Security

Last updated: 2026-03-06. This page describes OZmate's security practices.

Version: 2.0. Updated: 2026-03-06.

1. Encryption in Transit

All client-server communications are encrypted using TLS (Transport Layer Security). Our canonical URL is https://ozmate.app, and we operate exclusively over HTTPS. Plaintext communication is not permitted.

2. Authentication and Access Control

  • Firebase Authentication: Email/password authentication with server-side password hashing.
  • Two-Factor Authentication (2FA): TOTP authenticator apps and SMS verification are supported.
  • Firestore Security Rules: Database access is controlled by server-side rules that enforce per-resource authorization for each authenticated user.
  • Administrative access: Access to user data is restricted to authorized personnel only.

3. App Integrity Verification

Firebase App Check is enabled to verify that requests to our servers originate from authentic OZmate app instances, mitigating requests from unauthorized clients.

4. Data Protection

  • Passwords are stored as cryptographic hashes. Plaintext passwords are never stored.
  • Firebase infrastructure provides encryption at rest.
  • Data retention periods are managed as described in our Privacy Policy.
  • Account deletion follows the data removal procedures in our Privacy Policy.

5. Link Integrity

Universal Links are verified through continuous validation of the Apple App Site Association (AASA) file. Only approved navigation paths are treated as official links, which prevents unauthorized deep link transitions.

6. Incident Response

In the event of a security incident, we promptly assess the scope of impact and implement necessary countermeasures. Affected users are notified in accordance with applicable law.

7. Vulnerability Reporting

If you discover a security vulnerability or concern, please report it with reproducible steps to:

support@rootpilotai.com

We will investigate and respond promptly. We appreciate responsible disclosure from the security community.