Detailed Security Statement

Last Updated: February 21, 2026

3.1 Network and Transport Security

End-to-End Encryption: All traffic between our mobile clients and the centralized server is forced over HTTPS using TLS 1.3 with strong cipher suites; plaintext HTTP is not accepted.

API Security: Our RESTful API uses JSON Web Tokens (JWT) for stateless authentication, so every request carries a signed token that is verified before the request is served.

3.2 Application and Data Security

Database Isolation: We employ a client-server architecture where the database is not directly accessible from the public internet. All queries must pass through a secured API layer.

Hashing Standards: We use the Argon2 or bcrypt password-hashing algorithms for password storage, so that even if the database is leaked, the stored hashes cannot be reversed to recover plaintext passwords.

Injection Prevention: We use parameterized queries and an Object-Relational Mapper (ORM) so that user input is never concatenated into SQL statements, eliminating the risk of SQL injection.

3.3 Mobile-Specific Protections (Android)

Code Obfuscation: We use R8/ProGuard to shrink and obfuscate our Kotlin code, making it significantly harder for malicious actors to reverse-engineer our application logic.

Secure Storage: Sensitive session tokens are protected with keys held in the Android Keystore System, which keeps key material non-exportable and, on devices with a TEE or StrongBox, hardware-backed.