Security

TTX Lab applies organization-scoped access control, signed service-to-service auth, and auditable exercise logs.

Authentication is handled through WorkOS. Protected application routes require a valid session cookie, and backend functions enforce organization membership plus role authorization for privileged actions.

Report artifacts are stored in Convex with retention controls. One-time ephemeral report downloads use hashed tokens with expiry and single-use redemption semantics.
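
The hashed, expiring, single-use token pattern described above, shown as an added Python example that is not TTX Lab's own code. The in-memory store, the names `DownloadTokenStore`, `issue` and `redeem`, and the 300-second lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 300  # assumed lifetime; the page does not state one


class DownloadTokenStore:
    """In-memory stand-in (hypothetical) for the table holding token records."""

    def __init__(self, clock=time.time):
        self._records = {}   # sha256(token) hex digest -> record
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _digest(token: str) -> str:
        # A fast hash is sufficient here because the token is 256 bits of
        # random data, not a human-chosen secret.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, report_id: str, ttl: int = TOKEN_TTL_SECONDS) -> str:
        token = secrets.token_urlsafe(32)
        # Only the digest is persisted, so a leaked table yields no usable links.
        self._records[self._digest(token)] = {
            "report_id": report_id,
            "expires_at": self._clock() + ttl,
            "used": False,
        }
        return token  # the raw token exists only in the download link

    def redeem(self, token: str):
        """Return the report id once; None for unknown, expired or reused tokens."""
        record = self._records.get(self._digest(token))
        if record is None:
            return None
        if record["used"] or self._clock() >= record["expires_at"]:
            return None
        # In a real database this check-and-mark must run in one transaction,
        # otherwise two concurrent requests could both redeem the token.
        record["used"] = True
        return record["report_id"]
```
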

Platform telemetry is available through Sentry and PostHog when configured. Audit events are written for key lifecycle actions including exercise creation, assignment, auto-start, pause/resume, and completion.