Trust

Security

Last updated: April 24, 2026

Gyms and studios trust Panta with some of their most sensitive information: member profiles, health notes, schedules, and payment details. Protecting that data is foundational to the Service, not an afterthought. This page describes the administrative, technical, and physical safeguards we use to keep customer data secure.

Our approach

Panta follows a defense-in-depth security model built around four principles: encrypt everything, grant the least privilege necessary, monitor continuously, and plan for failure. Security is owned by the entire engineering team and reviewed regularly as part of our development lifecycle.

We align our controls with industry-recognized frameworks such as ISO 27001, SOC 2, and the OWASP Application Security Verification Standard, and we continuously evolve them as the threat landscape changes.

Infrastructure

Panta is hosted on top-tier cloud providers whose data centers are certified to ISO 27001, SOC 1/2/3, PCI DSS, and similar standards. Physical access to the underlying infrastructure is managed by these providers and is strictly controlled, audited, and monitored 24/7.

  • Network isolation. Services run inside private virtual networks with strict firewall rules. Only a small set of hardened ingress points is exposed to the public internet.
  • High availability. Critical components are deployed across multiple availability zones so that the loss of any single zone does not interrupt the Service.
  • Hardened images. Servers are provisioned from minimal, regularly-patched base images and configured with security-hardening baselines.

Encryption

All customer data is encrypted both in transit and at rest.

  • In transit. Traffic to and from Panta is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enabled across all domains, and older protocols and weak cipher suites are disabled.
  • At rest. Databases, object storage, and backups are encrypted at rest using AES-256. Encryption keys are managed through our cloud provider's key management service with strict access controls and audit logging.
  • Passwords and secrets. User passwords are stored as salted one-way hashes using a modern password-hashing algorithm. Application secrets are stored in a dedicated secret manager and are never committed to source control.

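The following is an added illustration of the "passwords and secrets" item above; it is example code written for this page, not Panta's own implementation. It shows what a salted one-way password hash looks like when done with a memory-hard algorithm (scrypt from the Python standard library), why each record carries its own random salt, and why verification must use a constant-time comparison. The work factors, the record format, and the sample passwords are this example's assumptions.

```python
"""Salted one-way password hashing with a memory-hard KDF (scrypt).

Example code for illustration only; not Panta's implementation. The work
factors, record layout and sample passwords below are assumptions.
"""
import hashlib
import hmac
import os

# Assumed work factors: N=2**14, r=8, p=1 needs roughly 128*N*r = 16 MiB
# of RAM per hash, which is what makes brute force on GPUs/ASICs expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$hash_hex.

    A fresh random salt per record means two users with the same password
    get different hashes, so a precomputed table is useless and a leak of
    one record reveals nothing about the other.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_BYTES,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and
    compare in constant time. A malformed record is simply rejected."""
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except (ValueError, TypeError):
        return False
    # compare_digest does not short-circuit on the first differing byte,
    # so an attacker cannot learn a prefix of the hash from response time.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record is weaker than the current policy, so it
    can be upgraded transparently the next time the user logs in."""
    try:
        algo, n, r, p, _salt, _hash = record.split("$")
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return True
    return algo != "scrypt" or n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    print("per-record salt gives distinct hashes:", rec_a != rec_b)
    print("correct password accepted:", verify_password("correct horse battery staple", rec_a))
    print("wrong password rejected:", not verify_password("Correct horse battery staple", rec_a))
    print("old parameters flagged for upgrade:", needs_rehash("scrypt$1024$8$1$00$00"))
```

Storing the parameters inside each record is what lets the work factors be raised later without a migration: old records still verify, and `needs_rehash` tells the login path to re-hash with the current policy once it has the plaintext in hand.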
Access controls

Access to production systems and customer data is restricted to a small number of authorized Panta personnel who need it to operate the Service.

  • Single sign-on and MFA. Employee access to internal tools is gated behind single sign-on with multi-factor authentication enforced.
  • Role-based access. Permissions are granted on a least-privilege basis and are reviewed regularly. Sensitive actions require additional approval.
  • Joiner, mover, leaver. Access is provisioned when employees are onboarded and revoked promptly when they change roles or leave the company.
  • Audit logging. Administrative and data-access actions are logged and retained for review.

Application security

Security is built into our development process from the start.

  • Secure development. All changes are peer-reviewed, run through automated tests, and scanned for known vulnerabilities before being deployed.
  • Dependency management. We continuously monitor third-party dependencies for known vulnerabilities and patch them promptly.
  • Static and dynamic analysis. We use automated tooling to catch common classes of vulnerabilities such as injection, XSS, and insecure deserialization.
  • Penetration testing. We engage independent third-party security firms to perform penetration tests and remediate findings.

Payment security

Payment card data is handled by PCI DSS-compliant payment processors. Card numbers never touch Panta's servers; cardholders enter them directly with the processor, and we work exclusively with the tokenized references the processor returns. Because Panta stores no primary account numbers, most of the cardholder-data environment stays out of our scope, which reduces the risk to your members.

Monitoring and incident response

We monitor the Service around the clock using a combination of automated alerting, anomaly detection, and on-call engineers.

  • Continuous monitoring. Infrastructure, application, and security events are collected centrally and correlated to detect unusual activity.
  • Incident response plan. We maintain a documented incident response plan, regularly tested through tabletop exercises, covering detection, containment, eradication, recovery, and post-incident review.
  • Customer notification. In the event of a data breach affecting your data, we will notify affected customers without undue delay and in accordance with applicable law, including guidance on the nature of the incident and remediation steps.

Backups and availability

We take regular encrypted backups of customer data and test restoration procedures routinely to ensure data can be recovered quickly in the event of an incident. Backups are stored separately from production data with independent access controls. We target high service availability and publish our operational status and incident history for customers to review.

Employee security

Every Panta employee signs a confidentiality agreement as part of onboarding, completes security and privacy training at least annually, and is subject to background checks where permitted by law. Company-issued devices are centrally managed with full-disk encryption, screen locks, endpoint protection, and automatic updates.

Vendor and sub-processor management

We carefully vet the vendors and sub-processors that support the Service, evaluating their security posture, compliance certifications, and data-protection practices before engaging them. Contracts with sub-processors include commitments to handle personal data in line with our own standards and applicable law. A current list of sub-processors is available on request.

Your responsibilities

Security is a shared responsibility. To help protect your account and your members' data, we recommend that you:

  • Use a strong, unique password and enable multi-factor authentication;
  • Grant access only to team members who need it, and review access regularly;
  • Keep your devices and browsers up to date;
  • Be cautious of phishing attempts and verify any unusual requests for credentials or data;
  • Notify us immediately if you suspect your account has been compromised.

Reporting a vulnerability

We welcome reports from security researchers and customers. If you believe you have discovered a security vulnerability in Panta, please email security@panta.app with a detailed description, steps to reproduce, and any proof-of-concept materials.

Please give us a reasonable amount of time to investigate and remediate before disclosing publicly. We commit to acknowledging your report promptly, keeping you informed of our progress, and crediting researchers who report valid issues responsibly (unless you prefer to remain anonymous).

Please do not access or modify data that does not belong to you, degrade the Service, or disrupt other customers while researching.

Contact us

For general security questions, compliance documentation, or sub-processor information, reach out to security@panta.app.