BlankCard

Security

Your trust is our top priority. Learn how we protect your data.


1. Data Encryption

All data is encrypted both in transit and at rest:

  • In Transit: All API communications use TLS 1.3 encryption
  • At Rest: Sensitive data is encrypted using AES-256
  • Database: PostgreSQL with encrypted storage
  • Backups: All backups are encrypted

2. Authentication & Access Control

  • JWT Tokens: Secure, stateless authentication with short-lived access tokens (15 minutes) and refresh tokens (7 days)
  • Secure Storage:
    • iOS: Keychain Services (hardware-backed when available)
    • Android: EncryptedSharedPreferences with Android Keystore
    • Web: httpOnly, Secure cookies
  • Password Requirements: Minimum 8 characters with uppercase, lowercase, and number requirements
  • Rate Limiting: Prevents brute force attacks

3. Infrastructure Security

  • Cloud Infrastructure: Hosted on secure VPS with regular security patches
  • Firewall: Nginx reverse proxy with security headers
  • Network Security: Isolated Docker networks, no public database access
  • Monitoring: System monitoring and logging

4. Application Security

  • Input Validation: All inputs validated and sanitized
  • SQL Injection Protection: Django ORM prevents SQL injection
  • XSS Protection: Django template auto-escaping
  • CSRF Protection: Django's CSRF middleware
  • Dependency Scanning: Regular updates of dependencies
  • Security Headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options

5. Privacy by Design

  • Data Minimization: We collect only what's necessary
  • No Third-Party Tracking: We don't sell or share your data with advertisers
  • User Control: Delete your account and data anytime
  • GDPR/CCPA Compliance: Respects international privacy regulations

6. Card Security

  • Password Protection: Optional password protection for sensitive cards (SHA-256 hashing)
  • Deep Linking: Secure URL validation and card ID verification
  • Analytics Privacy: IP addresses are hashed, no PII in analytics
  • Content Safety: Automated content scanning (future feature)

7. Third-Party Integrations

We partner with trusted services:

  • Thailate: Chat functionality - secure messaging platform
  • Theemail.host: Calendar scheduling - secure booking platform
  • Cloudflare: CDN and DDoS protection for web assets

All integrations use secure API connections with proper authentication.

8. Incident Response

In the event of a security incident:

  • Detection: Continuous monitoring for unusual activity
  • Response: Immediate investigation and containment
  • Notification: Affected users notified within 72 hours
  • Remediation: Root cause analysis and security patches

9. Reporting Security Issues

We take security seriously. If you discover a vulnerability, please report it responsibly:

Email: security@blankcard.app

We commit to acknowledging reports within 24 hours and keeping you informed throughout the resolution process.

10. Compliance

  • GDPR: Compliant with General Data Protection Regulation (EU)
  • CCPA: Compliant with California Consumer Privacy Act
  • SOC 2: In progress (target: Q3 2024)
  • HIPAA: Available for enterprise customers (contact for details)

11. Questions About Security

For security-related questions or concerns:

Email: security@blankcard.app

Documentation: See our Privacy Policy for more details

© 2024 BlankCard. All rights reserved.