Security Information

Data Encryption

All communication between our App, your device, and our servers (as well as third-party services we integrate) is secured with TLS encryption (HTTPS). This means data transmitted is encrypted in transit to prevent eavesdropping. Additionally, sensitive data stored in our database (for example, authentication tokens or any stored personal details) is encrypted at rest by our hosting providers. We enforce the use of strong encryption protocols and ciphers to protect your information during network transmission.

Account Security

We employ a passwordless authentication system using magic links sent to your email. This eliminates the need for storing passwords in our system. However, it also means that access to your email equates to access to your account. User Responsibility: Please secure your email account with a strong password and (if possible) two-factor authentication. Never share access to your email. Once logged in, the App maintains a secure session token. We implement measures to protect these tokens (they are stored securely on your device and transmitted only over encrypted connections). If you suspect any unauthorized access to your email or account, contact us immediately and we can invalidate active sessions.

Payment Security

All payment transactions are handled by our merchant of record, LemonSqueezy. We never see or store your full payment card details. LemonSqueezy is PCI-DSS compliant and routes every checkout through an encrypted payment page hosted on their infrastructure. When you enter payment information, it is transmitted directly to LemonSqueezy; they return only tokenized transaction details, order IDs, and tax information so we can activate your subscription. We send transactional emails (receipts/invoices) for your records. If LemonSqueezy flags unusual payment activity (e.g., repeated failures or suspected fraud), we coordinate with them to alert you and, if necessary, pause billing until the issue is resolved.

Infrastructure and Data Storage

Our backend infrastructure is hosted on Supabase (a secure cloud platform built on PostgreSQL) and Microsoft Azure (for the EU cloud AI services). We leverage the robust security measures provided by these platforms:

• Access Control: Our databases and servers can only be accessed by authorized personnel. We use strong authentication (secure keys and/or multi-factor authentication) for administrative access. There are strict firewall rules in place – only necessary ports are open and only to specific services.
• Isolation: Your data is stored in a dedicated database schema for our application. Supabase provides row-level security features, and we have configured appropriate rules to ensure that each user's data is isolated and accessible only to them (for instance, your account details and settings are tied to your user ID).
• Encryption at Rest: The data stored in our databases and object storage is encrypted at rest by our providers. This means that if the storage media were ever accessed without authorization, the data would not be easily readable.
• Regular Backups: Our database service performs regular backups of the data to protect against accidental loss. These backups are encrypted and stored securely. In case of any data corruption or loss, we can restore from these backups. Backup files are subject to the same access restrictions as the live database.
• Monitoring and Logging: We use monitoring tools to keep track of server performance and potential security incidents. System logs and application logs are collected (and protected) to help us detect anomalies. For example, we log administrative access attempts and critical actions on the backend. If unusual activity is detected, alerts are generated for our team to investigate promptly.

Application Security

Our application code is developed following security best practices:

• We sanitize and validate inputs to protect against common web vulnerabilities (such as SQL injection or cross-site scripting attacks).
• Authentication tokens and API keys are stored securely and never exposed on the client side beyond what is necessary. For instance, your session token is stored in a secure HTTP-only cookie or a similar protected storage mechanism, and our internal API keys for third-party services are kept on the server side.
• We implement proper error handling to ensure that internal system messages do not leak sensitive information. Error logs are kept internal.
• The App’s software dependencies are kept up-to-date to incorporate the latest security patches. We periodically audit the libraries and frameworks we use for any known vulnerabilities.
• Our team follows a "principle of least privilege": even within our systems, each component or service has only the minimum level of access required to function. For example, our analytics scripts cannot read or modify private user data; they only collect usage stats.

Third-Party Services and Security

We integrate with third-party services for AI processing (OpenAI, Microsoft Azure), payments (LemonSqueezy), analytics (Google, Meta, Microsoft), and infrastructure (Supabase, Azure). We choose these providers in part due to their strong security reputations. For each:

• OpenAI & Azure: Both have robust security/compliance programs (Azure meets standards such as ISO 27001 and SOC, and OpenAI protects API traffic in transit and at rest). For Azure Direct Model deployments we use GPT-4.1-mini and GPT-4o-mini-transcribe in EU regions so prompts and completions stay in EU datacenters; only abuse-monitoring samples may be stored temporarily in the same geography.
• LemonSqueezy: As mentioned, LemonSqueezy is PCI-DSS compliant, manages VAT collection, and provides secure hosted checkout pages. We have a data processing addendum with LemonSqueezy that incorporates EU Standard Contractual Clauses.
• Supabase: Supabase is built on top of reputable cloud providers (like AWS or GCP); it employs encryption, network security groups, and regular audits. Our Supabase instance is accessible only via secure connections with API keys known to our App.
• Analytics Providers: Google Analytics, Meta Pixel, and Microsoft Clarity are all loaded only if you consent. They primarily collect interaction data and are sandboxed to prevent them from accessing any sensitive info from our App. We also use their latest versions which comply with browser security (for instance, they operate in their own domain context).
• We maintain contracts or terms with each provider that stipulate confidentiality and data security requirements. Where applicable, we've reviewed their compliance certifications (for example, Google and Microsoft’s ISO and SOC reports, OpenAI’s security info, etc.).

User Responsibility and Best Practices

While we are committed to securing our systems, the security of the experience also depends on you:

• Use a strong, unique password for your email account associated with the App.
• Do not share the magic login links. They provide direct access to your account. If you receive an email login link that you did not request, do not click it – it could indicate someone accidentally tried to log in with your email; in such a case, you can ignore it, and it will expire.
• Keep your devices secure. Use up-to-date anti-malware software and avoid using the App on devices you suspect are compromised.
• Be mindful of phishing: We will never ask you for your password (since you have none for our App) or credit card information via unsolicited emails. Always ensure that any login link or payment page is legitimate (for payments, we redirect to LemonSqueezy’s secure checkout or use their hosted widgets).
• Log out of the App if you are on a shared or public computer once you finish your session. Although our sessions expire automatically after a period, it’s safest to manually log out if others could access the device.

Incident Response

Despite preventative measures, security incidents can potentially occur (such as a new exploit that affects one of our components, or an account being compromised). We have an incident response plan:

• We monitor for alerts (e.g., unusual server activity, multiple failed logins, etc.).
• If a breach or incident is suspected or confirmed, we will:
  • Immediately work to contain and mitigate it (for example, by patching software, resetting tokens, or temporarily suspending service if needed to prevent further damage).
  • Investigate the scope and root cause of the incident using our logs and forensic techniques.
  • Inform users and authorities as required by law. If your data is affected by a serious breach, we will notify you in a timely manner and provide information on what happened and what steps to take.
  • Improve our systems to prevent future incidents (e.g., by applying additional safeguards learned from the incident).

We also welcome security feedback. If you discover a vulnerability or have security concerns, please reach out to us at info@dictata.com. We appreciate the help of users and security researchers in keeping our App safe, and we'll respond promptly to such reports.

Compliance and Certifications

We strive to comply with applicable security and privacy regulations:

• We follow GDPR guidelines for data protection (as detailed in our Privacy Policy).
• Although not formally certified, our practices align with common standards for software security. Our cloud providers (Azure, etc.) maintain certifications like ISO 27001, SOC 2, and more. By building on their platforms, we inherit some of these security controls.
• We regularly review our policies and procedures to ensure compliance with any new laws (for instance, the upcoming EU AI Act, if applicable, and updated data protection laws).

Conclusion

Your data’s security is a top priority for us. We are continuously working to maintain and improve the security of our App. We encourage you to review our Privacy Policy and this Security Information page to be aware of how your data is handled and protected.

If you have any further questions about our security measures, feel free to contact us at info@dictata.com. Stay safe!