Security
Last updated: 6 May 2026
LIFE connects to your calendar, finances, health data, and relationships. We take that responsibility seriously. Here is exactly how we protect your data.
1. Infrastructure
LIFE is hosted on Supabase (Postgres 15+) and Render, both with SOC 2 Type II compliance. All infrastructure runs in ISO 27001-certified data centres. We do not run our own physical servers.
Database access is restricted to application-level service roles. No direct database access is available from the public internet. All infrastructure changes are version-controlled and reviewed before deployment.
2. Encryption
At rest: All database data is encrypted using AES-256. Credentials for third-party integrations (calendar providers, financial institutions, wearables) are additionally encrypted at the field level before storage — a double-encryption layer for the most sensitive data.
In transit: All data transmitted between your device and our servers uses TLS 1.3. We do not support TLS 1.0 or 1.1. HTTPS is enforced sitewide with HSTS.
Passwords: User passwords are hashed using bcrypt with a minimum cost factor of 12. We never store passwords in plaintext or reversibly encrypted form.
3. Access Control
Row-Level Security (RLS): Every table in LIFE's database has RLS policies enforced at the PostgreSQL engine level. Even if an application bug bypassed our API checks, the database itself enforces that you can only ever read or write your own records.
Principle of least privilege: Application service roles have only the permissions they need. Admin operations use a separate elevated client that never runs in user-facing code paths.
Session security: Sessions use short-lived JWT tokens with automatic rotation. Suspicious activity (multiple failed logins, new device logins) triggers email alerts.
4. Monitoring & Audit
Every INSERT, UPDATE, and DELETE operation in LIFE is logged to an append-only audit table with: timestamp, user ID, entity type, entity ID, action, and a JSON diff of changed fields. This log is immutable from application code.
We run continuous monitoring for anomalous access patterns, unexpected query volumes, and failed authentication attempts. Security alerts are routed to the engineering team 24/7.
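The two engine-level controls described in sections 3 and 4 (owner-only RLS policies and an append-only audit table populated by triggers) can be expressed directly in PostgreSQL. The following is an added illustration, not LIFE's own schema: the table `journal_entries`, the application role `app_user` and the session setting `app.current_user_id` are constructed placeholders (on Supabase the user id would come from `auth.uid()` instead).

```sql
-- Constructed example: a user-owned table protected by RLS, plus an
-- append-only audit log that application code can insert into but never alter.
create table journal_entries (
  id      bigserial primary key,
  user_id uuid not null,
  body    text not null
);

alter table journal_entries enable row level security;
alter table journal_entries force row level security;  -- applies to the owner too

-- Owner-only access: the engine filters every read and checks every write,
-- so a bypassed API check still cannot reach another user's rows.
create policy journal_owner on journal_entries
  for all to app_user
  using      (user_id = current_setting('app.current_user_id')::uuid)
  with check (user_id = current_setting('app.current_user_id')::uuid);

-- Audit table: the app role may append rows only; no UPDATE or DELETE grant.
create table audit_log (
  id          bigserial primary key,
  logged_at   timestamptz not null default now(),
  user_id     uuid,
  entity_type text not null,
  entity_id   text not null,
  action      text not null,
  diff        jsonb
);
revoke all on audit_log from app_user;
grant insert on audit_log to app_user;

-- Trigger function: records who did what to which row, with a JSON diff
-- limited to the fields that actually changed on UPDATE.
create function log_change() returns trigger language plpgsql as $$
declare old_j jsonb := to_jsonb(old); new_j jsonb := to_jsonb(new);
begin
  insert into audit_log (user_id, entity_type, entity_id, action, diff)
  values (
    nullif(current_setting('app.current_user_id', true), '')::uuid,
    tg_table_name,
    (case when tg_op = 'DELETE' then old.id else new.id end)::text,
    tg_op,
    case tg_op
      when 'INSERT' then new_j
      when 'DELETE' then old_j
      else (select jsonb_object_agg(key, value) from jsonb_each(new_j)
            where old_j -> key is distinct from value)
    end);
  return coalesce(new, old);
end $$;

create trigger journal_audit after insert or update or delete on journal_entries
  for each row execute function log_change();
```

Run as a superuser and then connect as `app_user` with `set app.current_user_id = '<uuid>'` to confirm that rows belonging to other ids are invisible and that `update audit_log ...` is refused with a permission error.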
5. Integration Security
All third-party integrations use OAuth 2.0 where available. We request the minimum necessary scopes for each integration. Access tokens are stored encrypted (AES-256 at field level) and are never logged or exposed in API responses.
You can revoke any integration at any time from the LIFE settings. Revocation is immediate — we delete the stored token and the integration ceases to function within seconds.
6. Vulnerability Disclosure
We operate a responsible disclosure programme. If you discover a security vulnerability in LIFE, please report it to [email protected].
Please include: a description of the vulnerability, steps to reproduce, potential impact, and any suggested mitigations. We commit to acknowledging reports within 24 hours, providing an initial assessment within 72 hours, and keeping you informed of our progress.
We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We do not pursue legal action against researchers who follow this policy.
7. Compliance
LIFE is designed to comply with Singapore's Personal Data Protection Act (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR). Our infrastructure providers (Supabase, Render) maintain SOC 2 Type II and ISO 27001 certifications.
We conduct internal security reviews before each major release and engage external security assessments periodically.
8. Contact
Security reports: [email protected]
General security questions: [email protected]
CENTR. Pte. Ltd., Singapore
YOUR DATA, ANSWERED.
- How does LIFE encrypt my data?
- All database data is encrypted at rest with AES-256, and all data in transit uses TLS 1.3. Credentials for connected accounts — calendar providers, financial institutions, wearables — are additionally encrypted at the field level before storage, a double-encryption layer for the most sensitive data. Passwords are hashed with bcrypt at a minimum cost factor of 12 and never stored in plaintext.
- Can anyone else read my data if there's a bug?
- Every table in LIFE's database enforces Row-Level Security at the PostgreSQL engine level. Even if an application bug bypassed our API checks, the database itself guarantees you can only ever read or write your own records. Admin operations use a separate elevated client that never runs in user-facing code paths.
- Is LIFE compliant with privacy regulations?
- LIFE is designed to comply with Singapore's Personal Data Protection Act (PDPA) and, where applicable, the EU General Data Protection Regulation (GDPR). Our infrastructure providers, Supabase and Render, maintain SOC 2 Type II and ISO 27001 certifications, and run in ISO 27001-certified data centres.
- How do I report a security vulnerability?
- LIFE runs a responsible disclosure programme. Report vulnerabilities to [email protected] with a description, reproduction steps, and potential impact. We acknowledge reports within 24 hours, provide an initial assessment within 72 hours, and do not pursue legal action against researchers who follow the policy.