Draft template — review with counsel before launch

Security

Effective: 2026-06-01

This page describes how we protect Fizeek AI accounts, the systems that run the app, and the data you put into it.

Encryption

  • In transit: All traffic between the app, website, and our servers uses TLS 1.3 with modern cipher suites. HSTS is enabled on fizeek.ai.
  • At rest: Data is encrypted with AES-256-GCM at the storage layer. Keys are managed by our cloud provider's HSM-backed key service (AWS KMS / GCP KMS) with per-environment isolation and rotation.
  • On your device: Local app data (cached workouts, draft logs) sits inside the app's sandbox, protected by the iOS / Android keystore.

Authentication

  • Passwords are stored as bcrypt hashes (cost factor 12+), never in plaintext.
  • Multi-factor authentication (TOTP) is supported and recommended.
  • Sessions use rotating refresh tokens; you can revoke any session from Settings → Devices.
  • Suspicious sign-in attempts trigger an email and step-up verification.

Infrastructure

  • We host on a Tier-1 cloud provider in the EU (primary) and India (secondary). No application servers run outside ISO 27001-certified facilities.
  • The application runs in private VPCs. Databases are not exposed to the public internet.
  • Production access is restricted to a small, named engineering group, gated by SSO + MFA, and every access is logged.
  • We separate environments (production, staging, development) with no production data outside production.

Application security

  • Static analysis, dependency scanning, and secret detection run on every pull request.
  • We run regular third-party penetration tests before each major release, with remediation tracked to closure.
  • All third-party SDKs are reviewed before inclusion; we minimise their data access.

Data minimisation

  • We collect only what we need to operate the Service (see Privacy Policy).
  • AI providers receive the minimum context needed; identifiers are stripped where possible.
  • We use zero-retention API tiers from our AI providers where available, so prompts are not retained beyond the request lifecycle.

Breach notification

If we discover a personal-data breach that is likely to result in a risk to your rights, we will notify our supervisory authority within 72 hours and inform affected users without undue delay, as required by GDPR Articles 33–34 and equivalent laws.

Responsible disclosure

If you find a security issue, please report it to contact@wisnolect.com with a clear description and proof-of-concept. We commit to:

  • Acknowledge your report within 2 business days.
  • Triage and respond with a timeline within 7 business days.
  • Not pursue legal action against good-faith researchers who:
    • Do not access more user data than necessary to demonstrate the vulnerability.
    • Do not degrade the service or affect other users.
    • Give us a reasonable window to fix before public disclosure.

Hall-of-fame credits on request.

Backups and continuity

  • Encrypted, point-in-time backups every 24 hours with a retention of 30 days.
  • Regularly tested restore procedures.
  • Disaster-recovery plan with documented RPO ≤ 24h and RTO ≤ 8h.

Updates

We update this page when our practices change. When we do, the Effective date above changes as well.

Contact

  • Security disclosures: contact@wisnolect.com
  • General security questions: contact@wisnolect.com
© 2026 Fizeek AI · By Greek · All rights reserved