Trust Center
Security practices
A summary of the technical and operational controls in place today. This describes app-visible behavior — it is not a third-party audit and does not imply certification under any specific framework.
Encryption
- In transit: all traffic to the app and its APIs is served over HTTPS with modern TLS. Non-TLS requests are redirected.
- At rest: application data (accounts, assessments, roadmap progress) is stored in our managed backend provider's database and encrypted at rest by that provider.
- Secrets (API keys, provider credentials) are stored in a managed secret store and are never committed to source control.
Authentication & access
- Sign-in supports email + password and Google. Passwords are hashed by the backend provider — we never see or store your password.
- Sessions use short-lived access tokens with refresh rotation, delivered over HTTPS-only channels.
- You can change your password or sign out of all devices from your account settings.
Data separation
Every table that stores user data has row-level security enabled at the database layer. Policies restrict reads and writes to the authenticated owner of each record, so one user's account, answers, or roadmap cannot be accessed by another. Administrative access is separated behind a role check.
Application security
- Input from the browser is validated on the server before it reaches the database.
- Dependencies are updated regularly and scanned for known vulnerabilities.
- Production deployments run on a managed, sandboxed serverless runtime.
Incident response
If we confirm a security incident affecting your data, we will notify affected users by email at the address on their account with what happened, what data was involved, and what steps we took. Notifications are sent without undue delay after confirmation.
To report a suspected vulnerability or active incident, email hello@freedomscoreapp.com. Include a clear description and, where safe, reproduction steps. Please practice responsible disclosure and do not access accounts that are not yours.
What we don't claim
We don't claim certification under SOC 2, ISO 27001, HIPAA, PCI, or similar frameworks. If your organization needs a specific certification or contractual commitment, please reach out before relying on the product for regulated data.
Related
See our privacy notice and Trust Center overview.
Built to be trusted
Trust Center →Encrypted end-to-end
TLS in transit, encrypted at rest on managed infrastructure.
Row-level security
Your data is scoped to your account at the database layer.
AI you can audit
Guidance is educational, cites your inputs, and is never advice.
Your data, your control
Export or delete your account and answers at any time.
