Trust
Security
Conflict resolution requires a high-trust environment. Here's how we protect yours.
Encryption in transit
All communication between the app, backend API, and AI providers is encrypted with TLS 1.3. Certificate pinning is enforced in the mobile clients.
Encryption at rest
Session responses and resolution documents are encrypted at rest using AES-256. Database backups are encrypted before leaving our infrastructure.
Access control
Production access requires multi-factor authentication and is restricted to a small set of engineers with a documented need. Access is reviewed quarterly.
Payment security
Payments are handled by Stripe, a PCI DSS Level 1 certified provider. FactCircles never touches or stores raw card data.
Incident response
We maintain a documented incident response plan. In the event of a breach affecting personal data, we notify affected users within 72 hours, consistent with GDPR obligations.
Vulnerability disclosure
Found a security issue? Please email security@factcircles.app. We respond within 5 business days and follow responsible disclosure practices.
AI provider security (Grok / xAI)
Session content is sent to xAI's Grok API over TLS. xAI processes this data as a data sub-processor under a data processing agreement with appropriate security guarantees. Responses from the API are not stored by xAI for training purposes under our agreement.
Backend infrastructure
The FactCircles backend is deployed on isolated cloud infrastructure with network-level segmentation between services. The database is not publicly accessible — it is only reachable from the application layer within a private VPC. Secrets are managed via a secrets management service and rotated regularly.
Mobile app security
The iOS and Android apps are distributed exclusively through the App Store and Google Play. Authentication tokens are stored in the platform's secure enclave (Keychain on iOS, Keystore on Android). The apps do not log sensitive content to local storage.
Session privacy
Session content is only accessible to participants of that session and authorised FactCircles engineers for support purposes. Participants cannot view each other's responses until the facilitator has processed them — responses are submitted blind to prevent anchoring bias.
Report a vulnerability
We welcome responsible disclosure. Email security@factcircles.app with details. Please do not publicly disclose vulnerabilities until we've had a chance to remediate. We do not take legal action against researchers acting in good faith.