadership oversight.

 

 

13. Customer Responsibilities

While GOAT Sports provides a secure platform, customers share responsibility for:

  • Managing their users, roles, and access permissions.
  • Securing endpoint devices and browsers used to access the platform.
  • Reviewing logs and reports available via the customer portal.
  • Avoiding sharing of credentials or access tokens.

 

 

14. Governance, Law & Policy Updates

GOAT Sports continually monitors legal and regulatory changes to ensure ongoing GDPR compliance. Any material updates to subprocessors or processing activities are communicated to customers in advance in accordance with the DPA.