Security
How we protect your data — and how to report a vulnerability if you find one.
The practices below describe our intended baseline and will evolve as we build. Confirm specifics before relying on them.
Our approach
Security and privacy are design defaults, not add-ons. We aim to collect the minimum data, process on your device wherever feasible, and rigorously protect whatever we do hold.
Data protection
- Encryption in transit (TLS) and at rest.
- Least-privilege access to systems and data, with access logged.
- Secrets are kept out of source code and application logs.
Infrastructure
We build on reputable cloud providers, keep dependencies patched, and prefer a small, auditable surface over sprawling third-party integrations.
How this website is built
This site ships with a strict Content-Security-Policy, no third-party scripts or trackers, and modern security headers (such as X-Content-Type-Options: nosniff). It sets no tracking cookies.
Responsible disclosure
Found a vulnerability? We'd genuinely like to hear from you. Email security@riverbold.co with details and steps to reproduce.
- Please give us a reasonable opportunity to fix the issue before any public disclosure.
- We won't pursue legal action against good-faith research that respects user privacy and avoids service disruption.
- We aim to acknowledge reports within 3 business days.
A machine-readable contact is published at /.well-known/security.txt.
Compliance
We're building toward recognized standards (such as SOC 2) as we grow, and will update this page as we formalize them.
Contact
Security questions or reports: security@riverbold.co.