General principles
Security is considered during product design and engineering. Specific controls depend on the app use case, data sensitivity, account model, infrastructure, and platform features.
Secure defaults
We prefer platform best practices for authentication and storage, limit access to what the app actually needs, use encrypted channels for data in transit, and keep dependencies and platforms current.
Sensitive apps
Apps handling sensitive data or regulated workflows require additional discovery, security requirements, documented assumptions, and implementation choices aligned to the risk profile.
Access and operations
Operational access should be limited, controlled, and appropriate to the support model agreed for the product. More complex apps may need additional monitoring, support terms, and escalation expectations.
Responsible disclosure
Security concerns should be reported through the support or contact channel with enough detail to reproduce and assess the issue. Please avoid accessing, modifying, or exposing data that is not yours.