Security
How we protect your data and how to report a vulnerability.
Last updated: April 2026
How we protect your data
Transport security
All communication between the app and our servers uses TLS 1.2 or higher. Mobile clients additionally pin our server certificate: a connection is rejected if the server presents a certificate other than the expected one, even if that certificate chains to a CA the device already trusts.
Password storage
Passwords are never stored in plaintext. Each password is hashed with bcrypt, which generates a random salt per password and stores it as part of the hash string, so only the bcrypt hash ever reaches our database and two users with the same password produce different hashes.
Infrastructure
Our API runs on Cloudflare Workers, a globally distributed edge runtime that executes code in V8 isolates. We operate no servers of our own: the runtime and the hosts it runs on are maintained and patched by Cloudflare, and each request is handled inside an isolate that is separated from other tenants' code. DDoS mitigation and WAF filtering are applied by Cloudflare at the network edge before a request reaches the Worker.
Local-first scanning
Network scans run entirely on your device. Raw network data is never transmitted to our servers. Only structured, anonymised summaries are sent, and only when you explicitly opt into cloud backup.
Access control
Production systems follow the principle of least privilege. Administrative access requires a strong secret token in addition to infrastructure-level access controls. No developer can read plaintext user passwords, because none are stored; only bcrypt hashes are.
Vulnerability disclosure
We take security seriously. If you discover a vulnerability in Santinela (the app, API, or website), please report it to us privately and give us time to fix it before disclosing it publicly.
How to report
Email security@santinela.app with:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept
- Your contact details (optional, for follow-up)
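Many researchers check for a machine-readable security.txt (RFC 9116) at /.well-known/security.txt before emailing. The file below is an added example of what such a file would look like for this policy; it is not a file the Santinela site is known to publish. The contact address and site name are taken from this page; the Policy URL, the Expires date and the Canonical path are assumptions.

```text
# Example security.txt for santinela.app (added illustration, not published by the project)
# RFC 9116 requires Contact and Expires; the other fields are optional.
Contact: mailto:security@santinela.app
# Expires must be an ISO 8601 timestamp and should be less than a year out;
# the date below is an assumption and must be refreshed when the policy is reviewed.
Expires: 2027-04-01T00:00:00.000Z
Preferred-Languages: en
# Canonical tells clients where the authoritative copy of this file lives (assumed path).
Canonical: https://santinela.app/.well-known/security.txt
# Policy should point at the full disclosure policy; this URL is an assumption.
Policy: https://santinela.app/security
```

The file must be served over HTTPS at the /.well-known/ path, as plain text, and it should be regenerated before the Expires date passes, since an expired file signals to reporters that the contact details may be stale.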
What to expect
- Acknowledgement within 3 business days
- Status update within 10 business days
- Fix and disclosure timeline agreed with you for significant issues
Scope
In scope: the Santinela mobile app (iOS, Android), desktop app (macOS, Windows), API (api.santinela.app), and this website (santinela.app).
Out of scope: volumetric DoS attacks, social engineering of staff, physical attacks, issues in third-party dependencies already reported upstream.
Safe harbour
We will not pursue legal action against researchers who report vulnerabilities in good faith, avoid accessing or modifying user data, and give us reasonable time to remediate before public disclosure.
Bug bounty
We do not currently operate a formal paid bug bounty programme. We acknowledge every valid report publicly (with your permission) and plan to introduce rewards as the project matures.