Security

Overview

We follow a defence-in-depth approach: secure-by-default configuration, least-privilege access, and layered protections across the app, API and infrastructure.

Authentication & sessions

• Passwords are hashed with Argon2id, a modern memory-hard algorithm — never stored in plain text.
• Login uses short-lived access tokens with refresh-token rotation, so sessions can be revoked.
• One-time passcodes (OTP) support mobile sign-in, with attempt limits and expiry.
• You can review active devices/sessions, and deleting your account revokes them all.

Encryption

• All traffic between apps and our servers is encrypted in transit using TLS.
• On mobile, authentication tokens are kept in the device's secure storage (iOS Keychain / Android Keystore).
• Uploaded media is stored in access-controlled object storage; backups are encrypted.

Access control & multi-tenant isolation

• Role-based access control (admin, supervisor, guard) governs what each user can see and do.
• Each organisation's data is logically isolated by Workspace (tenant) to prevent cross-tenant access.
• Server-side authorization checks run on every request — the client is never trusted for access decisions.
• Audit logging records key actions (with timestamps and source IP) for accountability.

Platform & API hardening

• Strict input validation and allow-listing reject malformed or unexpected data.
• Rate limiting protects sensitive endpoints (such as login, export and account deletion) from abuse.
• A strict CORS allow-list governs which web origins may call the API; wildcards are never used.
• Dependencies are kept up to date, and secrets are managed outside source code.

Your part in security

Security is shared. Use a strong, unique password, enable device security, keep the app updated, and never share credentials or one-time codes. Review our Acceptable Use Policy for more.

Report a vulnerability