Security

Last Updated: November 30, 2025


Our Security Commitment

At TimOS, security is not an afterthought - it's foundational to our architecture. We are a compliance company first, and we build products that reflect enterprise-grade security practices from the ground up.

Encryption Architecture

Envelope Encryption

All user content is protected using a two-layer envelope encryption scheme:

  • Master Encryption Key (MEK): AES-256-GCM key stored in a secure key vault
  • Data Encryption Key (DEK): Per-user key encrypted by the MEK
  • Content Encryption: User data encrypted with their unique DEK

Crypto-Shredding

When you delete your account, your DEK is permanently destroyed. Without the key, your encrypted data becomes cryptographically unrecoverable - even by us.
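The two-layer scheme and the crypto-shredding step above, written out as a runnable Go example. This is an added illustration, not TimOS's own code: it assumes an in-memory key vault (a map of wrapped DEKs keyed by user ID), prepends the random GCM nonce to each ciphertext, binds the wrapped DEK to its user ID via AES-GCM associated data, and models shredding as zeroing and deleting the wrapped DEK while the content ciphertext is left in place.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// gcmSeal encrypts plaintext under a 32-byte AES-256-GCM key.
// A fresh random nonce is generated per call and prepended to the output.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if the key, nonce, tag or aad do not match.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Vault is an assumed in-memory stand-in for a key vault: it holds the MEK
// and, per user, the DEK wrapped (encrypted) under the MEK.
type Vault struct {
	mek        []byte
	wrappedDEK map[string][]byte
}

// NewVault generates a random 256-bit master encryption key.
func NewVault() (*Vault, error) {
	mek := make([]byte, 32)
	if _, err := rand.Read(mek); err != nil {
		return nil, err
	}
	return &Vault{mek: mek, wrappedDEK: map[string][]byte{}}, nil
}

// ProvisionUser creates a per-user DEK and stores only its MEK-wrapped form.
func (v *Vault) ProvisionUser(userID string) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	wrapped, err := gcmSeal(v.mek, dek, []byte(userID)) // user ID as AAD binds the wrap
	if err != nil {
		return err
	}
	v.wrappedDEK[userID] = wrapped
	return nil
}

// userDEK unwraps the user's DEK; it errors once the DEK has been shredded.
func (v *Vault) userDEK(userID string) ([]byte, error) {
	wrapped, ok := v.wrappedDEK[userID]
	if !ok {
		return nil, errors.New("no DEK for user: unknown or crypto-shredded")
	}
	return gcmOpen(v.mek, wrapped, []byte(userID))
}

// EncryptContent encrypts user data with that user's DEK (content layer).
func (v *Vault) EncryptContent(userID string, content []byte) ([]byte, error) {
	dek, err := v.userDEK(userID)
	if err != nil {
		return nil, err
	}
	return gcmSeal(dek, content, nil)
}

// DecryptContent recovers user data; it fails after shredding or with another user's DEK.
func (v *Vault) DecryptContent(userID string, sealed []byte) ([]byte, error) {
	dek, err := v.userDEK(userID)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, sealed, nil)
}

// CryptoShred destroys the wrapped DEK. Content ciphertext may remain in
// storage or backups, but without the DEK it cannot be decrypted.
func (v *Vault) CryptoShred(userID string) {
	if w, ok := v.wrappedDEK[userID]; ok {
		for i := range w {
			w[i] = 0
		}
		delete(v.wrappedDEK, userID)
	}
}

func main() {
	v, _ := NewVault()
	_ = v.ProvisionUser("alice")
	ct, _ := v.EncryptContent("alice", []byte("constructed sample note"))
	pt, err := v.DecryptContent("alice", ct)
	fmt.Printf("before shred: %q err=%v\n", pt, err)
	v.CryptoShred("alice")
	_, err = v.DecryptContent("alice", ct)
	fmt.Printf("after shred: err=%v\n", err)
}
```

Two properties are worth checking in any real deployment of this pattern: a DEK wrapped for one user must not unwrap for another (the AAD binding above enforces that), and decryption of retained ciphertext must fail cleanly, not panic, once the DEK is gone. The MEK itself should live in an HSM or managed key service rather than process memory as modelled here.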

Authentication Security

  • Multi-Factor Authentication: TOTP-based MFA required for all accounts
  • Secure Password Storage: Passwords hashed with bcrypt (cost factor 12)
  • Brute Force Protection: Account lockout after repeated failed login attempts
  • Device Trust: Trusted device management with fingerprinting
  • Session Security: HttpOnly cookies with CSRF protection

Infrastructure Security

  • TLS Everywhere: All connections encrypted with TLS 1.3
  • Rate Limiting: Protection against abuse and DDoS
  • Input Validation: Strict validation using Zod schemas
  • Request Size Limits: Protection against payload attacks
  • Security Headers: HSTS, CSP, X-Frame-Options, etc.

Data Protection

  • Dual Database Architecture: Separation of platform and vault data
  • Encrypted Backups: All backups are encrypted at rest
  • Audit Logging: Comprehensive logging of security events
  • Data Residency: Options for data location requirements

Vulnerability Disclosure

We welcome responsible security research. If you discover a vulnerability, please follow the process below.

How to Report

  • Email: security@timos.app
  • Please include detailed steps to reproduce the issue
  • Allow us reasonable time to respond and fix the issue
  • Do not publicly disclose until we've addressed it

What We Promise

  • Acknowledge receipt within 48 hours
  • Provide regular updates on our progress
  • Credit you in our security acknowledgments (if desired)
  • Not take legal action against good-faith researchers

Scope

In-scope:

  • timos.app and all subdomains
  • TimOS API endpoints
  • Mobile applications

Out of scope:

  • Social engineering attacks
  • Physical attacks on our infrastructure
  • Denial of service attacks
  • Third-party services we use

Compliance

TimOS is designed to support compliance with:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • SOC 2 Type II (in progress)
  • HIPAA (for healthcare customers with BAA)

Contact

For security-related inquiries: security@timos.app