Trust

Security and privacy at Currents.

Your members trust your club with their data. Your club, in turn, trusts us. This page sets out, plainly, how we honour that.

Last updated · May 2026

Currents is the operating layer for premium private golf clubs. We are built on infrastructure where every underlying provider is independently audited to the highest standards: SOC 2 Type II, ISO 27001, and PCI DSS Level 1. Your club’s data is encrypted at rest with AES-256 and in transit with TLS, and it stays in your region. Card data is tokenised at the point of entry by Stripe and never touches our servers.

We offer two ways to sync with your existing tee sheet. The first is a secure, industry-standard credential-based integration where your club provides login details for Currents to sync automatically on your behalf. The second is a zero-knowledge integration through a Chrome extension that operates entirely within your operator’s own authenticated session — no credentials are ever shared with or stored by Currents. We are also actively seeking direct API integrations with existing tee sheet providers to offer an even more seamless connection.

If you would like the detail behind any of that, the rest of this page is for you.

01 · Infrastructure

What Currents is built on.

We did not build our own database, our own authentication, or our own payment processor. We chose the modern best-in-class for each, and inherited their compliance posture. Every provider below is independently audited.

We chose this stack because elite private clubs hold their members’ data, and the substrate has to be defensible.

02 · Data residency

Your data does not leave its region.

Australian club data sits in the Sydney region of Supabase’s infrastructure (ap-southeast-2 on the underlying AWS footprint). UK and Ireland data is provisioned in London (lon-1) for clubs based there. United States data, when required for the small number of US-based reciprocal arrangements, sits in Oregon (us-west-1).

Data does not move between regions without explicit configuration. The Currents application layer, hosted on Vercel’s edge network, serves cached static content globally for performance, but database queries always return to the region where your club’s data lives.

All data is encrypted at rest with AES-256 and in transit with TLS. Daily automated backups are taken with point-in-time recovery available within the retention window. Backup data is encrypted with the same key management as the primary database.

  - Australia · New Zealand: Sydney (ap-southeast-2)
  - United Kingdom · Ireland: London (lon-1)
  - United States: Oregon (us-west-1)

03 · Payments

Card data never touches our servers.

Cardholder data is tokenised at the point of entry by Stripe Elements. The raw card number, expiry, and CVC are submitted directly from the golfer’s browser to Stripe, which holds PCI DSS Level 1, the highest service-provider tier. What we receive back is a token: a meaningless reference string that can be used to charge the card later, but cannot be reverse-engineered into the underlying number.

This means Currents itself operates at PCI compliance scope SAQ-A, the lightest possible scope, because we have fully outsourced cardholder data handling. We do not store card numbers in any form, encrypted or otherwise.

We support 3D Secure 2 (3DS2) by default on all visitor card payments. When a golfer is authenticated by their issuing bank during the booking, chargeback liability shifts from your club to the issuing bank under Visa, Mastercard, and Amex liability shift rules. This materially reduces club exposure to friendly-fraud chargebacks from international visitors.

Refunds and chargebacks are handled through Stripe’s standard workflow with the club as the merchant of record. Your club receives the full green fee at booking time.

04 · Tee sheet integration

Your credentials. Your session. Your control.

Currents syncs with your existing tee sheet software through a Chrome browser extension that operates inside your own authenticated session, using your own operator credentials. We do not hold those credentials at any point. We do not store them. We do not transmit them to our servers.

When your operator is logged into your tee sheet software through their browser, the extension receives instructions from Currents — for example, which bookings to place — and carries them out inside that authenticated session, just as your operator would manually. No tee sheet data is sent back from your computer to Currents. The extension does not read or transmit your tee sheet’s internal data, member lists, or booking records to our servers. It only acts on the instructions it receives, within the session your operator already has open.

The extension is bounded by the same access your operator has when they log in directly. If your operator’s tee sheet access is revoked, the sync stops immediately and unilaterally. The control sits with your club.

This is a structurally more secure model than any shared-credential or back-channel API integration would be. The only stronger model would be a published OAuth-based developer API from your tee sheet provider, and we would happily migrate to that when it exists. Until then, this approach gives your club the same access the integration has, with no third-party storage of operator credentials anywhere in the chain.

Source code is reviewed by Currents engineering before each release. The extension cannot access anything outside the authenticated tee sheet session.

  1. Your operator
  2. Your tee sheet (authenticated session)
  3. Extension acts
  4. Currents (per-club API)

No credentials stored at Currents. No internal data transmitted back. Revocable at any time by your club.

05 · Authentication

Modern auth, built in.

Authentication is handled by Kinde, an Australian-based authentication provider. Kinde holds SOC 2 Type II attestation from AssuranceLab and ISO 27001:2022 registration.

Multi-factor authentication is available on every Currents login. Supported methods include time-based one-time passwords (Google Authenticator, Authy, 1Password), SMS, and passwordless email magic links. For clubs that operate their own identity provider, single sign-on via SAML 2.0 is available.

Access within Currents is governed by role-based access control. Each club has its own administrator who manages staff access and permissions. Operator activity is logged at the database level.

Currents engineering and support staff have access to production systems only through audited workflows. All staff access events are logged.

06 · Privacy

Privacy is a default, not a feature.

Currents complies with the Australian Privacy Act 1988 and the Australian Privacy Principles by default for all Australian clubs and Australian-resident golfers. For UK and Ireland operations, UK GDPR applies, with data resident in the London region as described above.

Personal data we collect from golfers includes name, contact details, home club, and (with their consent) Golf Australia ID or equivalent international handicapping ID. We do not collect health information. We do not sell, share, or commercially exploit member data, ever.

Your club is the controller of your members’ personal data. Currents acts as a processor under your controller relationship. The terms of our processing are set out in the data processing agreement that accompanies your Master Services Agreement.

07 · Frequently asked

Questions club managers ask.

How is our member data protected?

Through our proposed integration, Currents does not receive or hold any information relating to non-visitor bookings or players.

How is our data stored in Currents protected?

All data is encrypted at rest with AES-256 and in transit with TLS. Database hosting is on Supabase in the Sydney region for Australian clubs, with underlying compliance including SOC 2 Type II, ISO 27001, HIPAA, and PCI DSS. Authentication is handled by Kinde with its own SOC 2 Type II and ISO 27001:2022 attestation.

Where is our data stored?

Australian club data is in Sydney (Supabase ap-southeast-2). UK and Ireland data is in London (lon-1). US data, when required, is in Oregon (us-west-1). Data does not move between regions without explicit configuration.

How does the tee sheet sync work, and is it secure?

The sync runs through a Chrome extension installed on the workstation of authorised club operators. When the operator is logged into the tee sheet through their browser, the extension receives data relating to Currents bookings and automates user input within that authenticated session. We do not store credentials. We do not transmit credentials or internal data to Currents. The integration is bounded by the same access the operator has when they log in directly. Revocation is unilateral and immediate.

Who at Currents can access our club's data?

Access is controlled via role-based access control provided by Kinde. Each club has its own administrator who configures staff access. Currents engineering and support staff access production systems only through audited workflows. All access events are logged.

What payment processor do you use?

Stripe. Stripe holds PCI DSS Level 1, the highest service-provider tier. Card data is tokenised at point of entry and never touches Currents servers. 3D Secure 2 is supported by default, providing chargeback liability shift to the issuing bank.

Do you support two-factor authentication?

Yes. MFA is available on every Currents login. Methods supported include TOTP (authenticator apps), SMS, and passwordless email magic links. SAML single sign-on is supported for clubs with their own identity provider.

Is our data ever shared with third parties?

Member data is not sold, shared, or commercially exploited. We use a small number of subprocessors to deliver the service (database hosting, authentication, payment processing, transactional email). Each subprocessor is listed in the data processing agreement that accompanies your Master Services Agreement, and each holds its own independent compliance attestations as described in Section 1 above.

How do we get the detail for our board or IT team?

Speak to your Currents account contact. The Master Services Agreement and accompanying data processing agreement set out the contractual detail, and we can provide additional documentation about the substrate providers on request.