Security Overview

Security is not a feature we added after the fact. It is a foundational requirement that shapes how we build, deploy, and operate our products.

This page describes our practices in plain terms. If you need a formal security assessment, contact security@svair.org.

Infrastructure

Our products run on enterprise-grade cloud infrastructure in data centres that are physically secured and audited regularly. We do not operate our own hardware. We use providers with established security certifications and strong track records.

Our systems are isolated by product and by customer type. We use separate environments for development, staging, and production. Access between environments is restricted and logged.

Encryption

All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256. Encryption keys are managed separately from the data they protect and rotated regularly.

For Ciphr, our encrypted notes product, encryption happens before data leaves your device. We cannot read your Ciphr data even if compelled to.

Employee access

Access to customer data is restricted to employees who need it to perform their role. We use role-based access controls, review permissions quarterly, and revoke access immediately when someone leaves the company.

We log all internal access to customer data. Employees are trained on security practices as part of onboarding and annually thereafter.

Authentication

We support two-factor authentication for all accounts and strongly encourage its use. Passwords are stored using a modern, salted hashing algorithm — we cannot retrieve your password, only reset it.

We monitor login activity for suspicious patterns and may lock accounts and notify users if anomalous activity is detected.

Incident response

We maintain a documented incident response plan. In the event of a security breach affecting customer data, we will:

• Investigate and contain the incident promptly
• Notify affected users within seventy-two hours of confirming a breach
• Explain what happened, what data was affected, and what steps we are taking
• Report to relevant authorities where required by law

Reporting a vulnerability

If you discover a security vulnerability in any Svair product, please report it to security@svair.org before disclosing it publicly. We will acknowledge receipt within twenty-four hours, investigate promptly, and keep you informed of our progress.

We do not pursue legal action against security researchers who act in good faith. We ask only that you give us a reasonable amount of time to address the issue before publishing.

We currently offer acknowledgement to researchers who responsibly disclose valid vulnerabilities. We are building toward a formal bug bounty programme.