Connex

Security

Last updated: April 4, 2026

This Security Policy describes the controls Connex has in place to protect your data and maintain the integrity of the service.

1. Encryption

Data at Rest

Your most sensitive personal information — phone number and email address — is encrypted at rest using industry-standard authenticated encryption before being written to our database. Encryption keys are never stored in source code; they are managed as environment secrets on our infrastructure.

Authentication tokens are stored only as one-way cryptographic hashes. If our database were ever compromised, raw tokens would remain unknown and unusable to an attacker.

Data in Transit

All communication between your device and Connex servers is protected by HTTPS/TLS. Data in transit is never sent over unencrypted connections.

2. Authentication

Connex uses one-time passwords (OTP) for all authentication — there are no account passwords to steal or forget. OTPs are:

  • Delivered via SMS or email
  • Short-lived and expire automatically
  • Invalidated immediately after a small number of incorrect attempts
  • Never stored in plaintext and never written to logs

Repeated failed attempts trigger an automatic account lockout that prevents further login attempts for a period of time.

3. Rate Limiting and Abuse Prevention

We enforce rate limits across all sensitive operations — including OTP delivery, profile lookups, and connection requests — to protect against brute-force attacks, enumeration, and abuse. Limits are applied per user, per device, and per IP address.

4. Session Security

  • Every login session is tied to a specific device and records an approximate location for your awareness
  • You can view all active sessions from your profile and revoke any or all sessions at any time
  • Logging out immediately invalidates your session — there is no delay or grace period before the session becomes inactive
  • Session tokens rotate automatically and are single-use; reuse of an old token is rejected

5. Audit Logging

All sensitive account actions — including logins, logouts, contact changes, and account deletion — are recorded in a tamper-evident, append-only audit log. The integrity of the log is protected by cryptographic chaining; any modification to past records is detectable. Audit logs are never deleted.

6. Privacy of Your Data in Logs

Our application logs are designed to never capture personal information. Known sensitive fields — including phone numbers, email addresses, OTPs, and tokens — are automatically redacted before any log is written to storage.

7. Account Deletion

  • Soft delete: Your account is hidden and disabled for 7 days, during which you can restore it yourself. After 7 days, personal data is permanently purged by an automated process.
  • Hard delete: Immediately and permanently wipes your personal data, uploaded files, and active sessions. This cannot be undone.
  • After deletion, your ConnexCode is reserved for a period of time to prevent it from being claimed by someone else before your contacts are aware.

8. Third-Party Services

We use a small number of trusted third-party services to operate Connex (SMS delivery, email, payments, file storage, push notifications). All integrations:

  • Use encrypted connections
  • Are granted only the minimum permissions necessary
  • Use credentials stored securely and never committed to source code

We do not sell your data to any third party. See our Privacy Policy for the full list of services and what data they receive.

9. Infrastructure

All databases, caches, and internal services operate within a private network and are not directly accessible from the public internet. File storage is private by default — uploaded files are never accessible via direct public URLs.

10. Vulnerability Disclosure

If you discover a security vulnerability in Connex, please report it to us responsibly before any public disclosure. We will investigate all reports promptly.

Please include a description of the issue, steps to reproduce, and the potential impact. We will acknowledge your report within 48 hours and keep you informed as we investigate and remediate.

11. Security Incident Response

In the event of a confirmed breach or security incident:

  1. We will contain and assess the impact as quickly as possible
  2. Affected users will be notified within 72 hours where required by law
  3. We will disclose what data was affected, the likely cause, and the steps we have taken
  4. Affected sessions and tokens will be invalidated immediately

12. Contact

© 2026 Connex Platforms Pvt Ltd · Hyderabad, Telangana, India