Security

Last updated: March 27, 2026

1. Data Encryption

We protect your data using multiple layers of encryption:

• In Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security)
• At Rest: Your documents and personal information are encrypted using AES-256 encryption when stored
• Passwords: User passwords are hashed using bcrypt with a work factor of 12, never stored in plain text

2. Authentication Security

We implement robust authentication measures:

• Secure session management with HTTP-only cookies
• Automatic session timeout after inactivity
• Rate limiting to prevent brute force attacks
• Account lockout after multiple failed login attempts
• Email verification for new accounts

3. Infrastructure Security

Our infrastructure is protected by:

• Regular security patches and updates
• Firewalls and intrusion detection systems
• DDoS protection and mitigation
• 24/7 monitoring by security teams
• Regular penetration testing and vulnerability assessments

4. Secure Development Practices

We follow secure coding practices:

• Code reviews before deployment
• Automated security scanning in CI/CD pipeline
• Dependency vulnerability monitoring
• Regular security training for developers
• Bug bounty program for responsible disclosure

5. Data Protection

We protect your personal information through:

• Strict access controls and need-to-know basis for staff
• Regular data backups with encryption
• Data minimization practices
• Secure deletion protocols
• Compliance with GDPR and other privacy regulations

6. User Security Best Practices

7. File Upload Security

When you upload files, we implement additional security measures:

• File type validation (only allowed formats)
• File size limits to prevent denial-of-service attacks
• Malware scanning for uploaded content
• Sandboxed processing environment
• Automatic removal of executable content

8. Third-Party Security

We carefully vet all third-party services and libraries:

• Regular security audits of third-party dependencies
• Only trusted, open-source libraries with active maintenance
• Content Security Policy (CSP) to prevent XSS attacks
• Subresource Integrity (SRI) for CDN resources

9. Incident Response

We have a comprehensive incident response plan:

• 24/7 security monitoring and alerting
• Immediate containment procedures
• User notification within 72 hours if data breach occurs
• Post-incident analysis and improvements
• Regular incident response drills

10. Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

• Email: security@callimachus.app
• PGP Key: Available upon request
• Please provide detailed steps to reproduce
• Allow 72 hours for initial response
• We offer recognition in our security hall of fame

11. Security Certifications

We maintain compliance with:

• ISO 27001 (Information Security Management)
• GDPR (General Data Protection Regulation)
• CCPA (California Consumer Privacy Act)
• PCI DSS (Payment Card Industry) - where applicable

12. Regular Security Audits

Our security program includes:

• Quarterly internal security assessments
• Annual third-party penetration testing
• Continuous vulnerability scanning
• Security awareness training for all employees