Trust Center

Security practices

A summary of the technical and operational controls in place today. This describes app-visible behavior — it is not a third-party audit and does not imply certification under any specific framework.

Encryption

  • In transit: all traffic to the app and its APIs is served over HTTPS with modern TLS. Non-TLS requests are redirected.
  • At rest: application data (accounts, assessments, roadmap progress) is stored in our managed backend provider's database and encrypted at rest by that provider.
  • Secrets (API keys, provider credentials) are stored in a managed secret store and are never committed to source control.

Authentication & access

  • Sign-in supports email + password and Google. Passwords are hashed by the backend provider — we never see or store your password.
  • Sessions use short-lived access tokens with refresh rotation, delivered over HTTPS-only channels.
  • You can change your password or sign out of all devices from your account settings.

Data separation

Every table that stores user data has row-level security enabled at the database layer. Policies restrict reads and writes to the authenticated owner of each record, so one user's account, answers, or roadmap cannot be accessed by another. Administrative access is separated behind a role check.

Application security

  • Input from the browser is validated on the server before it reaches the database.
  • Dependencies are updated regularly and scanned for known vulnerabilities.
  • Production deployments run on a managed, sandboxed serverless runtime.

Incident response

If we confirm a security incident affecting your data, we will notify affected users by email at the address on their account with what happened, what data was involved, and what steps we took. Notifications are sent without undue delay after confirmation.

To report a suspected vulnerability or active incident, email hello@freedomscoreapp.com. Include a clear description and, where safe, reproduction steps. Please practice responsible disclosure and do not access accounts that are not yours.

What we don't claim

We don't claim certification under SOC 2, ISO 27001, HIPAA, PCI, or similar frameworks. If your organization needs a specific certification or contractual commitment, please reach out before relying on the product for regulated data.

Related

This page is maintained by the Freedom Score App team to answer common trust, security, and privacy questions about the product. It describes practices and platform features in effect today — it is not an independent certification or audit. Have a concern or a report? hello@freedomscoreapp.com.

Built to be trusted

Trust Center →
  • Encrypted end-to-end

    TLS in transit, encrypted at rest on managed infrastructure.

  • Row-level security

    Your data is scoped to your account at the database layer.

  • AI you can audit

    Guidance is educational, cites your inputs, and is never advice.

  • Your data, your control

    Export or delete your account and answers at any time.