Security
Architecture choices that reduce risk
- No bank credentials, ever. DuelyNoted has no bank-linking capability, so there are no bank passwords or transaction feeds to protect.
- Manual data only. You choose what to enter; nothing is scraped or imported.
- Minimal permissions. The app requests notification permission only — no location, contacts, camera or microphone.
Technical measures
- All traffic between the app and our backend is encrypted with TLS (HTTPS only)
- Data is stored encrypted at rest on Supabase (AWS, EU-Ireland)
- Row-level security on every table: each database query is scoped to the signed-in user by the database itself, not just by app code
- Your session on the device is AES-256 encrypted, with the key held in the platform keychain/keystore
- Passwords are hashed by Supabase Auth (bcrypt); we never see or store plain-text passwords
- Account deletion runs through a protected server-side function that verifies your identity token before erasing data
- Administrative roles are enforced server-side in the database, never by the app UI alone
Reporting a vulnerability
If you believe you have found a security issue, email privacy@duelynoted.app with "SECURITY" in the subject. Please give us reasonable time to investigate and fix before public disclosure. We take every report seriously and will respond within 2 business days.
No system can be guaranteed 100% secure, but we design so that the impact of any single failure stays small — and so that the most sensitive categories of financial data simply never enter the system.