ScoreBreak SOC2 Type 2

ScoreBreak, Inc. — SOC 2 Type 2 Report (2024)

ScoreBreak, Inc.

SOC 2 Type 2 Report

Independent Service Auditor's Report on ScoreBreak, Inc.'s Description of its Sports Analytics System and the Suitability of the Design and Operating Effectiveness of Controls Relevant to Security, Availability, and Confidentiality

Period: January 1, 2024 to December 31, 2024

Contents

  0. Executive Summary
  I. Independent Service Auditor's Report
  II. ScoreBreak, Inc.'s Assertion
  III. ScoreBreak, Inc.'s Description of its Sports Analytics System
  IV. Description of Control Objectives and Related Controls, and Independent Service Auditor's Description of Tests of Controls and Results
  V. Management Letter of Recommendations

0. Executive Summary

ScoreBreak, Inc. engaged an independent service auditor to perform a SOC 2 Type 2 examination of its Sports Analytics System for the period January 1, 2024 to December 31, 2024. The examination focused on the Trust Services Criteria for Security, Availability, Confidentiality, Processing Integrity, and Privacy.

  • The independent auditor issued an unqualified opinion, confirming that ScoreBreak’s system description was fairly presented and that controls were suitably designed and operated effectively throughout the period.
  • All control objectives were tested, including logical access, encryption, system availability, confidentiality protections, data processing integrity, and privacy practices.
  • No exceptions were noted in the design or operating effectiveness of controls.
  • The report confirms that ScoreBreak’s system supports secure, reliable, and confidential delivery of services to its customers.

Note: This Executive Summary is provided for business and customer communications. The full report should be reviewed by qualified professionals for audit and compliance purposes.

I. Independent Service Auditor's Report

To: Management of ScoreBreak, Inc.

Scope

We have examined ScoreBreak, Inc.'s accompanying description of its Sports Analytics System for processing user entities’ transactions throughout the period January 1, 2024 to December 31, 2024 (the “description”) and the suitability of the design and operating effectiveness of controls included in the description to achieve the related control objectives stated therein, based on the criteria identified in ScoreBreak, Inc.'s Assertion. The controls and objectives included in the description are those that management of ScoreBreak, Inc. believes are likely to be relevant to user entities’ internal control over financial reporting. The description does not include those aspects of the Sports Analytics System that are not likely to be relevant to user entities’ internal control over financial reporting.

ScoreBreak, Inc.'s Responsibilities

Management is responsible for preparing the description and assertion, including their completeness, accuracy, and method of presentation; for providing the services covered by the description; for specifying the control objectives and identifying the related risks; and for designing, implementing, and documenting controls that are suitably designed and operating effectively to achieve the stated objectives.

Service Auditor's Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related objectives. We conducted our examination in accordance with attestation standards established by the American Institute of Certified Public Accountants (AICPA). Those standards require that we plan and perform the examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively throughout the period.

Inherent Limitations

The description is prepared to meet the common needs of a broad range of user entities and their auditors. It may not include every aspect of the system that each individual user entity may consider important in its own environment. Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions. Further, any projection of the results of an evaluation to future periods is subject to the risk that controls may become ineffective.

Opinion

In our opinion, in all material respects, based on the criteria described in ScoreBreak, Inc.'s assertion:

  • The description fairly presents the Sports Analytics System that was designed and implemented throughout the period January 1, 2024 to December 31, 2024.
  • The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period.
  • The controls tested, which were those necessary to provide reasonable assurance that the objectives stated in the description were achieved, operated effectively throughout the period.

Description of Tests of Controls

The specific controls tested and the nature, timing, and results of those tests are provided in Section IV of this report.

Restricted Use

This report, including the description of tests of controls and results in Section IV, is intended solely for the information and use of ScoreBreak, Inc., its user entities during some or all of the period January 1, 2024 to December 31, 2024, and their auditors. It is not intended to be, and should not be, used by anyone other than these specified parties.

March 31, 2025

II. ScoreBreak, Inc.'s Assertion

We have prepared the description of ScoreBreak, Inc.'s Sports Analytics System for user entities and their auditors for the period January 1, 2024 to December 31, 2024.

To the best of our knowledge and belief:

  • The description fairly presents the Sports Analytics System during the period, including how services were designed and implemented to process relevant transactions, the procedures involved, and the control objectives and controls in place.
  • The controls related to the stated objectives were suitably designed and operated effectively throughout the period.

ScoreBreak, Inc. Management
March 31, 2025

III. ScoreBreak, Inc.'s Description of its Sports Analytics System

Company Overview

ScoreBreak, Inc. is a leading provider of sports analytics software and services. Our Sports Analytics System offers real-time data analysis, performance metrics, and predictive modeling for professional and collegiate sports teams. Founded in 2015, ScoreBreak is headquartered in Denver, Colorado, with additional offices.

Services Provided

  1. Data Collection
  2. Real-time Analytics
  3. Performance Tracking
  4. Predictive Modeling
  5. Customized Reporting
  6. Data Visualization

System Infrastructure

Hosted on Google Cloud Platform using Compute Engine, Cloud SQL, BigQuery, Cloud CDN, Load Balancing, and Cloud Monitoring.

Data Flow and Processing

  1. Data Ingestion
  2. Data Processing
  3. Analytics Engine
  4. Results Storage
  5. Reporting and Visualization

Control Environment

Includes organizational structure, management philosophy, HR practices, risk assessment, communication, and monitoring.

Control Objectives

  1. Information Security
  2. Data Availability
  3. Data Confidentiality
  4. Data Processing Integrity
  5. Privacy

Complementary User Entity Controls

  • User entities must manage credentials, ensure data accuracy, notify of security incidents, and review analytics.

IV. Description of Control Objectives, Related Controls, and Auditor’s Tests

Control Objective 1: Information Security

| Control Activity | Tests Performed | Results of Tests |
|---|---|---|
| 1.1 Logical access to systems, applications, and data is restricted to authorized individuals based on job function. | Inspected access control policies and procedures. Examined a sample of user access rights and compared them to job responsibilities. Observed the process for granting and revoking access. | No exceptions noted. |
| 1.2 Multi-factor authentication is required for all remote access to the system. | Inspected system configurations for remote access settings. Attempted to access the system remotely without multi-factor authentication. | No exceptions noted. |
| 1.3 Firewalls and intrusion detection/prevention systems are implemented and configured to restrict inbound and outbound network traffic. | Reviewed firewall and IDS/IPS configurations. Examined a sample of firewall logs and alert notifications. | No exceptions noted. |
| 1.4 All system components are regularly updated with the latest security patches. | Inspected patch management policies and procedures. Examined system logs to verify timely application of security patches. | No exceptions noted. |
| 1.5 Encryption is used for data transmission over external networks and for sensitive data at rest. | Reviewed encryption policies and examined system configurations for data in transit and at rest. Observed encrypted connections during data transmission. | No exceptions noted. |

Control Objective 2: Data Availability

| Control Activity | Tests Performed | Results of Tests |
|---|---|---|
| 2.1 System performance and capacity are monitored and projections of future capacity requirements are made. | Reviewed monitoring tools and capacity planning documents. Examined a sample of performance reports and capacity projections. | No exceptions noted. |
| 2.2 Data is backed up regularly and stored in geographically diverse locations. | Inspected backup policies and procedures. Examined backup logs and tested the restoration process for a sample of backups. | No exceptions noted. |
| 2.3 A business continuity and disaster recovery plan is documented, tested, and updated regularly. | Reviewed the BCP/DR plan and test results. Observed a simulated disaster recovery exercise. | No exceptions noted. |
| 2.4 Redundant infrastructure components are implemented to ensure high availability. | Inspected system architecture diagrams and configurations for redundant components. Tested failover procedures for critical systems. | No exceptions noted. |

Control Objective 3: Data Confidentiality

| Control Activity | Tests Performed | Results of Tests |
|---|---|---|
| 3.1 Confidentiality agreements are in place with employees, contractors, and third-party service providers. | Reviewed a sample of confidentiality agreements. Verified that all current employees and contractors have signed agreements. | No exceptions noted. |
| 3.2 Access to confidential data is restricted based on the principle of least privilege and business need. | Examined access control lists and user permissions for systems containing confidential data. Reviewed the process for granting and reviewing access to confidential data. | No exceptions noted. |
| 3.3 Data classification policies and procedures are implemented to identify and protect confidential information. | Inspected data classification policies and procedures. Tested the classification process for a sample of data sets. | No exceptions noted. |
| 3.4 Confidential data is securely disposed of when no longer needed. | Reviewed data disposal policies and procedures. Observed the secure disposal process for electronic and physical media. | No exceptions noted. |

Control Objective 4: Data Processing Integrity

| Control Activity | Tests Performed | Results of Tests |
|---|---|---|
| 4.1 Input data is validated for accuracy and completeness. | Inspected validation rules and logs; tested samples of data ingested. | No exceptions noted. |
| 4.2 Automated and manual reconciliation processes ensure completeness of processing. | Reviewed reconciliation procedures and observed execution. | No exceptions noted. |
| 4.3 Error handling and correction processes are documented and followed. | Examined incident logs and observed remediation procedures. | No exceptions noted. |
| 4.4 Change management procedures ensure only authorized changes are implemented. | Inspected change management tickets and approvals. | No exceptions noted. |

Control Objective 5: Privacy

| Control Activity | Tests Performed | Results of Tests |
|---|---|---|
| 5.1 Collection and use of personal data aligns with the published privacy notice. | Reviewed privacy notice and sampled data collection practices. | No exceptions noted. |
| 5.2 Access to personal information is restricted based on business need. | Examined access logs and reviewed user roles. | No exceptions noted. |
| 5.3 Retention and disposal policies for personal information are followed. | Inspected retention schedules and verified sample disposals. | No exceptions noted. |
| 5.4 Disclosures of personal information to third parties are authorized and monitored. | Reviewed contracts and third-party data sharing logs. | No exceptions noted. |

V. Management Letter of Recommendations

To: Management of ScoreBreak, Inc.

In connection with our examination of ScoreBreak, Inc.’s Sports Analytics System and related controls, we identified opportunities for enhancing the design and operation of existing practices. While these recommendations do not represent exceptions or deficiencies that impacted our opinion, we believe their implementation may strengthen ScoreBreak, Inc.’s control environment and provide additional assurance to user entities.

1. Information Security

Although logical access, multi-factor authentication, and encryption controls were effective, ScoreBreak may benefit from expanding penetration testing frequency and incorporating third-party red team exercises.

2. Data Availability

Disaster recovery testing was observed and effective. We recommend simulating multi-region failure scenarios and documenting recovery times achieved in these exercises.

3. Data Confidentiality

Confidentiality agreements and least privilege controls are consistently applied. Management may consider automating periodic access reviews to reduce reliance on manual oversight and provide stronger audit trails.

4. Data Processing Integrity

Error handling and reconciliation processes are effective. We recommend enhancing the change management process by integrating automated rollback testing within the deployment pipeline.

5. Privacy

Privacy practices are aligned with ScoreBreak’s published notice. Expanding privacy training for employees with role-specific scenarios (e.g., data scientists, customer support staff) would further strengthen compliance with evolving regulations.

Conclusion

We commend ScoreBreak, Inc. for maintaining a strong control environment and achieving operating effectiveness across all relevant Trust Services Criteria. The recommendations above are intended to provide practical opportunities for strengthening controls, fostering continuous improvement, and demonstrating proactive governance to user entities.

March 31, 2025