Trust Center
We back our security claims with verifiable resources, not badges. This page gathers our policies, live system status, technical architecture, and the service providers we work with in one place — and states plainly what we do not yet have.
Verification resources
To check a claim, don't read marketing copy — go to the sources below.
Vulnerability Disclosure
Scope, safe-harbor principles, and the private reporting process.
Live System Status
Current service health and 90 days of uptime history.
Technical Architecture
Encryption details, threat model, and known limits of both the offline Bluetooth path and the internet layer.
Privacy Policy
What data lives where, when it is shared, and how it is deleted.
security.txt
RFC 9116-compliant, machine-readable security contact record.
Open Source Code
The mobile client is on GitHub under AGPL-3.0; claims can be audited from the code itself.
Contact the Security Team
Direct channel for security findings: security@crisisconnect.network
Our security practices
- Messaging is end-to-end encrypted on both supported paths: internet messages travel as encrypted envelopes the server cannot read, and Bluetooth messages go directly device to device.
- In ordinary civilian nearby messaging, message history is not mirrored to a central server; data primarily stays on your device.
- The mobile client's source code is public under the AGPL-3.0 license; encryption claims can be reviewed independently.
- An RFC 9116 security.txt record and a published vulnerability disclosure policy give researchers a defined reporting path.
- System health is published on a live status page fed by public endpoints.
- There are no ads, no tracking-based revenue model, and no selling of data.
Service providers and hosting
We work with the following third-party service providers (subprocessors) to deliver the service. End-to-end encrypted content cannot be read by these providers; this page is updated when the list changes.
| Provider | Purpose | Location |
|---|---|---|
| Google Firebase (Google LLC) | Authentication, database, storage, cloud functions, notifications, website hosting, analytics, and crash reporting | USA (us-central1) |
| Cloudflare, Inc. | TURN media relay for internet calls | Global anycast network (US-based) |
| MapTiler AG | Map tile delivery | Switzerland (global CDN) |
| CARTO | Base map tiles for the web dashboard maps | Global CDN |
| Google Play · Apple App Store | App distribution and updates | Global |
What we don't have yet
We won't claim what we don't have. As of today:
- We have not yet published an independent security audit or penetration-test report; it is the top trust investment on our roadmap.
- We hold no ISO 27001 or SOC 2 certification.
- We do not run a paid bug bounty program; the responsible disclosure process is defined on the security page.
This page makes no new claims; it only gathers existing, verifiable resources in one place.