Security
This page is maintained by the Project Alibi team to describe the security controls active in the app. It is not a certification and does not replace an independent audit. Security is a shared responsibility: we run the platform and enforce these controls; you protect your credentials and second-factor devices.
Client-side vault encryption
Vault items are encrypted on your device before upload. Ciphertext, IV, and salt are stored — the server never sees plaintext.
Two-factor authentication
Optional TOTP two-factor authentication can be enabled in Settings, enforced on every sign-in.
Row-level security
Every row in our database is scoped to its owner via row-level security policies — users can never read each other's data.
Real-time intrusion alerts
Failed biometric attempts and PIN bypasses on registered devices trigger alerts across your linked devices.
Reporting a vulnerability
If you believe you've found a security issue, please contact us through the support channel in your account settings. Do not exploit or share the issue publicly before we've had a chance to respond.