Privacy and Security Documentation

GYOCC Official Member Portal

This page explains how GYOCC Official handles member data and how the app's safeguards align with the NIST Confidentiality, Integrity, and Availability triad and the NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, and Recover.

This is a public privacy and security statement for the app. It describes the current application behavior and security approach; it is not a claim of formal NIST certification.

App: GYOCC Official
Audience: Registered GYOCC members and authorized administrators
Primary data use: Membership, schedules, attendance, reminders, alerts, and administrative operations
Last updated: July 1, 2026

1. Scope and app behavior

GYOCC Official is a member portal for GYOCC operations. It is not a public social network, marketplace, or open registration system. The app supports the day-to-day workflows members and authorized staff need for membership, rehearsal, event, attendance, notification, and administrative coordination.

  • Members sign in with email/password or Google authentication.
  • Members can view their profile, membership details, schedules, attendance history, reminders, alerts, and earnings information.
  • Members can RSVP, clock in, clock out where required, and submit attendance-related information for assigned activities.
  • Administrators manage membership, rehearsals, gigs, events, roles, permissions, notifications, reports, equipment, expenses, lessons, and stipends through authenticated tools.
  • The app is intended for registered GYOCC members and authorized organization administrators, not for general public account creation.

2. Data handled by the app

GYOCC Official uses information needed to run the member portal, support attendance workflows, deliver reminders, and let authorized staff administer organization records.

  • Account identity, such as name, email address, profile photo, email verification status, and sign-in session state.
  • Member profile details, such as section, rank, level, voice part or instrument, membership status, join date, and optional phone number.
  • Choir, orchestra, and event activity data, including rehearsals, gigs, events, RSVP status, roles, venues, attendance, clock-in and clock-out times, lateness, early leave records, and excuse review status.
  • Member portal records, including attendance history, upcoming schedules, earnings or stipend summaries, and reminder preferences.
  • Notification data, including in-app notifications, read status, Expo push tokens, platform, device identifier, and last-seen timestamps used to deliver alerts.
  • Administrative and security records, including role assignments, permission checks, audit log entries, IP address, user agent, and timestamps for sensitive admin or auth actions.

3. NIST CIA triad alignment

The CIA triad is used here as an organizing model for how the app protects member information, preserves operational records, and keeps essential member workflows available.

3.1 Confidentiality

Member information is intended for authenticated GYOCC users and authorized administrators only.

  • The mobile member portal requires a valid session before profile, schedule, notification, and attendance data can be viewed.
  • Administrative actions use role-based permissions, with super-admin access separated from regular permission checks.
  • Notifications are scoped to the signed-in recipient, and push tokens are attached to a specific user account.
  • Privacy preferences in the app control what member profile information may be shown in member views.

3.2 Integrity

Attendance, membership, and administrative records are structured to preserve accurate operational history.

  • Attendance records are tied to one member and one activity, with statuses such as Pending, Present, Late, Completed, Excused, NoShow, and Absent.
  • Clock-in and clock-out records store scheduled times, call times, grace minutes, lateness, and early-leave values.
  • Excuse review status and admin notes are stored separately from member-submitted activity actions.
  • Admin and auth actions are written to an append-only audit log model that blocks update operations.

3.3 Availability

The app is designed so members can reach schedules, reminders, and attendance tools when they need them.

  • Upcoming rehearsals, gigs, and events are returned through the member portal API and displayed in the mobile app.
  • Realtime notification invalidation helps devices refresh when relevant admin changes occur.
  • Mobile sessions support the app's token-based flow so members can remain signed in across app launches.
  • When service issues occur, the priority is restoring sign-in, schedule access, attendance actions, and notification delivery.

4. NIST Cybersecurity Framework alignment

The NIST Cybersecurity Framework functions are used as a practical structure for describing how the current app identifies data, protects access, supports detection, enables response, and prioritizes recovery.

4.1 Identify

GYOCC identifies the member, schedule, attendance, notification, and administrative data the app needs in order to operate the member portal.

Evidence in the app: The system models members, attendance records, notifications, roles, permissions, sessions, and audit logs as separate operational records.

4.2 Protect

GYOCC protects access through authentication, member-scoped APIs, role-based admin permissions, and limited use of device data for app notifications.

Evidence in the app: Protected backend routes require an authenticated session, and admin routes can require specific permission codenames.

4.3 Detect

GYOCC keeps records that help administrators review sensitive access and operational changes.

Evidence in the app: Admin and auth actions can be written with actor, action, resource, IP address, user agent, and timestamp details.

4.4 Respond

When a privacy, access, or data issue is reported, GYOCC can review the affected account, roles, member record, notifications, and audit history.

Evidence in the app: Role assignments can be revoked, sessions can be signed out, push tokens can be removed, and member records can be reviewed by authorized administrators.

4.5 Recover

GYOCC prioritizes restoring the features members rely on most: sign-in, schedules, attendance, reminders, and member profile access.

Evidence in the app: The app keeps operational data in backend records so service recovery can focus on restoring the member portal and admin workflows.

5. Member choices and retention

Members can manage app notification preferences, sign out of the member account, and contact GYOCC when profile, membership, or account details need to be corrected. Some records, such as attendance, schedule participation, and audit history, may need to be retained for organization operations, safety, accountability, or financial recordkeeping.

6. Contact

For privacy, account, or access questions, contact GenSan Youth Orchestra and Choir Corporation.

Address:
Ground Floor, Jumabo Building, #23 Kadulasan Street, General Santos City, Philippines