Security Policy

Last updated: May 27, 2026

This Security Policy describes the controls Connex has in place to protect your data and maintain the integrity of the service.

1. Encryption

Data at Rest

Your most sensitive personal information — phone number and email address — is encrypted at rest using industry-standard authenticated encryption before being written to our database. Encryption keys are never stored in source code; they are managed as environment secrets on our infrastructure.

Authentication tokens are stored only as one-way cryptographic hashes. If our database were ever compromised, raw tokens would remain unknown and unusable to an attacker.

Data in Transit

All communication between your device and Connex servers is protected by HTTPS/TLS. Data in transit is never sent over unencrypted connections.

2. Authentication

Connex uses one-time passwords (OTP) for all authentication — there are no account passwords to steal or forget. OTPs are:

• Delivered via SMS, WhatsApp, or email
• Short-lived and expire automatically
• Invalidated immediately after a small number of incorrect attempts
• Never stored in plaintext and never written to logs

Repeated failed attempts trigger an automatic account lockout that prevents further login attempts for a period of time.

3. Rate Limiting and Abuse Prevention

We enforce rate limits across all sensitive operations — including OTP delivery, profile lookups, and connection requests — to protect against brute-force attacks, enumeration, and abuse. Limits are applied per user, per device, and per IP address.

4. Session Security

• Every login session is tied to a specific device and records an approximate location for your awareness
• You can view all active sessions from your profile and revoke any or all sessions at any time
• Logging out immediately invalidates your session — there is no delay or grace period before the session becomes inactive
• Session tokens rotate automatically and are single-use; reuse of an old token is rejected

5. Audit Logging

All sensitive account actions — including logins, logouts, contact changes, and account deletion — are recorded in a tamper-evident, append-only audit log. The integrity of the log is protected by cryptographic chaining; any modification to past records is detectable. Audit logs are retained for 7 years from the date of the event and then permanently purged, unless retention is required by applicable law.

6. Privacy of Your Data in Logs

Our application logs are designed to never capture personal information. Known sensitive fields — including phone numbers, email addresses, OTPs, and tokens — are automatically redacted before any log is written to storage.

7. Account Deletion and Data Removal

• Soft delete: Your account is hidden and disabled for 7 days. During this window you can either restore your account or trigger an immediate hard delete. After 7 days, your personal data is permanently purged automatically.
• Hard delete: Immediately and permanently wipes your personal data, uploaded files, and active sessions. This cannot be undone.
• After deletion, your connexCode is reserved for 30 days to prevent it from being claimed by someone else before your contacts are aware.

To request deletion of specific data fields without deleting your account, email info@connexapp.io with subject line "Data Deletion Request".

8. Third-Party Services

We use a small number of trusted third-party services to operate Connex (SMS delivery, email, payments, file storage, push notifications). All integrations:

• Use encrypted connections
• Are granted only the minimum permissions necessary
• Use credentials stored securely and never committed to source code

We do not sell your data to any third party. See our Privacy Policy for the full list of services and what data they receive.

9. Infrastructure

All databases, caches, and internal services operate within a private network and are not directly accessible from the public internet. File storage is private by default — uploaded files are never accessible via direct public URLs. Our primary infrastructure is hosted within India (DigitalOcean, Bangalore).

10. Vulnerability Disclosure

If you discover a security vulnerability in Connex, please report it to us responsibly before any public disclosure. We will investigate all reports promptly and will not take legal action against good-faith security researchers.

Email: support@connexapp.io
Subject line: [SECURITY]

Please include a description of the issue, steps to reproduce, and the potential impact. We will acknowledge your report within 48 hours and keep you informed as we investigate and remediate.

11. Security Incident Response

In the event of a confirmed breach or security incident:

• We will contain and assess the impact as quickly as possible
• Affected users will be notified within 72 hours of our becoming aware of the breach, where required by law
• In the event of a personal data breach as defined under the DPDP Act 2023, Connex will report the breach to the Data Protection Board of India (DPBI) within 72 hours, in addition to notifying affected users
• We will disclose what data was affected, the likely cause, and the steps we have taken
• Affected sessions and tokens will be invalidated immediately

12. Contact

Security reports & privacy enquiries: support@connexapp.io
Grievance: grievance@connexapp.io
Website: https://connexapp.io