Security
Last updated: May 6, 2026
1. Our Commitment to Security
At Kounisou, we take security seriously. We handle sensitive health data and personal information, and we're committed to protecting it with industry-leading security practices.
This page outlines our security measures and how to report security vulnerabilities.
2. Encryption
2.1 Data in Transit
- All data transmitted between your device and our servers is encrypted using TLS 1.3
- We enforce HTTPS for all web traffic and reject insecure connections
- Mobile apps use certificate pinning to prevent man-in-the-middle attacks
2.2 Data at Rest
- All database data is encrypted at rest using AES-256
- File storage uses server-side encryption
- Backups are encrypted before being written to storage
- Encryption keys are managed separately from encrypted data
3. Authentication & Access Control
3.1 User Authentication
- Passwords are stored only as bcrypt hashes computed with a high work factor (cost); the plaintext is never persisted
- We enforce minimum password strength requirements
- Multi-factor authentication (MFA) via TOTP authenticator app is available for all accounts — enable it in Settings → Security
- Session tokens expire after a period of inactivity
- Password reset links are single-use and expire after 1 hour
3.2 Authorization
- Row-level security (RLS) is enforced on all database tables
- Users can only access data they own or have been explicitly granted access to
- API endpoints validate user permissions before processing requests
- Role-based access control (RBAC) for team accounts
3.3 API Security
- API keys are hashed before storage, so a database compromise does not yield keys that can be presented as credentials
- Rate limiting on all API endpoints
- API requests require authentication via bearer tokens
- Input validation and sanitization on all user-provided data
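The two controls above that are easiest to get subtly wrong are hashed API keys (3.3) and single-use, time-limited password-reset links (3.1). The following is an added illustration of both, written for this page; it is not Kounisou's code. The in-memory dicts stand in for database tables, and every function and constant name is an assumption. A fast hash is deliberately used for keys and reset tokens because they are long random values (brute force is infeasible), whereas passwords get bcrypt as stated above.

```python
"""Added example: hashed API keys with constant-time verification, and
single-use password-reset tokens that expire after one hour.
Not Kounisou's code; table names, function names and the storage model are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

RESET_TOKEN_TTL = 3600  # seconds; matches the one-hour expiry stated on the page

# Stand-ins for database tables (constructed for this example).
API_KEYS: dict[str, str] = {}        # key_id -> sha256 hex digest of the secret part
RESET_TOKENS: dict[str, dict] = {}   # sha256(token) -> {"user", "expires", "used"}


def _hash(secret: str) -> str:
    # SHA-256 is appropriate for high-entropy random secrets; passwords are
    # the exception and get a slow KDF (bcrypt) instead.
    return hashlib.sha256(secret.encode()).hexdigest()


def create_api_key() -> tuple[str, str]:
    """Return (key_id, full key). Only the hash of the secret part is stored,
    so a leaked table contains nothing usable as a credential."""
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    API_KEYS[key_id] = _hash(secret)
    return key_id, f"{key_id}.{secret}"


def verify_api_key(presented: str) -> bool:
    """Split 'key_id.secret', look up by key_id, compare hashes in constant time."""
    key_id, _, secret = presented.partition(".")
    stored = API_KEYS.get(key_id)
    if stored is None:
        # Do a comparison anyway so an unknown id costs the same as a wrong secret.
        hmac.compare_digest(_hash(secret), _hash("no-such-key"))
        return False
    return hmac.compare_digest(stored, _hash(secret))


def issue_reset_token(user: str, now: float | None = None) -> str:
    """Issue a reset token. The caller e-mails it; the server keeps only its hash,
    so someone who can read the table still cannot use the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash(token)] = {
        "user": user,
        "expires": now + RESET_TOKEN_TTL,
        "used": False,
    }
    return token


def redeem_reset_token(token: str, now: float | None = None) -> str | None:
    """Return the owning user if the token is known, unexpired and unused,
    and consume it; otherwise return None."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_hash(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True  # single use: a second redemption of the same link fails
    return record["user"]


if __name__ == "__main__":
    _, full_key = create_api_key()
    print("valid key accepted:", verify_api_key(full_key))
    print("tampered key accepted:", verify_api_key(full_key + "x"))
    tok = issue_reset_token("alice", now=1000.0)
    print("first redemption:", redeem_reset_token(tok, now=1000.0 + 60))
    print("second redemption:", redeem_reset_token(tok, now=1000.0 + 61))
```

The `now` parameter exists only so that expiry can be exercised deterministically; in production the functions would read the clock themselves. Note that the key id is sent in the clear alongside the secret so the lookup can be indexed; only the secret part must be protected, and it is never written to storage.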
4. Infrastructure Security
4.1 Network Security
- Web Application Firewall (WAF) protects against common attacks
- DDoS protection at the network edge
- Intrusion detection and prevention systems
- Database access restricted to application servers only (no public access)
4.2 Application Security
- Content Security Policy (CSP) headers to limit the impact of any XSS flaw
- CSRF protection on all state-changing operations
- SQL injection prevention via parameterized queries
- Secure headers (HSTS, X-Frame-Options, X-Content-Type-Options)
- Input validation using schema validation libraries
4.3 Monitoring & Logging
- Real-time error tracking and performance monitoring
- Security event logging (failed login attempts, permission violations)
- Automated alerts for suspicious activity
- Logs are retained for security analysis but anonymized where possible
5. Data Protection
5.1 Privacy by Design
- Minimal data collection — we only collect what's necessary
- Data anonymization for analytics and aggregated statistics
- Automatic data deletion after account termination (30-day grace period)
- GDPR and CCPA compliance built into our data handling processes
5.2 Third-Party Security
- All third-party services are vetted for security and compliance
- Data Processing Agreements (DPAs) with all service providers
- We do not share data with advertising networks or data brokers
- Payment processing is handled by PCI-DSS compliant providers (we never see card numbers)
6. Incident Response
In the event of a security incident:
- We have an incident response plan to contain, investigate, and remediate the issue
- Affected users will be notified within 72 hours of our becoming aware of the incident (GDPR requires notifying the supervisory authority within 72 hours and affected individuals without undue delay; we apply the 72-hour window to both)
- We will transparently communicate what happened, what data was affected, and what we're doing to prevent recurrence
- Regulatory authorities will be notified as required by law
7. Responsible Disclosure Program
We welcome security researchers to help us improve our security. If you discover a security vulnerability, please report it responsibly.
7.1 How to Report
- Email: security@kounisou.com
- Include detailed steps to reproduce the vulnerability
- Provide your name/handle if you'd like to be credited (optional)
7.2 What to Expect
- We will acknowledge your report within 48 hours
- We will investigate and provide updates on our progress
- We will credit you in our security acknowledgments (if you wish)
- We will not take legal action against researchers who follow responsible disclosure
7.3 Scope
In-scope vulnerabilities:
- Authentication bypass or privilege escalation
- Data leakage or unauthorized access
- Injection vulnerabilities (SQL, XSS, command injection, etc.)
- CSRF, SSRF, or insecure direct object references (IDOR)
- Cryptographic weaknesses
- Remote code execution
Out-of-scope:
- Social engineering, phishing, or physical attacks, whether against our staff or our users
- Denial of service (DoS/DDoS)
- Spam
- Issues in third-party services (report to the service provider)
- Issues requiring unlikely user interaction or configuration
7.4 Rules of Engagement
- Do not access, modify, or delete data belonging to other users
- Do not disrupt our service or perform actions that could harm users
- Do not publicly disclose the vulnerability until we've had time to fix it
- Use a test account or your own account for testing
- Report the vulnerability as soon as possible after discovery
8. Security.txt
We publish a machine-readable security.txt file (RFC 9116) at /.well-known/security.txt so that researchers and scanning tools can discover our reporting channel and disclosure policy.
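For reference, this is what a minimal RFC 9116 security.txt looks like; it is an added illustration, not the file actually served by Kounisou. The contact address is taken from this page; the domain, the Canonical and Policy URLs and the expiry date are assumptions. RFC 9116 requires the Contact and Expires fields, requires Expires to be less than a year in the future, and expects the file to be served over HTTPS.

```text
Contact: mailto:security@kounisou.com
Expires: 2027-05-06T00:00:00.000Z
Preferred-Languages: en
Canonical: https://kounisou.com/.well-known/security.txt
Policy: https://kounisou.com/security
```

A practitioner checking a site's file should confirm that Expires has not passed (an expired file is treated as absent) and that Canonical matches the URL it was fetched from; a file can additionally be signed with OpenPGP, in which case the signature is verified before the fields are trusted.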
9. Security Updates
- We regularly update our dependencies to patch known vulnerabilities
- Automated vulnerability scanning runs on every code change
- Critical security patches are deployed within 24 hours of a fix becoming available
- We subscribe to security advisories for all technologies we use
10. Contact
For security-related inquiries:
- Security Team: security@kounisou.com
- General Support: support@kounisou.com
Security is a continuous process. We're committed to staying ahead of threats and protecting your data. If you have suggestions for improving our security, we'd love to hear from you.