Effective 25 April 2026
Security is foundational to the Taiao Ora platform. This page summarises the controls we apply and how to report concerns.
1. Data in transit & at rest
All traffic to the Service is encrypted in transit with TLS. Data held in our managed database and storage layers is encrypted at rest by our cloud providers using industry-standard ciphers.
2. Authentication
Accounts are protected by email-based authentication. Passwords are never stored in plaintext; our identity provider hashes them before storage. Sessions are managed with secure, short-lived tokens.
3. Access control & multi-tenancy
Customer data is isolated per account. Database access is governed by row-level security policies, so a user can only read or write rows scoped to their own account. Administrative access by our team is limited to the minimum required and is logged.
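The row-level security model described above, shown as an added Postgres example; this is illustrative and is not the Taiao Ora schema. It assumes a hypothetical table `sites` with an `account_id` column, an application role `app_user` that the API connects as, and a request-scoped setting `app.account_id` that the API sets from the verified session before running any query. It also shows the two settings a reviewer would check: RLS that is enabled but not forced (the table owner bypasses every policy), and write policies without a WITH CHECK clause (a user could move their own row into another account).

```sql
-- Added illustration of per-account row-level security (not the platform's own schema).
-- Assumed names: table "sites", role "app_user", session setting "app.account_id".

create role app_user nologin;

create table sites (
  id          bigserial primary key,
  account_id  uuid not null,
  name        text not null
);

-- Read the caller's account from the request-scoped setting. missing_ok = true
-- returns NULL instead of erroring when the setting is unset, so a connection
-- that never authenticated matches no rows at all.
create or replace function current_account_id() returns uuid
language sql stable as $$
  select nullif(current_setting('app.account_id', true), '')::uuid
$$;

-- Weak setting: RLS enabled only. The table owner (and superusers) bypass all
-- policies, so an API that connects as the owner would see every account's rows.
alter table sites enable row level security;

-- Corrected setting: force RLS so the owner is subject to the policies too.
alter table sites force row level security;

-- Reads: only rows belonging to the caller's account.
create policy sites_select on sites
  for select
  using (account_id = current_account_id());

-- Writes: USING limits which existing rows may be touched; WITH CHECK rejects
-- any insert or update whose resulting row would belong to another account.
create policy sites_insert on sites
  for insert
  with check (account_id = current_account_id());

create policy sites_update on sites
  for update
  using (account_id = current_account_id())
  with check (account_id = current_account_id());

create policy sites_delete on sites
  for delete
  using (account_id = current_account_id());

-- The API role gets DML rights; the policies, not the grants, narrow it to
-- the caller's own rows.
grant select, insert, update, delete on sites to app_user;
grant usage on sequence sites_id_seq to app_user;

-- Check, run as the API role. set_config(..., true) scopes the setting to the
-- current transaction so it cannot leak into a pooled connection's next request;
-- that is also why the check must run inside an explicit transaction.
begin;
set role app_user;
select set_config('app.account_id', '00000000-0000-0000-0000-000000000001', true);
-- allowed: row lands in the caller's own account
insert into sites (account_id, name) values ('00000000-0000-0000-0000-000000000001', 'Site A');
-- rejected by the WITH CHECK clause: "new row violates row-level security policy"
insert into sites (account_id, name) values ('00000000-0000-0000-0000-000000000002', 'Site B');
rollback;
```

Two things to confirm in a real deployment: that the API never connects as the table owner or a superuser (FORCE covers the owner, but nothing covers a superuser), and that every table holding customer data carries the same policy set, since a single table without RLS is a full cross-account read.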
4. Payments
Payments are processed by a PCI-DSS compliant provider. Card details are entered directly into the provider’s hosted, secure form elements, so raw card numbers never reach our servers: we do not see, store, or transmit them.
5. Infrastructure
The Service runs on managed cloud infrastructure with automated backups, monitoring, and DDoS protection. Edge functions run in sandboxed environments and follow least-privilege principles.
6. Secure development
We use code review, dependency scanning, and automated tests. Secrets are held in a managed secret store and are never committed to source control.
7. Incident response
If a security incident affects your data, we will investigate and contain it, and notify affected customers (and regulators, where required) within the timeframes set by applicable law.
8. Your responsibilities
- Use a strong, unique password and keep it private;
- Sign out of shared devices;
- Notify us promptly if you suspect unauthorised account access.
9. Reporting a vulnerability
We welcome responsible disclosure. If you believe you have found a security issue, please report it to mahi@coruscant.ch with steps to reproduce. Please do not publish the issue until we have had a reasonable opportunity to investigate and respond. We will not pursue legal action against good-faith security researchers who act in line with this policy.