Security
Security is foundational to CRRNCY Beauty. We've built multiple layers of protection to keep your wellness data safe and private.
On-device facial analysis - your photos never leave your phone
AES-256 encryption for all data at rest
TLS 1.3 encryption for all data in transit
SOC 2 Type II compliant infrastructure
How We Protect Your Data
Data Encryption
Your data is protected with industry-leading encryption standards.
In Transit
All data transmitted between your device and our servers is encrypted using TLS 1.3, the current version of the Transport Layer Security protocol.
At Rest
Data stored on our servers is encrypted using AES-256 encryption. Database fields containing sensitive information have additional application-level encryption.
Key Management
Encryption keys are managed using industry-standard key management systems with regular rotation and strict access controls.
On-Device Processing
Your most sensitive data never leaves your device.
Facial Analysis
Glow Scans use on-device machine learning models to analyze your skin. Your photos and videos are processed entirely on your device and are never uploaded to our servers.
Vital Signs Measurement
Heart rate, HRV, respiratory rate, and SpO2 measurements are calculated locally using your device's camera. Only the numerical results are transmitted, never the video.
Biometric Data
We do not collect, store, or process biometric identifiers or facial recognition data. Your face is analyzed for skin metrics only, and this analysis happens entirely on your device.
Authentication & Access
Secure authentication powered by Clerk.
Multi-Factor Authentication
We support multi-factor authentication (MFA) for additional account security. Enable MFA in your account settings for enhanced protection.
Session Management
Sessions are securely managed with automatic expiration. You can view and revoke active sessions from your account settings.
Social Sign-In
Sign in securely with Google or Apple. We use OAuth 2.0 and never have access to your social account passwords.
Infrastructure Security
Enterprise-grade infrastructure with multiple layers of protection.
Cloud Infrastructure
Our services are hosted on Vercel and AWS, which maintain SOC 2 Type II, ISO 27001, and other security certifications.
Network Security
We use Cloudflare for DDoS protection, WAF (Web Application Firewall), and bot mitigation. All traffic is monitored for suspicious activity.
Database Security
Databases are isolated in private networks, accessible only through secure internal connections. Regular automated backups ensure data durability.
Application Security
Security is built into every layer of our application.
Secure Development
We follow secure coding practices and conduct regular code reviews. Dependencies are automatically scanned for vulnerabilities.
Input Validation
All user inputs are validated and sanitized to prevent injection attacks, XSS, and other common vulnerabilities.
API Security
Our APIs use authentication tokens, rate limiting, and input validation. All API endpoints are protected against common attack vectors.
Access Controls
Strict controls on who can access your data.
Principle of Least Privilege
Employees only have access to the data and systems necessary for their role. Access is regularly reviewed and revoked when no longer needed.
Audit Logging
All access to user data is logged and monitored. Logs are retained for security analysis and compliance purposes.
Background Checks
Employees with access to sensitive systems undergo background checks and security training.
Compliance
| Standard | Description | Status |
|---|---|---|
| GDPR | General Data Protection Regulation (EU) | Compliant |
| CCPA | California Consumer Privacy Act | Compliant |
| SOC 2 Type II | Service Organization Control (via infrastructure providers) | Compliant |
| HIPAA | Health Insurance Portability and Accountability Act | Not Applicable* |
*CRRNCY Beauty is a wellness application, not a medical device, and does not process protected health information (PHI) as defined by HIPAA.
Responsible Disclosure
We take security vulnerabilities seriously. If you believe you've found a security issue in CRRNCY Beauty, we encourage you to report it responsibly.
In Scope
- crrncybeauty.com and all subdomains
- CRRNCY Beauty iOS and Android applications
- API endpoints (api.crrncybeauty.com)
- Authentication and authorization issues
- Data exposure vulnerabilities
- Cross-site scripting (XSS)
- SQL injection
- Remote code execution
- Server-side request forgery (SSRF)
Out of Scope
- Social engineering attacks
- Physical attacks against our offices or data centers
- Denial of service attacks
- Spam or social media impersonation
- Rate limiting bypass without security impact
- Missing security headers without demonstrable impact
- SPF, DKIM, DMARC configuration issues
- Clickjacking without sensitive action
- Self-XSS
- Third-party services we don't control
Reporting Guidelines
1. Report promptly: Email your findings to security@crrncybeauty.com
2. Provide details: Include steps to reproduce, potential impact, and any proof-of-concept code
3. Allow time: Give us reasonable time to investigate and fix the issue before public disclosure
4. Act in good faith: Don't access, modify, or delete data belonging to other users
What to Expect
- Acknowledgment within 3 business days
- Regular updates on our investigation
- Credit in our security acknowledgments (if desired)
- We do not currently offer a bug bounty program
Your Security Controls
Enable MFA
Add an extra layer of security to your account with multi-factor authentication.
Review Sessions
Check active sessions and sign out from devices you don't recognize.
Update Regularly
Keep your app updated to receive the latest security patches and improvements.
Strong Password
Use a unique, strong password for your CRRNCY Beauty account.
Security Questions or Concerns?
Our security team is here to help with any questions about how we protect your data.
security@crrncybeauty.com