Security isn't a feature. It's the foundation of everything we build.
Data at rest uses AES-256 via the device's secure enclave (iOS Secure Enclave / Android KeyStore). Data in transit uses TLS 1.3 with ECDHE key exchange. Cloud backups are encrypted on-device before transmission — keys are derived on your device and never transmitted to us or any third party.
We cannot decrypt your data. We do not have master keys. Even under legal compulsion, we cannot provide access to data we have no ability to decrypt. Passwords are stored with bcrypt using strong parameters. API authentication uses OAuth 2.0 with PKCE.
Please disclose security vulnerabilities responsibly via our contact form (select 'Bug or security report'). Include a description, reproduction steps, affected versions, and your contact details. We acknowledge within 48 hours and aim to fix issues within 90 days. We credit researchers who report responsibly and never pursue legal action for responsible disclosure.
We follow the NIST Cybersecurity Framework, CWE Top 25, OWASP Top 10, and applicable EU regulations including GDPR. All code changes are peer-reviewed. We run automated security scanning on every commit.
Network eavesdropping (TLS 1.3), server compromise (encrypted data at rest, no plaintext stored), application exploits (input validation, secure coding), insider threats (architecture prevents staff access to user data), third-party breaches (data minimisation and anonymisation). No system is 100% secure — device-level compromise or physical theft with no device lock remain partial mitigations.
Security questions and vulnerability reports: use our contact form and select 'Bug or security report'.
To report a vulnerability or ask a security question, use our contact form — we respond within 48 hours.