Privacy and Security Documentation
GYOCC Official Member Portal
This page explains how GYOCC Official handles member data and how the app's safeguards align with the NIST Confidentiality, Integrity, and Availability triad and the NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, and Recover.
This is a public privacy and security statement for the app. It describes the current application behavior and security approach; it is not a claim of formal NIST certification.
- App: GYOCC Official
- Audience: Registered GYOCC members and authorized administrators
- Primary data use: Membership, schedules, attendance, reminders, alerts, and administrative operations
- Last updated: July 1, 2026
1. Scope and app behavior
GYOCC Official is a member portal for GYOCC operations. It is not a public social network, marketplace, or open registration system. The app supports the day-to-day workflows members and authorized staff need for membership, rehearsal, event, attendance, notification, and administrative coordination.
- Members sign in with email/password or Google authentication.
- Members can view their profile, membership details, schedules, attendance history, reminders, alerts, and earnings information.
- Members can RSVP, clock in, clock out where required, and submit attendance-related information for assigned activities.
- Administrators manage membership, rehearsals, gigs, events, roles, permissions, notifications, reports, equipment, expenses, lessons, and stipends through authenticated tools.
- The app is intended for registered GYOCC members and authorized organization administrators, not for general public account creation.
2. Data handled by the app
GYOCC Official uses information needed to run the member portal, support attendance workflows, deliver reminders, and let authorized staff administer organization records.
- Account identity, such as name, email address, profile photo, email verification status, and sign-in session state.
- Member profile details, such as section, rank, level, voice part or instrument, membership status, join date, and optional phone number.
- Choir, orchestra, and event activity data, including rehearsals, gigs, events, RSVP status, roles, venues, attendance, clock-in and clock-out times, lateness, early leave records, and excuse review status.
- Member portal records, including attendance history, upcoming schedules, earnings or stipend summaries, and reminder preferences.
- Notification data, including in-app notifications, read status, Expo push tokens, platform, device identifier, and last-seen timestamps used to deliver alerts.
- Administrative and security records, including role assignments, permission checks, audit log entries, IP address, user agent, and timestamps for sensitive admin or auth actions.
3. NIST CIA triad alignment
The CIA triad is used here as an organizing model for how the app protects member information, preserves operational records, and keeps essential member workflows available.
3.1 Confidentiality
Member information is intended for authenticated GYOCC users and authorized administrators only.
- The mobile member portal requires a valid session before profile, schedule, notification, and attendance data can be viewed.
- Administrative actions use role-based permissions, with super-admin access separated from regular permission checks.
- Notifications are scoped to the signed-in recipient, and push tokens are attached to a specific user account.
- Privacy preferences in the app control what member profile information may be shown in member views.
3.2 Integrity
Attendance, membership, and administrative records are structured to preserve accurate operational history.
- Attendance records are tied to one member and one activity, with statuses such as Pending, Present, Late, Completed, Excused, NoShow, and Absent.
- Clock-in and clock-out records store scheduled times, call times, grace minutes, lateness, and early-leave values.
- Excuse review status and admin notes are stored separately from member-submitted activity actions.
- Admin and auth actions are written to an append-only audit log model that blocks update operations.
3.3 Availability
The app is designed so members can reach schedules, reminders, and attendance tools when they need them.
- Upcoming rehearsals, gigs, and events are returned through the member portal API and displayed in the mobile app.
- Realtime notification invalidation helps devices refresh when relevant admin changes occur.
- Mobile sessions support the app's token-based flow so members can remain signed in across app launches.
- When service issues occur, the priority is restoring sign-in, schedule access, attendance actions, and notification delivery.
4. NIST Cybersecurity Framework alignment
The NIST Cybersecurity Framework functions are used as a practical structure for describing how the current app identifies data, protects access, supports detection, enables response, and prioritizes recovery.
4.1 Identify
GYOCC identifies the member, schedule, attendance, notification, and administrative data the app needs in order to operate the member portal.
Evidence in the app: The system models members, attendance records, notifications, roles, permissions, sessions, and audit logs as separate operational records.
4.2 Protect
GYOCC protects access through authentication, member-scoped APIs, role-based admin permissions, and limited use of device data for app notifications.
Evidence in the app: Protected backend routes require an authenticated session, and admin routes can require specific permission codenames.
4.3 Detect
GYOCC keeps records that help administrators review sensitive access and operational changes.
Evidence in the app: Admin and auth actions can be written with actor, action, resource, IP address, user agent, and timestamp details.
4.4 Respond
When a privacy, access, or data issue is reported, GYOCC can review the affected account, roles, member record, notifications, and audit history.
Evidence in the app: Role assignments can be revoked, sessions can be signed out, push tokens can be removed, and member records can be reviewed by authorized administrators.
4.5 Recover
GYOCC prioritizes restoring the features members rely on most: sign-in, schedules, attendance, reminders, and member profile access.
Evidence in the app: The app keeps operational data in backend records so service recovery can focus on restoring the member portal and admin workflows.
5. Member choices and retention
Members can manage app notification preferences, sign out of the member account, and contact GYOCC when profile, membership, or account details need to be corrected. Some records, such as attendance, schedule participation, and audit history, may need to be retained for organization operations, safety, accountability, or financial recordkeeping.
6. Contact
For privacy, account, or access questions, contact GenSan Youth Orchestra and Choir Corporation.
- Email: info@gyocc.org
- Phone: +63 908 409 1939
- Address: Ground Floor, Jumabo Building, #23 Kadulasan Street, General Santos City, Philippines