We Take Security Seriously
Here's what we actually do to protect your data
We're a small team building something people trust with their identity and personal info. That's heavy. So we don't mess around with security. Not because we're scared of lawsuits (well, partly), but because getting hacked would literally kill the company and screw over everyone using the app.
Encryption (The Boring but Important Part)
Everything you send to us travels through an encrypted tunnel (TLS 1.3). If someone intercepts your internet traffic, they see gibberish, not your data. Even your ISP can't read it.
Data sitting in our database is encrypted at rest with AES-256. That's military-grade encryption. If someone physically steals our hard drives, they can't read anything without the decryption key (which lives somewhere else).
Voice prompts? Encrypted end-to-end. Your voice never travels unencrypted. We literally couldn't listen to them even if we wanted to.
Passwords (How We Don't Store Them)
We never store your actual password. We run it through bcrypt with a salt, which turns it into an irreversible hash. If someone steals our database, they get useless strings of characters.
Identity verification happens through Singpass. Singapore's government confirms you're you. We don't guess, we don't maintain a password database—Singpass does the heavy lifting.
When you log in, you get a session token that expires automatically. Sensitive actions (like changing your email or deleting your account) require you to authenticate again.
The API (How We Stop Attackers)
Too many failed login attempts? Your account locks automatically. This stops brute-force attacks where someone runs millions of password guesses.
Every piece of data you send gets validated before we do anything with it. Malicious code can't sneak in. We also use CSRF tokens to stop attackers from tricking you into doing things you don't want to do.
Only our apps and websites can talk to our API. Random sites can't make requests pretending to be you. We're strict about this.
Payment Stuff (We Don't Actually Handle It)
Credit card numbers go straight to Stripe or PayPal. We never see them. These companies are PCI-DSS certified, which means they've been audited up the wazoo for security. They're way better at handling payments than we'd ever be.
We see transaction records and subscription status. That's it. We don't have access to card numbers, expiration dates, or CVV codes.
Access Control (Not Everyone on Our Team Sees Everything)
If you come to us with a support issue, the support person can see your account info. They can't see your password or payment details. Our engineering team can access databases for debugging, but we rotate who has access and log what they look at.
Nobody's casually poking around your data. It's locked down.
Backups & Disaster Recovery
We back up data daily to secure, geographically separate locations. If our main servers catch fire tomorrow, we can recover everything from a backup.
When you delete your account, we purge all data within 90 days. It's gone from backups too (we only keep recent backups anyway).
Monitoring (We're Watching for Trouble)
We monitor login patterns 24/7. Weird spike in logins from Russia? Automated system flags it. Someone trying to download your entire profile? We catch it. Unusual API activity? We see it.
If we detect something suspicious, we respond immediately. We don't wait around hoping it's nothing.
What You Need to Do
Use a password that's not "password123." Mix up uppercase, lowercase, numbers, and symbols. We enforce this—you can't set a weak password.
Don't share your login with anyone. Ever. Not even your partner. We won't ask for your password via email or chat. If someone asks, it's not us.
Keep your phone updated. That's where the app lives—if your device is compromised, we can't protect you.
See something weird? An unexpected email, a login you didn't make, anything that doesn't smell right? Tell us immediately at security@bondingbowls.com. We'll investigate.
Security Vulnerabilities (Responsible Disclosure)
Found a security hole? Tell us before you tell anyone else. Email security@bondingbowls.com with details. Include what you found, how you found it, and why it matters.
We'll acknowledge within 24 hours, work on a fix, and credit you (if you want). We won't sue you. We won't ban you. We appreciate people who find problems responsibly so we can fix them.
Security questions: security@bondingbowls.com
Privacy questions: privacy@bondingbowls.com
We actually read these and respond. Usually within a day.
