Skip to content

Legal

Security

Our products hold the conversations of millions of people. We treat security as a permanent surface, not a release event, and we hold our own systems to the standard we would want for our own accounts.

Program

Every system we operate sits under a documented threat model that is reviewed quarterly. Major releases ship only after a security review against that model. Security ownership sits with the same senior cell that builds and runs the product, so the people accountable for a system are the people who secure it.

Encryption

Data is encrypted in transit using current TLS, and at rest using industry-standard algorithms. End-to-end encryption is available on products that opt into it and is the default on premium tiers. Keys are managed in a dedicated key management service with strict access controls.

Access control

Production access is short-lived, audited, and limited to the on-call rotation. Access requires multi-factor authentication and follows least privilege. Member data is segregated and never copied to engineer machines or to environments that are not built to hold it.

Monitoring and response

We log security-relevant events, alert on anomalies, and run a documented incident response process with defined roles and timelines. Where an incident affects personal data, we notify affected people and regulators as the applicable law requires.

Audits and assurance

We engage an external party to assess our systems on a regular cadence and after significant changes. We maintain internal controls aligned to recognized industry frameworks, and we make relevant assurance information available to partners under NDA.

Vendor security

We hold the service providers that touch our data to contractual security and privacy commitments, review their posture before we onboard them, and keep the list of categories current. See our data processing page for more.