6 Jul





 min read

Vanta Leagues Platform Security Whitepaper

No items found.

Security at Vanta is our primary concern, we are confident in saying we are the most secure esports platform on the market. Read on for more information regarding our privacy and platform security features.


Vanta primarily focuses on three types of users:

  • Parents
  • Schools
  • Gamers


We verify parents identity using Real ID - all parents joining the platform are required to provide a form of government identification. We require this to verify that the parent is who they say they are. Our provider for this service is Plaid, a leader in the space.


Using SheerID we verify that administrators are who they say they are - employees of a particular school in the United States. All school admins are therefore required to provide either a school identification or a pay stub.


Gamers must be invited to the platform either by a parent or school administrator. Gamers can not join the platform on their own volition or participate in activities without notice to a parent or school administrator.

When it comes to the collection of personal information from children under 13, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, the nation’s consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online.

For example, if your company is covered by COPPA, you need to have certain information in your privacy policy and get parental consent before collecting some types of information from kids under 13.

Effective July 1, 2013, the FTC updated the COPPA Rule to reflect changes in technology. Violations can result in law enforcement actions, including civil penalties, so compliance counts.

Each of these is considered personal information under COPPA:

  • full name;
  • home or other physical address, including street name and city or town;
  • online contact information like an email address or other identifier that permits someone to contact a person directly — for example, an IM identifier, VoIP identifier, or video chat identifier;
  • screen name or user name where it functions as online contact information;
  • telephone number;
  • Social Security number;
  • a persistent identifier that can be used to recognize a user over time and across different sites, including a cookie number, an IP address, a processor or device serial number, or a unique device identifier;
  • a photo, video, or audio file containing a child’s image or voice; geolocation information sufficient to identify a street name and city or town; or other information about the child or parent that is collected from the child and is combined with one of these identifiers.

PII - Personally identifiable information

The following information is collected and used solely to provide the services necessary:

  • email
  • first name(when available)
  • last name(when available)
  • last ip address

We will also attach minimal data to your profile such as:

  • Bio(when available)
  • Address(when available)
  • Username(when available)

User actions

Users are allowed to perform actions based on their roles within the platform:

Authentication Process

Signup process:

Signup process within platform repositories and platforms: NextJS → Auth0 → Role form → Register user on Rails API → Get JWT back

Sign up role flow:

  1. Child?
  2. Under 13? Invite your parent. End;
  3. Over 13? Move to next step;
  4. School? Go to SheerID:
  5. You have an ID: Move to next step;
  6. You don't have an ID: End;
  7. Parent? Go to Cognito:
  8. You are real: Move to next step;
  9. You aren't real: End;

Spread the word.

Vanta BLOG