Security

This page is maintained by the Project Alibi team to describe the security controls active in the app. It is not a certification and does not replace an independent audit. Security is a shared responsibility: we run the platform and enforce these controls; you protect your credentials and second-factor devices.

Client-side vault encryption

Vault items are encrypted on your device before upload. Ciphertext, IV, and salt are stored — the server never sees plaintext.

Two-factor authentication

Optional TOTP two-factor authentication can be enabled in Settings, enforced on every sign-in.

Row-level security

Every row in our database is scoped to its owner via row-level security policies — users can never read each other's data.

Real-time intrusion alerts

Failed biometric attempts and PIN bypasses on registered devices trigger alerts across your linked devices.

Reporting a vulnerability

If you believe you've found a security issue, please contact us through the support channel in your account settings. Do not exploit or share the issue publicly before we've had a chance to respond.