TRIS Recruiting Intelligence
Back to Home

Data Governance Policy

How TRIS collects, classifies, stores, processes, shares, and protects data across our platform.

Effective February 1, 2026 | Last updated: February 2026

This Data Governance Policy describes the principles, practices, and controls that govern how Tygtal Recruiting Intelligence Services (“TRIS”) manages data throughout its lifecycle -- from collection through deletion. This policy applies to all data processed by the TRIS platform, including subscriber account data, prospect evaluation data, and operational data.

1. Data Classification

TRIS classifies all data into four tiers, each with distinct handling requirements:

Tier 1 -- Public

Data available to any user of the platform. Includes prospect names, positions, high schools, graduation years, cities, and states. This data is derived from publicly available sources.

Tier 2 -- Subscriber-Restricted

Data available only to authenticated, subscribing coaching staff. Includes TRIS Composite Scores, position skill grades, athletic testing data, physical measurables, and evaluation narratives. Access requires active subscription and verified institutional credentials.

Tier 3 -- Sensitive / Coach-Only

Data restricted to authorized coaching staff designated by the program administrator. Includes family and home-life context, character trait assessments, behavioral risk factors, injury observations, and NIL financial projections. This tier cannot be accessed by general staff users.

Tier 4 -- Internal / Operational

Data accessible only to TRIS internal personnel. Includes raw evaluator field notes, internal scoring calibration data, agent performance metrics, and system administration logs. This data is never exposed to subscribers.

2. Data Collection Practices

Subscriber Account Data

Collected during registration and subscription management. Includes staff names, institutional email addresses, job titles, institution names, department, and billing information. Billing data (credit card numbers, ACH details) is processed by Stripe and is never stored on TRIS servers.

Prospect Evaluation Data

Collected by TRIS field agents at publicly accessible athletic events. Includes physical measurables, athletic testing results, position-specific skill grades, character and behavioral observations, game film notes, projection assessments, and NIL market indicators from public social media. All data is generated by TRIS evaluators -- not sourced from educational institutions, private records, or purchased datasets.

Platform Usage Data

Automatically collected through platform interaction. Includes pages viewed, search queries, filter usage, prospect profile views, feature usage frequency, session duration, device type, and browser information. Used exclusively to improve platform functionality and user experience. Never sold or shared with third parties for advertising.

Data We Do Not Collect

  • Academic transcripts, GPA, class rank, standardized test scores, or any education records as defined by FERPA
  • Medical records, injury treatment records, or health information maintained by schools or medical providers
  • Social Security numbers, driver's license numbers, or government-issued identification numbers
  • Private communications between athletes, families, coaches, or institutions
  • Data from minors under 13 years of age (COPPA compliance)

3. Data Storage & Infrastructure

  • All data is processed and stored within the United States on SOC 2 Type II compliant infrastructure
  • Production databases are hosted on enterprise-grade cloud infrastructure with 99.99% uptime SLA
  • Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3
  • Database access requires multi-factor authentication and is restricted to essential engineering personnel
  • Infrastructure access is logged and auditable -- no single employee has unrestricted access to production data
  • Automated encrypted backups are performed every 6 hours and retained for 30 days
  • Backup data is stored in geographically separate data centers for disaster recovery
  • Annual third-party penetration testing and quarterly vulnerability assessments are conducted

4. Access Controls & Permissions

Subscriber Access

  • Each staff member receives an individual account tied to their verified institutional email
  • Program administrators control who has access and can add, modify, or revoke access at any time
  • Role-based permissions determine data visibility (e.g., recruiting director sees all positions; position coaches see filtered views)
  • Sensitive Tier 3 data is only visible to users explicitly authorized by the program administrator
  • Sessions automatically expire after 30 minutes of inactivity
  • All login events, data views, and export actions are logged for audit purposes

Field Agent Access

  • Agents access only the evaluation interface and their own submitted evaluations
  • Agents cannot view other agents' evaluations, subscriber lists, or program-specific data
  • Agents submit all data through the TRIS platform -- no local storage of prospect data is permitted
  • Agent access is revoked immediately upon termination or compliance violation

Internal Personnel Access

  • TRIS employees access production data only as required for their job function
  • All internal access requires MFA and is logged with user, timestamp, and action performed
  • Customer support staff can view account metadata but cannot access evaluation content without explicit permission
  • Engineering access to production databases requires approval from a senior team member

5. Data Accuracy & Quality

TRIS evaluations represent a point-in-time assessment by a credentialed field agent. We take data quality seriously but acknowledge inherent limitations:

  • All athletic testing data is labeled with its verification level: Verified (TRIS-measured), Coach-Verified, Self-Reported, or N/A
  • Composite scores are algorithmically generated from evaluator inputs -- they are not subjective star ratings
  • Prospect profiles are updated when new evaluations are completed; historical evaluations are preserved for trend analysis
  • Subscribing programs can flag suspected inaccuracies for review by the TRIS evaluation team
  • TRIS does not guarantee the accuracy of self-reported metrics and clearly labels them as such
  • Projection models and scheme fit analyses are predictive tools based on current data -- they are not guarantees of future performance

6. Data Sharing & Third Parties

TRIS does not sell prospect data or subscriber information to any third party. Data is shared only in the following limited circumstances:

Subscribing Institutional Programs

Evaluation data is made available to authenticated coaching staff at subscribing programs. Each program sees the same core evaluation data; program-specific customizations (watchlists, notes, tags) are visible only to that program.

Infrastructure Service Providers

We use third-party services for hosting (Vercel, cloud infrastructure), database (Supabase), payment processing (Stripe), and transactional email. These providers are bound by data processing agreements and do not have independent use rights to TRIS data.

Legal Requirements

We may disclose data if required by law, subpoena, court order, or valid legal process. We will notify affected subscribers of such requests unless legally prohibited from doing so.

We never share data with: media outlets, recruiting aggregators, fan-facing scouting websites, betting platforms, agents, NIL collectives, boosters, or any non-institutional party.

7. Data Retention & Deletion

Prospect Evaluation Data

Retained for the duration of the athlete's eligibility window (typically 5 years from high school graduation) plus one additional year. This retention period serves multiple subscribing programs that may evaluate the same prospects at different stages of their eligibility. After the retention period, prospect data is anonymized or deleted.

Subscriber Account Data

Retained for the duration of the subscription plus 90 days. Upon cancellation, program-specific data (watchlists, notes, custom tags, staff accounts) is deleted within 90 days. Billing records are retained for 7 years for tax and audit compliance as required by law.

Deletion Requests

Subscribing programs may request deletion of their program-specific data at any time. Athletes, parents, or legal guardians may request review or deletion of an athlete's profile by submitting a verified request to privacy@trissystems.com. Verified deletion requests are processed within 30 business days.

8. Incident Response

In the event of a data breach or security incident, TRIS follows a structured incident response process:

  • Immediately contain the incident and secure affected systems
  • Investigate the scope, impact, and root cause within 24 hours
  • Notify affected subscribers within 72 hours of confirmed breach involving their data
  • Notify relevant regulatory authorities as required by applicable law
  • Provide affected parties with a detailed incident report including remediation steps
  • Conduct post-incident review and implement preventive measures
  • Maintain incident logs for a minimum of 3 years

9. Policy Updates

This Data Governance Policy is reviewed and updated at least annually. Material changes will be communicated to active subscribers via email notification at least 30 days before taking effect. Continued use of the platform after the effective date of changes constitutes acceptance of the updated policy. Previous versions are archived and available upon request.

FERPA Compliance

Student-athlete education record protections

NCAA Alignment

How we operate within NCAA bylaw boundaries

Privacy Policy

Full privacy policy for all users

Data governance questions? Contact our data governance team at our contact page or email privacy@trissystems.com. We can provide detailed documentation for compliance review.