Security and Compliance
Effective March 31, 2026
This document outlines our commitment to safeguarding the security and privacy of the data you entrust to us. Here, you will find detailed information about how we host and manage our services, our compliance with international security standards, our data protection practices, and the measures we take to ensure the integrity and availability of our systems.
Hosting
Our application components are hosted across multiple services:
- Cloudflare: Serves static assets and client-side code via Cloudflare Workers. Also provides DNS, DDoS protection, and load balancing across our server fleet.
- Firebase: Manages user authentication and backend functionalities.
- Hetzner: Provides dedicated server infrastructure across multiple global locations.
- MongoDB Atlas: Stores application data on clusters, hosted on Google Cloud Platform.
Server Locations
Our backend servers are distributed across four locations on three continents, with traffic routed through Cloudflare’s global load balancer for low-latency connections:
- Falkenstein, Germany (EU)
- Helsinki, Finland (EU)
- Ashburn, Virginia, USA (US)
- Singapore (APAC)
Authentication
Users can access our Services using either Email/Password authentication or Google OAuth 2.0. Currently, we do not support Two-Factor Authentication.
Session Management
Session tokens are automatically renewed unless explicitly revoked by the user. We implement an invalid password lockout policy to enhance security.
Compliance Certifications
Our servers and infrastructure providers are compliant with major security standards:
- Cloudflare: SOC 2 Type 2 and ISO 27001 certified. More Info
- Hetzner: ISO 27001 certified. More Info
- Firebase: ISO 27001, SOC 1, SOC 2, and SOC 3 compliant. More Info
- MongoDB Atlas: SOC 2 Type 2 and ISO 27001 certified. More Info
Data Storage
Data related to rooms (titles, customization, timers, messages, logs) is stored on MongoDB Atlas clusters located in South Carolina (us-east1), with backups retained for three months. Images (custom logos, backgrounds, etc.) are stored in a Google Cloud Platform storage bucket under an “EU (multiple regions in European Union)” policy.
Retention Policy
- Active data: Retained for as long as the associated account or room exists.
- Data you delete: Content you delete (rooms, timers, messages, etc.) is soft-deleted and recoverable for 30 days, after which it is permanently removed from our databases.
- Deleted or removed accounts: When an account is deleted, all data connected to it (and the content within it) is removed from our databases within 30 days. Any remaining copies are cleared from our backups within three months.
- Backups: Snapshots are taken hourly, weekly, and monthly, and are deleted after three months (see Backup and Recovery for the full schedule).
- Third-party providers: Providers we rely on (e.g. for backups) may retain data slightly longer for a reasonable period.
Security Practices
- Desktop App: Available for Mac and Windows, it operates solely on the local file system without cloud interaction. It periodically checks for updates via HTTP requests, but blocking these requests does not affect app functionality.
Backup and Recovery
Our data recovery strategy includes:
- Hourly Snapshots: Taken every 6 hours with a retention period of 7 days.
- Weekly Snapshots: Taken every Saturday with a retention period of 4 weeks.
- Monthly Snapshots: Taken on the last day of each month with a retention period of 3 months.
System Integrity and Redundancy
- Testing: We perform automated tests prior to any system update to ensure the integrity of critical functions.
- Redundancy: Critical systems maintain at least triple redundancy to guarantee high availability. Our system’s reliability can be monitored on our status page.
Security Measures
- Data Encryption: All data in transit is encrypted using SSL. However, data stored on our systems is not encrypted at rest but is safeguarded through strong authentication and security protocols.
- Third-Party Access: Access to live user data is strictly limited to authorized staff. Confidentiality agreements are in place with contractors and business associates, and where feasible, they work on test or anonymized data to prevent unauthorized access to sensitive information.
For more details on which third-party services we use that may receive personal information, please refer to our Privacy Policy.