🔒 Security Practices

Our Commitment to Security

At 24/7 Life Events, security isn't an afterthought—it's the foundation of everything we build. We understand that you're trusting us with sensitive personal information, and we take that responsibility seriously.

Encryption

Data at Rest

All data stored in our database is encrypted using AES-256 encryption, the same standard used by banks and government agencies. This means:

• Your life events and notes are encrypted before being written to disk
• Uploaded documents are encrypted with unique keys
• Database backups are also encrypted
• Even if our database were compromised, the data would be unreadable without your password

Data in Transit

All communication between your device and our servers uses TLS 1.3 encryption:

• Every page, every API call, every file upload is encrypted
• We enforce HTTPS across the entire application
• HTTP connections are automatically redirected to HTTPS
• We use HSTS (HTTP Strict Transport Security) to prevent downgrade attacks

Password Security

Your password is never stored in plain text. We use bcrypt hashing with:

• High iteration counts (cost factor of 12)
• Unique salts for each password
• One-way hashing (we can verify but never recover your password)
• Automatic rehashing when you sign in (if security standards improve)

Infrastructure

Hosting & Data Centers

We use Supabase for our infrastructure, which provides:

• SOC 2 Type II Certified infrastructure
• Enterprise-grade data centers with 24/7 physical security
• Automated backups with point-in-time recovery
• Geographic redundancy across multiple availability zones
• 99.9% uptime SLA

Application Security

Our application follows security best practices:

• Row Level Security (RLS): Database-level access control ensures users can only access their own data
• SQL Injection Protection: Parameterized queries prevent SQL injection attacks
• XSS Protection: Input sanitization and output encoding prevent cross-site scripting
• CSRF Protection: Token-based protection against cross-site request forgery
• Rate Limiting: Protection against brute force and DDoS attacks

File Upload Security

When you upload documents (passports, insurance cards, etc.), we:

• Validate file types and reject executables (.exe, .sh, .bat, etc.)
• Scan file contents to detect renamed malicious files
• Limit file sizes to 10MB per file
• Store files with unique, unpredictable names
• Encrypt files before storing them
• Use signed URLs for secure, time-limited access
• Automatically delete files when you delete your account

Privacy & Data Handling

What We Collect

We collect only what's necessary to provide the service:

• Email address (for authentication and reminders)
• Life events you create (encrypted)
• Documents you upload (encrypted)
• Basic usage analytics (page views, feature usage)

What We DON'T Collect

• No browsing history or cookies for tracking
• No third-party analytics scripts (Google Analytics, Facebook Pixel, etc.)
• No selling or sharing data with advertisers
• No data mining or profiling

Data Retention

• Your data is retained as long as your account is active
• When you delete your account, all data is permanently removed within 30 days
• We don't keep "soft deletes" or hidden backups
• You can export your data anytime before deletion

Compliance

GDPR General Data Protection Regulation

We comply with GDPR requirements:

• Right to Access: Export your data anytime from settings
• Right to Deletion: Permanently delete your account and all data
• Right to Portability: Download your data in JSON format
• Right to Rectification: Edit your data anytime
• Data Minimization: We collect only what's necessary
• Purpose Limitation: Data is used only for the stated purpose

CCPA California Consumer Privacy Act

California residents have additional rights:

• Know what personal information we collect
• Know whether we sell or share personal information (we don't)
• Opt-out of data sales (not applicable—we don't sell data)
• Request deletion of personal information
• Non-discrimination for exercising privacy rights

Incident Response

In the unlikely event of a security incident:

• We'll notify affected users within 72 hours
• We'll provide clear information about what happened
• We'll explain what data was affected
• We'll detail the steps we're taking to prevent future incidents
• We'll offer credit monitoring if sensitive data was exposed

Continuous Improvement

Security is an ongoing process. We:

• Regularly update dependencies to patch vulnerabilities
• Monitor security advisories for our infrastructure providers
• Conduct security reviews of new features before deployment
• Implement automated security scanning in our development pipeline
• Welcome responsible disclosure from security researchers

Questions?

If you have questions about our security practices, please contact us at hello@247lifeevents.com