Security

How we protect your data and how to report vulnerabilities.

Our Security Practices

Security is fundamental to Aiffinity. We implement multiple layers of protection to keep your data safe:

• End-to-end encryption — all user-to-user messages are encrypted so that only the sender and recipient(s) can read them. We cannot access message content at any point.
• Encryption at rest — all stored data is encrypted using AES-256. Personally identifiable information (PII) is encrypted with dedicated per-field encryption keys managed through AWS Key Management Service (KMS).
• Encryption in transit — all network communications use TLS 1.2 or higher.
• Infrastructure isolation — our services run on isolated infrastructure in the AWS EU-West-1 (Ireland) region with strict network policies and access controls.
• Least privilege access — internal access to systems and data follows the principle of least privilege. All administrative access requires multi-factor authentication.
• Key rotation — encryption keys are rotated automatically every 90 days.

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in Aiffinity, we ask that you disclose it to us responsibly so we can address it before it is publicly disclosed.

How to Report

Please report security vulnerabilities by email to:

security@aiffinity.me

Include the following information in your report:

• A description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Any proof-of-concept code, screenshots, or logs that help demonstrate the issue
• Your name and contact information (optional, but helpful for follow-up)

What to Expect

• Acknowledgement — we will acknowledge receipt of your report within 2 business days.
• Assessment — we will investigate and assess the severity of the vulnerability within 5 business days.
• Updates — we will keep you informed of our progress and expected resolution timeline.
• Resolution — we aim to resolve critical vulnerabilities within 30 days of confirmation.
• Credit — with your permission, we will credit you for the discovery once the vulnerability is resolved.

Scope

The following are in scope for responsible disclosure:

• The Aiffinity mobile application (iOS and Android)
• Aiffinity API endpoints (api.aiffinity.me)
• Aiffinity WebSocket gateway (ws.aiffinity.me)
• Aiffinity websites (aiffinity.me, docs.aiffinity.me)

Out of Scope

Please do not:

• Perform denial-of-service (DoS/DDoS) attacks
• Access, modify, or delete other users' data
• Perform physical security attacks
• Use social engineering against our employees or users
• Send unsolicited messages to users as part of testing
• Publicly disclose a vulnerability before it has been resolved

Data Protection

For detailed information about how we handle your data, see our Privacy Policy. Key highlights:

• All data is stored in the EU (AWS Ireland)
• We comply with GDPR and the Swiss Federal Act on Data Protection (FADP)
• You can export or delete your data at any time
• We do not sell your data or use it for advertising

Contact

• Security issues: security@aiffinity.me
• Privacy inquiries: privacy@aiffinity.me
• Data Protection Officer: dpo@aiffinity.me

CAPX Holding
Oberallmendstrasse 18
6300 Zug
Switzerland