Trust & Transparency

Trust Center

We back our security claims with verifiable resources, not badges. This page gathers our policies, live system status, technical architecture, and the service providers we work with in one place — and states plainly what we do not yet have.

Our security practices

  • Messaging is end-to-end encrypted on both supported paths: internet messages travel as encrypted envelopes the server cannot read, and Bluetooth messages go directly device to device.
  • In ordinary civilian nearby messaging, message history is not mirrored to a central server; data primarily stays on your device.
  • The mobile client's source code is public under the AGPL-3.0 license; encryption claims can be reviewed independently.
  • An RFC 9116 security.txt record and a published vulnerability disclosure policy give researchers a defined reporting path.
  • System health is published on a live status page fed by public endpoints.
  • There are no ads, no tracking-based revenue model, and no selling of data.

Service providers and hosting

We work with the following third-party service providers (subprocessors) to deliver the service. End-to-end encrypted content cannot be read by these providers; this page is updated when the list changes.

ProviderPurposeLocation
Google Firebase (Google LLC)Authentication, database, storage, cloud functions, notifications, website hosting, analytics, and crash reportingUSA (us-central1)
Cloudflare, Inc.TURN media relay for internet callsGlobal anycast network (US-based)
MapTiler AGMap tile deliverySwitzerland (global CDN)
CARTOBase map tiles for the web dashboard mapsGlobal CDN
Google Play · Apple App StoreApp distribution and updatesGlobal

What we don't have yet

We won't claim what we don't have. As of today:

  • We have not yet published an independent security audit or penetration-test report; it is the top trust investment on our roadmap.
  • We hold no ISO 27001 or SOC 2 certification.
  • We do not run a paid bug bounty program; the responsible disclosure process is defined on the security page.

This page makes no new claims; it only gathers existing, verifiable resources in one place.

Trust Center | Crisis Connect