Authentication
- Industry-standard email + password with bcrypt-hashed passwords.
- Optional Google sign-in via OAuth 2.0.
- Sessions use signed JWTs with short-lived access tokens and rotating refresh tokens.
- Password resets require email verification.
Data isolation
Every database table has row-level security enforced at the Postgres layer. Even if an application bug bypassed our own checks, the database would refuse to return another user's data. We treat RLS as a second line of defense, not the first.
Encryption
- In transit: TLS 1.3 everywhere. HSTS preloaded.
- At rest: AES-256 on all database volumes and backups.
- Secrets: service keys live in encrypted server environments, never in client code.
Location data
We don't run background location collection. Location is captured only when you check in (optional) or trigger SOS, and shared with your circle only when needed. No third-party ad SDKs.
Backups & continuity
- Continuous point-in-time backups for the last 7 days.
- Daily snapshots retained for 30 days, geographically redundant.
- Tested recovery procedure every quarter.
Vendor security
Sub-processors (Lovable Cloud, OneSignal, Resend, Stripe) are SOC 2 / ISO 27001 certified and bound by data processing agreements.
Responsible disclosure
Found a vulnerability? Email security@checkon.appwith details and a proof-of-concept. We aim to respond within 24 hours and offer bounties for valid reports — from a thank-you to USD 5,000 for critical issues. Please don't publish until we've had a chance to fix it.
Your role
- Use a unique, strong password (or a password manager).
- Keep your email account secure — it's the recovery path.
- Review the people in your circles regularly.