Trust & Security

Security Overview

Effective Date: May 1, 2026

This Security Overview describes Cornerstone Strategy LLC's (doing business as Route X, 'we') approach to security, privacy, data protection, and management of external integrations in Route X's website and web application (the 'Service').

This page is intended to give individual coaches, clients, coaching firms, Organization Admins, affiliated coaches, corporate participants, and enterprise users (including HR, IT, information security, and legal personnel) a high-level understanding of our security approach. Please read it as a complement to our Terms of Service, Privacy Policy, Cookie Policy, Acceptable Use Policy, and any Data Processing Addendum or Subprocessor List we provide.

Contents

  1. Our Security Approach
  2. Information We Protect
  3. Application and System Architecture
  4. Data Protection
  5. Authentication and Access Control
  6. Role-Based Permissions
  7. Integration Security
  8. Payment Security
  9. File and Storage Security
  10. Monitoring, Logging and Audit Trail
  11. Secure Development Practices
  12. Incident Response
  13. Data Retention and Deletion
  14. Third-Party Service Providers
  15. Customer Responsibilities
  16. Security Contact

1. Our Security Approach

Route X handles information that requires careful handling, including coaching-related records, personal information, organizational information, scheduling information, and metadata related to external integrations. We recognize that coaching workflows may include sensitive interactions, client goals, reflections, and growth records, which can be sensitive in both personal and professional contexts.

We design Route X with security, privacy, and responsible data handling in mind. We aim to take reasonable measures to protect the information entrusted to us while providing a Service that is useful to individual coaches, coaching firms, and their clients and participants.

Security is a shared responsibility between us and our users. We work to operate the Service securely, and users (including coaches, clients, Organization Admins, and affiliated members) are responsible for using the Service in accordance with our policies, applicable law, and appropriate security practices.

This page provides a high-level overview of our security approach and is not intended to describe all of our internal controls and procedures, nor is it a complete or exhaustive description of our security program. Our practices may be reviewed and updated from time to time as the Service, our infrastructure, and the threat environment evolve.

2. Information We Protect

The categories of information that Route X intends to protect include, where applicable:

  • Account information (email address, name, login identifiers, account status, etc.)
  • Profile information (coaching profile, languages, timezone settings, etc.)
  • Coaching session logs and notes
  • Client goals
  • Action items
  • Reflection notes
  • Growth records and journey data
  • Booking and scheduling data (availability information, meeting metadata, etc.)
  • Organizational and membership information (coaching firm structure, seats, member relationships, etc.)
  • Billing and subscription identifiers, plan status, and related metadata
  • External integration metadata (integration status, tokens used for communication with integrated services, etc.)
  • Uploaded files and shared materials, where applicable

We recognize that coaching engagement content and information about clients, participants, and organizations can be sensitive. Route X is designed to handle only the data necessary to provide the Service and related features, and to use that data for appropriate purposes consistent with our Privacy Policy, Terms of Service, and applicable agreements.

3. Application and System Architecture

Route X is designed as a web application with a separated frontend and backend. The frontend is delivered to the user's browser, and application logic and data access run on a backend API operated by us.

Communications between the frontend and backend API are designed to use HTTPS/TLS encrypted communications. Application data is stored on managed database environments and cloud infrastructure operated by us or our hosting/storage providers.

To reduce security risk, we do not publicly disclose details of our internal architecture, network configuration, or low-level configuration settings. Coaching firms and enterprise customers requiring a reasonable security review for vendor evaluation may inquire about additional disclosures available subject to confidentiality obligations and applicable agreements.

4. Data Protection

Route X uses or is designed to use a combination of technical and operational measures to protect data, including:

  • Encryption in transit. Communications between users' browsers, Route X's frontend, and the backend API are designed to use HTTPS/TLS.
  • Encryption at rest. We use infrastructure-level protections including encryption at rest where supported by applicable databases, storage, and hosting infrastructure.
  • Sensitive data handling. We design for appropriate handling of sensitive data, personal information, coaching-related information, and external integration data consistent with our Privacy Policy and applicable agreements.
  • Access limitations. We seek to limit information access to users and personnel with an appropriate need, based on role, function, and business need.
  • Data minimization. Route X is designed to collect and process only data necessary to provide the Service and related features, avoiding unnecessary collection or retention.
  • Backup and recovery. We employ backup and recovery practices designed to support restoration of the Service and customer data in the event of operational issues, where supported by infrastructure.

No service can completely eliminate risk. These measures are intended to reduce, not eliminate, security risk. We will continue to assess and adjust these practices as the Service evolves.

5. Authentication and Access Control

Route X is designed to authenticate users before granting access to protected areas of the Service. Access to account, coaching, organizational, and billing features is restricted based on authentication and authorization.

Authentication and access controls in the Service include, where available:

  • User login through credentials managed by us or via supported identity providers
  • Session management intended to associate authenticated requests with the correct user and account context
  • Password reset and account recovery flows, where available
  • OAuth-based login or integration authorization, where supported by applicable identity or third-party providers
  • Token management intended to limit exposure of access tokens and refresh tokens
  • Logout and session invalidation, where applicable
  • Account status controls such as account suspension, expiry, and blocking, where applicable

Users are responsible for keeping their credentials secure, using strong and unique passwords, and not sharing accounts or login information with unauthorized persons. We recommend enabling additional authentication options when made available by us from time to time.

6. Role-Based Permissions

Route X is designed to use role-based access control (RBAC) so that users can only access the appropriate data and features for their role. Roles supported or planned by the Service include, where applicable:

  • Individual Coach
  • Client
  • Coaching Firm Admin
  • Affiliated Coach
  • Organization Admin
  • Corporate Participant
  • Platform Admin (Route X personnel with limited operational privileges)

Different roles have different screens, controls, and data visible within the Service. Not all users have access to all data. For example, the Service is designed so that clients do not see another coach's confidential records, and so that affiliated coaches do not access cross-organizational administrative features that should only be available to firm or organization administrators.

Coaching firms and organizations are responsible for assigning appropriate roles, regularly reviewing user access, and promptly removing or downgrading access when a member no longer requires it. Organization Admins and Coaching Firm Admins should manage member access, invitations, and permission changes consistent with their internal policies, applicable law, and contractual obligations.

7. Integration Security

Route X integrates or plans to integrate, where applicable, with third-party services including Google Calendar, Outlook Calendar, Microsoft Graph, Zoom, Google Meet, Stripe, email delivery services, storage services, and other third-party services to support coaching workflows.

Where supported by third-party providers, Route X is designed to use OAuth flows so that users can grant limited scoped permissions to us without sharing their passwords. In connection with these external integrations, we are implementing controls intended to:

  • Handle OAuth access tokens and refresh tokens server-side rather than client-side, where applicable
  • Prevent OAuth access or refresh tokens from appearing in frontend URLs, browser history, or client-side logs
  • Limit integration permissions to the scopes necessary for providing the relevant feature
  • Allow users to disconnect integrations and revoke previously granted permissions, where supported by third-party providers

Calendar integrations are used to calculate availability, avoid scheduling conflicts, and create or update calendar events based on user instructions through the Service. Route X does not use calendar integrations to display a coach's private calendar event titles, attendees, descriptions, or other private calendar details to clients or other users not authorized to view them. Clients see only the availability information and information that coaches or organizations choose to expose through the Service.

Use of connected third-party services may also be subject to those services' terms, privacy policies, and security practices. Please review relevant third-party provider policies as part of your own evaluation.

8. Payment Security

Payment processing for paid plans, subscriptions, and related billing operations may be handled by Stripe or similar third-party payment processors. Route X does not store full credit card numbers on our systems. Sensitive payment data is handled by the payment processor, which manages the underlying card data infrastructure.

Where applicable, payment methods, invoices, subscriptions, Billing Portal, and similar features may be managed through the payment processor. Route X is designed to receive limited billing-related metadata (plan status, customer identifiers, subscription state, etc.) necessary for operating the Service.

To maintain billing flow reliability and security, Route X uses or is designed to use controls such as:

  • Webhook validation for messages received from the payment processor
  • Synchronization of subscription state between Route X and the payment processor
  • Processing of billing events to update plan, seat, and feature access in a controlled manner

These controls are intended to support secure and consistent billing operations, but do not in themselves guarantee the security of the broader payment ecosystem, which depends on the payment processor and your own payment environment.

9. File and Storage Security

Route X may allow users to upload, share, and store coaching-related files and materials such as worksheets, templates, reports, session-related documents, and reference materials. Storage may be provided by cloud storage providers we use.

Route X is designed to use access controls for uploaded or shared files, with access to files restricted based on account, role, organization, and authorization. Files should not be shared with users not authorized to receive them.

Users are responsible for:

  • Having the rights to upload, share, and store the files and materials
  • Having obtained necessary consent for information about clients, participants, and other individuals in files
  • Avoiding uploading or sharing unnecessary or highly sensitive content
  • Complying with the Acceptable Use Policy and other applicable policies and agreements

Route X may introduce additional controls for file security, such as additional access restrictions, scanning, or content handling features, as the Service evolves.

10. Monitoring, Logging and Audit Trail

Route X may capture or retain logs and operational records to support Service operations, security, support, audit, troubleshooting, and improvement. Examples of events that may be logged or retained where available include:

  • Authentication events (login/logout attempts, etc.)
  • Administrative operations by Organization Admin, Coaching Firm Admin, or Platform Admin
  • Organizational changes (adding members, role changes, removals, etc.)
  • Role or permission changes
  • Subscription and billing status changes
  • External integration connection or disconnection events
  • Security-related events (suspicious behavior, repeated failures, etc.)
  • Error and performance logs for reliability and troubleshooting

Audit logs, where available, may help identify administrative actions, account changes, and security-related events. The scope, content, and availability of logs may vary by Service area and time, and not all operations are necessarily captured in formal audit logs.

Logs are used for internal operational and security purposes in accordance with applicable law and our Privacy Policy.

11. Secure Development Practices

We aim to identify and reduce security risks in the course of development and operations. Where available and applicable, our practices include:

  • Code review or development review of changes to the Service
  • Secret and credential management intended to prevent API keys, tokens, and other sensitive configuration from appearing in public repositories, client-side code, or logs
  • Environment variable management for runtime configuration of the Service
  • Dependency update tracking for third-party libraries used by the Service
  • Security scanning of dependencies, code, or infrastructure where available
  • Error handling intended to avoid exposing sensitive information in error messages
  • Input validation and output processing to help reduce common application-layer risks
  • API access controls including authentication and authorization checks on API endpoints
  • Testing of changes before release consistent with our development process

We seek to avoid exposing credentials, secrets, and sensitive configuration in public repositories, client-side code, or logs. Security-relevant changes are reviewed as part of our development process. We expect to continue improving and expanding these practices as the Service grows.

12. Incident Response

Where we become aware of a suspected security incident affecting the Service, we will take steps to assess, contain, investigate, and remediate the matter as appropriate. Our general approach to incident response is as follows:

  • Detection. Reviewing reports, alerts, and signals that may indicate a potential security issue.
  • Assessment. Evaluating the nature, scope, and potential impact of the matter.
  • Containment. Taking reasonable steps to limit the spread of impact and prevent additional harm.
  • Investigation. Reviewing relevant systems, logs, and information to understand the matter.
  • Remediation. Addressing root causes and restoring affected components.
  • Notification. Notifying affected users, customers, or authorities where required by applicable law or contractual obligations.
  • Review and improvement. Reviewing the incident and identifying improvements to reduce the likelihood of recurrence.

We do not publicly disclose detailed internal incident response procedures, detection rules, or operational details that could increase risk. Customers with specific contractual requirements regarding incident notification should refer to their applicable Data Processing Addendum or other written agreement.

13. Data Retention and Deletion

Data retention and deletion are handled in accordance with our Privacy Policy, Terms of Service, applicable Data Processing Addendum, other applicable agreements, and law.

General practice is as follows:

  • Account data may be retained while the account is active.
  • Certain records may be retained after account termination for legal, security, billing, audit, compliance, backup, or dispute resolution purposes.
  • Deletion requests will be handled in accordance with our Privacy Policy and applicable law, taking into account legitimate retention needs.
  • Backup copies may be retained for a period consistent with our backup and recovery practices until overwritten or deleted.

Specific retention periods, where set, are described in our Privacy Policy, Subscription, Cancellation & Refund Policy, applicable Data Processing Addendum, or other written agreements.

14. Third-Party Service Providers

To operate the Service, Route X may use third-party service providers for hosting, storage, payment, authentication, calendar integration, video conferencing, email delivery and communications, analytics, customer support, and related purposes. Categories of providers may include, where applicable:

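  • Hosting providers
  • Cloud storage providers
  • Payment processors (e.g., Stripe)
  • Calendar providers (e.g., Google, Microsoft)
  • Video conferencing providers (e.g., Zoom, Google Meet)
  • Email delivery and communications providers
  • Analytics providers (where enabled)
  • Customer support tools (where enabled)
  • Other similar providers used to support specific features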

Third-party providers may process data according to their own terms, privacy policies, and security practices. We aim to use providers we consider appropriate for each function, but we do not control those providers' internal operations.

Route X may maintain or provide a Subprocessor List or subprocessor information where applicable, particularly for coaching firms and enterprise customers with vendor management requirements. Where a Data Processing Addendum applies, it will describe how subprocessors are handled in more detail.

15. Customer Responsibilities

Security is a shared responsibility between us and our customers. While we implement the controls described above, the security of accounts, organizations, and coaching engagements depends on how customers, coaches, clients, Organization Admins, and affiliated members use the Service.

Customers and users are specifically responsible for:

  • Using strong, unique passwords for Route X accounts and connected services
  • Keeping credentials confidential and not sharing accounts with unauthorized persons
  • Promptly removing or deactivating users who no longer need access (including employees, contractors, or affiliated coaches who have left the organization)
  • Regularly reviewing roles and permissions for members of the organization or coaching firm
  • Appropriately managing organizational members, invitations, and seat allocations
  • Only connecting third-party accounts (calendar, video conferencing tools, payment accounts, storage accounts, etc.) to which the user is authorized
  • Avoiding unnecessary storage of highly sensitive information in the Service, including information not required for providing coaching services
  • Obtaining necessary consent and authorization before entering or sharing information about clients, participants, or third parties
  • Promptly reporting suspected unauthorized access, account compromise, or other security issues to us
  • Complying with the Terms of Service, Privacy Policy, Acceptable Use Policy, and applicable law

Coaching firms, enterprise customers, Organization Admins, and Coaching Firm Admins are responsible for managing access for their members, affiliated coaches, clients, and participants — assigning appropriate roles, reviewing access over time, and promptly revoking access when no longer needed.

16. Security Contact

For security questions, concerns, or to report a suspected security issue, please contact:

Cornerstone Strategy LLC
Email: support@route-x.app
Website: https://cornerstone-strategy.com/

When reporting a potential issue, please provide sufficient detail for us to evaluate the report, such as a description of the issue, the area of the Service affected, the date and time observed, and relevant context. We may follow up with additional questions during our review.

© 2026 Cornerstone Strategy LLC. All Rights Reserved.