Security

Security is a release gate, not a footer claim.

Unleft uses layered controls, verification, and rollback to protect private user content while being honest about limits.

Security standard: Unleft uses the OWASP Mobile Application Security Verification Standard and platform guidance as a verification baseline. This is not a certification or a promise that risk can be eliminated.

1. Security approach

Unleft treats saved cards, screenshots, photos, papers, and voice notes as private user content. Security work focuses on account isolation, secure session handling, least-privilege cloud access, safe local storage, tested deletion, and reliable recovery.

2. Authentication and sessions

Email one-time codes and Sign in with Apple may be used for account access. Session credentials are stored using encrypted native secure storage on supported devices. Users should protect access to their email account, Apple account, and device passcode.

3. Local data and account isolation

Before public launch, local databases and managed attachments must be scoped to the authenticated account so that signing out or switching accounts cannot reveal another account’s content. Migration, rollback, and count verification are required before existing data is moved.

4. Cloud controls

Authenticated cloud data uses per-user database and storage access rules. Administrative credentials and private signing keys are never placed in the mobile app. Network communication uses encrypted transport provided by the platform and service providers.

5. Development controls

  • Secrets scanning and environment separation
  • Dependency and privacy-manifest review
  • Database and row-level security tests
  • Account-switch and destructive-restore tests
  • Build, source, and artifact checkpoints with rollback
  • Production logs designed to avoid private card content

6. Vulnerability reporting

Good-faith security reports can be sent to hello@unleft.app. Include the affected feature, steps to reproduce, impact, and a safe contact method. Do not access another person’s data, disrupt the service, or publicly disclose an unpatched issue.

7. Incident response

Confirmed incidents are triaged by severity, contained, investigated, documented, and communicated when required by law or necessary to protect users. Credentials may be revoked and affected features may be disabled during containment.

8. Limits

No system can guarantee absolute security. Unleft should not be the only record for emergency, medical, legal, financial, or safety-critical obligations.

Last updated: June 30, 2026