We will not claim a certification we haven't earned.
We're a young company. So here's what's actually true today, in plain English, not in checkboxes, about how Midfield protects your members and your organization.
Your card data never touches us.
Our payment processor handles every checkout: card entry, tokenization, storage. Midfield only holds tokenized references. If you can pay safely with cards on the modern web, you can pay safely on Midfield.
Your data exports cleanly when you ask.
No proprietary lock-in. No surcharge to leave. Members, payments, forms, audit history: all exportable on request, in open standard files. The data is yours; we just host it.
Your audit trail is real, not theater.
Every change a registrar makes (refunds, scholarship awards, role grants, form signatures) is logged in a history we cannot quietly edit after the fact. Your treasurer and your board can verify the trail any time.
Your members decide who sees medical info.
Medical and PHI fields are opt-in per record. Coaches, registrars, and state administrators do not see them unless the member says yes. Members can revoke at any time without losing the record.
Your state administrators see aggregates, not PII.
Midfield was designed for state→region→club hierarchies from day one. State-level users see roll-up dashboards. Per-member information stays inside the club where it belongs.
How Midfield is built
Eight things we got right from the start.
None of these is a badge you bolt on later. They're foundational choices baked into the data model and the product, described here as they actually work today.
Tenant isolation
One org cannot see another org’s data.
Every record in Midfield carries the org it belongs to, and the database enforces that boundary at the row level on every read and every write, not just in application code that a bug could skip. A registrar at one org queries only that org’s members, payments, and forms. There is no shared list everyone can browse.
Payment security
Card numbers never touch our servers.
Checkout runs through our payment processor. Card entry, tokenization, and storage all happen on their PCI-DSS infrastructure; Midfield only ever holds a tokenized reference. A card number cannot leak from us because we never receive one in the first place.
E-signature compliance
Signatures built to hold up.
Our forms and e-signatures are designed to meet the federal ESIGN Act and state UETA requirements for legally binding electronic signatures. Each signed envelope keeps an audit trail (who signed, when, and from where) so a completed waiver or medical-release form can be verified later.
Child safety
Background checks and SafeSport, tracked.
Midfield tracks SafeSport status and background-check status for the staff and coaches working with kids, with expiration dates surfaced before they lapse. Registrars can see at a glance who is cleared and who is not, instead of chasing paperwork across a spreadsheet and an inbox.
Audit trail
A history we cannot quietly rewrite.
Sensitive actions (refunds, scholarship awards, role grants, form signatures, consent changes) are written to an append-only audit log. Entries are not editable or deletable after the fact, so your treasurer, your board, or an auditor can verify what happened and who did it.
Access control
People see only what their role allows.
Permissions are role-based: a coach, a registrar, a treasurer, and a state administrator each see a different slice of the org. Sensitive roles (treasurer, registrar, and state-level access) require multi-factor authentication when the role is granted.
Data ownership
Your data leaves as cleanly as it arrived.
Members, registrations, payments, forms, and audit history export to open, standard files whenever you ask. No proprietary format, no surcharge to leave, no lock-in. The data is yours; we just host it.
Privacy
We collect what we need, and no more.
Midfield is built around minimizing the personal information we hold. Medical and sensitive fields are opt-in per record and shared only with the people a member chooses. State-level administrators see roll-up dashboards, not per-member details.
Want the legal detail on fees, data, and how the platform works? Read the Terms of Service.
In progress
We're working toward SOC 2.
We won't put a SOC 2 badge in our footer until we've signed an actual report. If your state association or InfoSec team needs the full architecture detail for an RFP, we have a longer document we can share under NDA. Just ask.
Found something off?
Email security@midfieldhq.com with how to reproduce the issue. We'll respond within two business days and keep you in the loop until the fix ships. Please don't test in production tenants. We'll spin up a staging one for you.
Still have questions? We're one email away.