Security at LockedIn
Last updated: February 18, 2026
Your Security, Our Priority
At LockedIn, we take the security of your personal data seriously. Your habits, journal entries, goals, and conversations are deeply personal, and we believe you deserve to know exactly how we protect them. We use multiple layers of security to safeguard your information at every step -- from the moment it leaves your device to how it is stored on our servers.
Encrypted Authentication
We use industry-standard OAuth 2.0 authentication through trusted providers like Google and Apple. This means we never store your password -- your credentials are managed entirely by your chosen provider.
- Authentication tokens are cryptographically generated 64-character random strings, making them virtually impossible to guess or forge
- On mobile devices, your authentication token is encrypted and stored in the device's secure keychain, a hardware-backed vault designed to protect sensitive credentials
- Tokens automatically expire after 90 days, limiting the window of exposure even if a token were compromised
- Expired tokens are automatically cleaned up from our servers, ensuring stale credentials are never left behind
Data Encryption
Your data is protected both in transit and at rest:
- All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security), the same standard used by banks and financial institutions
- Database connections are encrypted, ensuring your data remains secure even as it moves between internal systems
- Sensitive data is never exposed in API responses -- internal identifiers and system details are stripped before any information reaches your device
Attack Prevention
We employ several proactive measures to defend against common attack vectors:
- Rate limiting protects against brute-force attacks and abuse. General API requests are limited to 200 requests per 15 minutes, authentication endpoints to 20 per 15 minutes, and AI-powered features to 10 per minute
- Security headers (powered by Helmet) protect against cross-site scripting (XSS), clickjacking, and MIME-type sniffing
- Input validation prevents injection attacks by enforcing strict schemas and size limits on all user-submitted data
- CORS (Cross-Origin Resource Sharing) restricts API access to authorized domains only, preventing unauthorized websites from making requests on your behalf
Session and Cookie Security
Your login session is protected by multiple layers of cookie security:
- HTTP-only cookies prevent malicious scripts from accessing your session data through JavaScript
- The Secure flag ensures your cookies are only transmitted over encrypted HTTPS connections, never over unprotected channels
- SameSite protection guards against cross-site request forgery (CSRF) attacks by restricting how cookies are sent with cross-origin requests
- Sessions expire after inactivity, so if you forget to log out, your account is still protected
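As an added illustration (not LockedIn's own code), the three rate-limit tiers from the Attack Prevention section and the cookie flags from this section, in plain JavaScript; the cookie name, the SameSite=Lax choice and the in-memory counter store are assumptions rather than details from the page.

```javascript
// Added illustration, not LockedIn's own code: a per-client fixed-window rate
// limiter using the three tiers stated under "Attack Prevention", plus a session
// cookie serialized with the flags listed under "Session and Cookie Security".

// Requests allowed per window for each endpoint class (numbers from the page).
const LIMITS = {
  general: { max: 200, windowMs: 15 * 60 * 1000 }, // 200 per 15 minutes
  auth:    { max: 20,  windowMs: 15 * 60 * 1000 }, // 20 per 15 minutes
  ai:      { max: 10,  windowMs: 60 * 1000 },      // 10 per minute
};

// Counters keyed by "tier:client". In-memory here (assumption); a multi-node
// deployment would keep this in a shared store so every node enforces the same counts.
const buckets = new Map();

// Records the request if it fits in the current window. `now` is injectable
// so the window rollover can be exercised deterministically.
function checkRateLimit(tier, clientId, now = Date.now()) {
  const { max, windowMs } = LIMITS[tier];
  const key = `${tier}:${clientId}`;
  let b = buckets.get(key);
  if (!b || now - b.start >= windowMs) {
    b = { start: now, count: 0 }; // window expired: start a fresh one
    buckets.set(key, b);
  }
  if (b.count >= max) {
    return { allowed: false, remaining: 0, retryAfterMs: b.start + windowMs - now };
  }
  b.count += 1;
  return { allowed: true, remaining: max - b.count, retryAfterMs: 0 };
}

// Builds the Set-Cookie value for a session: HttpOnly blocks script access,
// Secure restricts it to HTTPS, SameSite limits cross-site sends (CSRF).
// Cookie name and SameSite=Lax are assumptions, not taken from the page.
function sessionCookie(token, maxAgeSeconds) {
  return `lockedin_session=${token}; Max-Age=${maxAgeSeconds}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Review-style check for a Set-Cookie header: true only if all three
// protections are present (SameSite must be Lax or Strict, not None).
function cookieIsHardened(setCookie) {
  const attrs = setCookie.split(";").map((a) => a.trim().toLowerCase());
  return attrs.includes("httponly") && attrs.includes("secure") &&
    attrs.some((a) => a === "samesite=lax" || a === "samesite=strict");
}
```

Each tier is counted independently per client, so exhausting the AI tier does not block a client's general requests, and the `retryAfterMs` value is what a Retry-After response header would carry.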
Privacy by Design
Security and privacy are built into the foundation of LockedIn, not added as an afterthought:
- API responses are sanitized to strip internal identifiers and system metadata before reaching your device
- Sensitive routes -- including authentication, journals, and conversations -- are excluded from request logging to protect your most private data
- Error messages never reveal internal system details, preventing potential attackers from learning about our infrastructure
- Minimal data collection -- we only store the information necessary to provide the service. We do not collect data for advertising or profiling purposes
Infrastructure Security
Our backend infrastructure is designed for reliability and security:
- Your data is stored in a PostgreSQL database hosted on professionally managed infrastructure with enterprise-grade security controls
- We perform regular security updates and monitoring to address vulnerabilities and ensure system integrity
- Expired credentials are automatically cleaned up, reducing the risk of stale tokens being exploited
- Rate-limited API endpoints prevent abuse and ensure fair access for all users
Your Role in Security
While we work hard to protect your data on our end, there are steps you can take to further strengthen the security of your account:
- Use a strong device passcode or biometric lock (fingerprint, face recognition) to protect access to your device and the LockedIn app
- Keep your operating system up to date -- security patches fix vulnerabilities that could put your data at risk
- Log out of the app on shared devices to prevent others from accessing your account
- Use a unique, strong password for your Google or Apple account, as these are the keys to your LockedIn account
Reporting Security Issues
We value the work of security researchers and the broader community in helping us maintain the safety of our platform. If you discover a potential security vulnerability, please report it to us responsibly.
Contact us at: security@locked-in.app
We will acknowledge your report promptly and work with you to understand and address the issue. We ask that you give us reasonable time to investigate and resolve the vulnerability before disclosing it publicly.